ACLs/ACEs
Active Directory objects such as users and groups are securable objects, and the DACL/ACEs on them define who can read or modify those objects (e.g. change the account name, reset the password, etc.).
Some of the Active Directory object permissions and rights that we as attackers are interested in:
GenericAll - full rights to the object (e.g. add users to a group or reset a user's password)
GenericWrite - update the object's attributes (e.g. logon script)
WriteOwner - change the object's owner to an attacker-controlled user and take over the object
WriteDACL - modify the object's ACEs and grant the attacker full control over the object
AllExtendedRights - ability to add a user to a group or reset a password
ForceChangePassword - ability to change a user's password without knowing the current one
Self (Self-Membership) - ability to add yourself to a group
Enumerate with PowerView
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")){$_}}
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")){$_}}
The picture above is an example of enumerating ACLs in Active Directory; here is the explanation:
1. The target object (a user).
2. The user that has access to that object.
3. The access type is "GenericAll", meaning the rights are excessive.
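The same rights listed above, viewed from the defender's side: an added PowerShell audit script (not from the original page, and using the RSAT ActiveDirectory module instead of PowerView) that lists every user and group ACE granting one of those rights to a principal that is not expected to hold it. The $TrustedPrincipals list and the RSAT requirement are assumptions to adapt per domain.

```powershell
# Added example: audit AD users/groups for ACEs granting the rights listed above
# to principals other than the expected administrative ones. Requires the RSAT
# ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory
$R = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known schema GUIDs used to classify the ObjectType of an ACE.
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttributeGuid     = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute (Self-Membership)
$AllObjectsGuid          = [guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to all properties/rights

# Assumption: principals expected to hold broad rights. Tune this per domain.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

# Map one ACE to the abusable-right label it corresponds to, or $null if benign.
function Get-AceRiskLabel {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $rights = $Ace.ActiveDirectoryRights
    if ($rights.HasFlag($R::GenericAll))  { return 'GenericAll' }
    if ($rights.HasFlag($R::WriteDacl))   { return 'WriteDACL' }
    if ($rights.HasFlag($R::WriteOwner))  { return 'WriteOwner' }
    # WriteProperty with the all-zero GUID is write access to every attribute.
    if ($rights.HasFlag($R::WriteProperty) -and $Ace.ObjectType -eq $AllObjectsGuid) { return 'GenericWrite' }
    if ($rights.HasFlag($R::ExtendedRight)) {
        if ($Ace.ObjectType -eq $AllObjectsGuid)          { return 'AllExtendedRights' }
        if ($Ace.ObjectType -eq $ForceChangePasswordGuid) { return 'ForceChangePassword' }
    }
    if ($rights.HasFlag($R::Self) -and $Ace.ObjectType -eq $MemberAttributeGuid) { return 'Self-Membership' }
    return $null
}

# Walk every user and group, read its security descriptor and report risky Allow ACEs.
Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group))' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $obj = $_
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            $label = Get-AceRiskLabel $ace
            if ($label) {
                [pscustomobject]@{
                    Object    = $obj.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Right     = $label
                    Inherited = $ace.IsInherited
                }
            }
        }
    } | Sort-Object Right, Object | Format-Table -AutoSize
```

Inherited entries usually trace back to an OU or domain-level ACE, so fix the source object rather than the individual user or group.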
GenericAll
Exploit with reset password
(GenericAll, ForceChangePassword, AllExtendedRights)
Add user to group
(GenericAll, GenericWrite)
WriteDACL