Enumerating ACLs in Active Directory

This playbook covers the process of enumerating Access Control Lists (ACLs) in Active Directory environments. ACL enumeration is crucial for identifying potential attack paths and understanding the permissions structure within a domain. The importance of understanding how ACLs are enumerated cannot be overemphasised.

Key Concepts:

  • ACL: Access Control List
  • ACE: Access Control Entry
  • SID: Security Identifier

Enumerating ACLs with PowerView

PowerView is a powerful tool for ACL enumeration in Active Directory environments.

Summary

  • Use PowerView’s Find-InterestingDomainAcl function for initial enumeration
  • Perform targeted enumeration using Get-DomainObjectACL
  • Utilize the -ResolveGUIDs flag for human-readable output

Steps:

  1. Import PowerView module
  2. Convert target username to SID
  3. Use Get-DomainObjectACL with the target SID
  4. Analyze the output for interesting rights

Example:

# Load PowerView from the current directory
Import-Module .\PowerView.ps1

# Resolve the target user's name to its SID so ACEs can be matched on their SecurityIdentifier
$sid = Convert-NameToSid wley

# Pull the ACL of every domain object, resolve ObjectType GUIDs to readable names, and keep only the ACEs held by that SID
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Using Built-in PowerShell Cmdlets

When PowerView is not available, built-in PowerShell cmdlets can be used for ACL enumeration.

Summary

  • Use Get-ADUser and Get-Acl cmdlets
  • Create a list of domain users
  • Iterate through users and check for specific access rights

Steps:

  1. Create a list of domain users
  2. Use a foreach loop to iterate through users
  3. Use Get-Acl to retrieve ACL information
  4. Filter results for specific users or rights

Example:

# Write every domain user's SamAccountName to a file (requires the ActiveDirectory module, so the AD: drive is available)
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

# For each user, read the object's ACL through the AD: drive and keep only ACEs granted to wley
# (the backslash in the principal name is doubled because -match takes a regular expression; a single '\w' would match any word character instead)
foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {
    Get-Acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}
}
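The following script is an added example and is not code from the original playbook, from PowerView or from HTB. It covers both sections above with built-in cmdlets only: it resolves a name to a SID (the counterpart of Convert-NameToSid), builds the GUID-to-name table that -ResolveGUIDs relies on from the schema and Extended-Rights containers, and then reviews the ACL of every user, group, computer and OU for rights that allow an object to be rewritten or taken over, either for one principal or for everything outside the default administrative tier. It assumes the ActiveDirectory (RSAT) module is installed and that the caller can read the domain, schema and configuration partitions; the function names, the INLANEFREIGHT\wley principal, the LDAP filter and the output path are placeholders or assumptions of this example.

```powershell
# Added example (not from the original playbook, PowerView or HTB). Assumes the
# ActiveDirectory module is installed and the caller can read the domain, schema and
# configuration partitions. Names and paths below are placeholders.
Import-Module ActiveDirectory

# GUID -> name map from the schema (attributes, classes) and the Extended-Rights container.
# This is the lookup -ResolveGUIDs performs so that an ACE's ObjectType reads as e.g.
# 'User-Force-Change-Password' instead of a raw GUID.
function Get-AdGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).Guid] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $map[([guid]$_.rightsGUID).Guid] = $_.name }
    return $map
}

# Name -> SID using .NET, the built-in counterpart of PowerView's Convert-NameToSid.
function Convert-PrincipalToSid {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'INLANEFREIGHT\wley' (placeholder)
    return ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Rights that let the holder rewrite or take over the object they are granted on.
$HighImpactRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'

function Find-HighImpactAce {
    param(
        [string]$Principal,                                     # optional: only ACEs held by this principal
        [string]$SearchBase = (Get-ADDomain).DistinguishedName  # default: the whole domain
    )
    $guidMap   = Get-AdGuidMap
    $domainSid = (Get-ADDomain).DomainSID.Value
    $targetSid = if ($Principal) { Convert-PrincipalToSid $Principal } else { $null }

    # Principals expected to hold broad rights (SYSTEM, SELF, Administrators, Domain/Enterprise/
    # Schema Admins). Skipping them keeps the report focused on delegations granted elsewhere.
    $expected = @('S-1-5-18', 'S-1-5-10', 'S-1-5-32-544', "$domainSid-512", "$domainSid-519", "$domainSid-518")

    $filter = '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit))'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties nTSecurityDescriptor | ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($ace in $_.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Normalise the trustee to a SID string; unresolvable (orphaned) SIDs are kept as they are.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }

            if ($targetSid -and $sid -ne $targetSid) { continue }
            if (-not $targetSid -and $sid -in $expected) { continue }

            # ActiveDirectoryRights is a flags enum; its string form is a comma-separated list.
            $rights = $ace.ActiveDirectoryRights.ToString() -split ', '
            $hits   = $rights | Where-Object { $_ -in $HighImpactRights }
            if (-not $hits) { continue }

            # An empty ObjectType means the right applies to every property / extended right of
            # the object; otherwise resolve the GUID the way -ResolveGUIDs would.
            $objType = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                       elseif ($guidMap.ContainsKey($ace.ObjectType.Guid)) { $guidMap[$ace.ObjectType.Guid] }
                       else { $ace.ObjectType.Guid }

            [pscustomobject]@{
                ObjectDN   = $dn
                Principal  = $ace.IdentityReference.Value
                Rights     = ($hits -join ', ')
                ObjectType = $objType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholders): everything one principal holds anywhere in the domain, then a
# domain-wide sweep of non-default principals saved for review or diffing against a baseline.
Find-HighImpactAce -Principal 'INLANEFREIGHT\wley' | Format-Table -AutoSize
Find-HighImpactAce | Export-Csv -NoTypeInformation -Path 'C:\Temp\ad_acl_review.csv'
```

Reading nTSecurityDescriptor through Get-ADObject avoids one Get-ADUser plus one Get-Acl call per account, so the sweep scales to large domains, and the Inherited column separates rights set directly on an object from rights flowing down from an OU. A WriteProperty or ExtendedRight hit is only meaningful together with its ObjectType: a right scoped to a single attribute or control access right is a much narrower delegation than one scoped to All, which is exactly why the GUID lookup matters when reviewing the output.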

Enumerating ACLs with BloodHound

BloodHound provides a graphical interface for visualizing and analyzing ACLs.

Summary

  • Upload data gathered with SharpHound ingestor
  • Set starting node and explore Outbound Control Rights
  • Utilize the Help menu for attack guidance and OPSEC considerations

Steps:

  1. Upload SharpHound data to BloodHound
  2. Set starting node (e.g., user wley)
  3. Explore Node Info tab and Outbound Control Rights
  4. Investigate First Degree Object Control and Transitive Object Control
  5. Use the Help menu for detailed attack information
