Enumerating ACLs in Active Directory

This playbook covers the process of enumerating Access Control Lists (ACLs) in Active Directory environments. ACL enumeration is crucial for identifying potential attack paths and understanding the permissions structure within a domain: a single misconfigured ACE on a user, group or computer object can hand control of that object to a low-privileged principal, so understanding how to enumerate ACLs is essential.

Key Concepts:

  • ACL: Access Control List
  • ACE: Access Control Entry
  • SID: Security Identifier

Enumerating ACLs with PowerView

PowerView is a powerful tool for ACL enumeration in Active Directory environments.

Summary

  • Use PowerView’s Find-InterestingDomainAcl function for initial enumeration
  • Perform targeted enumeration using Get-DomainObjectACL
  • Utilize the -ResolveGUIDs flag for human-readable output

Steps:

  1. Import PowerView module
  2. Convert target username to SID
  3. Use Get-DomainObjectACL with the target SID
  4. Analyze the output for interesting rights

Example:

# Load PowerView into the current session (dot-sourcing, ". .\PowerView.ps1", also works)
Import-Module .\PowerView.ps1

# Resolve the target account name to its SID; ACEs reference trustees by SID, not by name
$sid = Convert-NameToSid wley

# Walk every object's DACL (-Identity *), resolve schema and extended-right GUIDs to names,
# and keep only the ACEs whose trustee is the target SID
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
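The one-liner above returns every ACE held by the account, including harmless ones. The following script is an added example, not code from the original post or from PowerView itself; it wraps the same PowerView calls (Convert-NameToSid, Get-DomainObjectAcl) in a function that keeps only the rights that allow an object to be modified or taken over, and exports the result for review. The list of "interesting" rights, the function name and the output path are assumptions.

```powershell
# Added example (not from the original post): trustee-centric audit with PowerView.
# Assumes PowerView.ps1 is in the current directory; "wley" is the page's sample account.
Import-Module .\PowerView.ps1

function Get-PrincipalControlRights {
    param(
        [Parameter(Mandatory)] [string] $Principal,
        # Rights that let the trustee take over or modify the target object (assumed list)
        [string[]] $InterestingRights = @('GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','ExtendedRight','Self')
    )

    $sid = Convert-NameToSid $Principal
    if (-not $sid) { throw "Could not resolve '$Principal' to a SID" }

    # Build one regex from the rights list so a single -match covers every alternative;
    # ActiveDirectoryRights is a flags enum and stringifies as "GenericAll, WriteDacl, ..."
    $pattern = ($InterestingRights | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-DomainObjectAcl -ResolveGUIDs -Identity * |
        Where-Object { $_.SecurityIdentifier -eq $sid -and $_.ActiveDirectoryRights -match $pattern } |
        ForEach-Object {
            # ObjectAceType is only meaningful for object-specific ACEs (a particular
            # attribute or extended right); for plain ACEs it is empty or 'None'
            [pscustomobject]@{
                Trustee   = $Principal
                TargetDN  = $_.ObjectDN
                Rights    = $_.ActiveDirectoryRights
                AceType   = $_.AceType
                ObjectAce = if ($_.ObjectAceType) { $_.ObjectAceType } else { '-' }
            }
        }
}

# Sample call: show the hits on screen and keep a CSV copy for the audit trail
Get-PrincipalControlRights -Principal 'wley' |
    Tee-Object -Variable results |
    Format-Table -AutoSize

$results | Export-Csv -NoTypeInformation -Path .\wley_control_rights.csv
```

WriteProperty and ExtendedRight hits need a second look at the ObjectAce column: a WriteProperty ACE scoped to a single attribute such as a personal-information field is routine, while one scoped to the whole object, or an ExtendedRight such as a password reset, is what the Find-InterestingDomainAcl output is designed to surface.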

Using Built-in PowerShell Cmdlets

When PowerView is not available, built-in PowerShell cmdlets can be used for ACL enumeration.

Summary

  • Use Get-ADUser and Get-Acl cmdlets
  • Create a list of domain users
  • Iterate through users and check for specific access rights

Steps:

  1. Create a list of domain users
  2. Use a foreach loop to iterate through users
  3. Use Get-Acl to retrieve ACL information
  4. Filter results for specific users or rights

Example:

# Dump every domain user's SAM account name to a text file, one name per line
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

# For each user, read the object's DACL through the AD: PSDrive (the string form of a
# Get-ADUser result is its distinguished name) and keep the ACEs granted to the target account.
# -match takes a regex, so the backslash in DOMAIN\user must be escaped: the unescaped form
# 'INLANEFREIGHT\wley' is read as "INLANEFREIGHT", one word character, then "ley" and never matches.
foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {
    Get-Acl "AD:\$(Get-ADUser $line)" |
        Select-Object Path -ExpandProperty Access |
        Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}
}
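The loop above answers "what does this one account hold?". The following script is an added example, not part of the original post, that turns the same built-in cmdlets (Get-ADUser, Get-Acl on the AD: drive) around to answer the defender's question, "which principals other than the expected administrators hold control rights over user objects?". The expected-trustee allow-list, the NetBIOS domain name and the rights list are assumptions; the trustee comparison uses exact string equality instead of -match, so backslashes in account names need no escaping.

```powershell
# Added example (not from the original post): object-centric ACL audit using only
# the ActiveDirectory module. Domain name, allow-list and rights list are assumptions.
Import-Module ActiveDirectory

function Find-NonStandardUserAces {
    param(
        [string] $Domain = 'INLANEFREIGHT',   # assumed NetBIOS domain name
        # Principals expected to hold control rights over user objects (assumed baseline)
        [string[]] $ExpectedTrustees = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
            'BUILTIN\Account Operators', "$Domain\Domain Admins", "$Domain\Enterprise Admins"
        ),
        [string[]] $InterestingRights = @('GenericAll','GenericWrite','WriteDacl','WriteOwner','ExtendedRight')
    )

    # Regex alternatives for the rights check, escaped so they are matched literally
    $rightsPattern = ($InterestingRights | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Case-insensitive exact-match set for trustees; avoids the regex-escaping pitfall of -match
    $trusteeSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$ExpectedTrustees, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($user in Get-ADUser -Filter *) {
        $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Report only Allow ACEs that grant an interesting right to an unexpected trustee
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusteeSet.Contains($ace.IdentityReference.Value)) { continue }
            if ($ace.ActiveDirectoryRights -notmatch $rightsPattern) { continue }
            [pscustomobject]@{
                User       = $user.SamAccountName
                Trustee    = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType   # GUID of the attribute/extended right; all-zero GUID = whole object
                Inherited  = $ace.IsInherited
                Owner      = $acl.Owner
            }
        }
    }
}

# Sample call: group the hits by trustee so delegated groups stand out
Find-NonStandardUserAces | Sort-Object Trustee, User | Format-Table -AutoSize
```

Inherited hits point at a delegation on a parent OU or the domain head rather than on the user itself, so the fix belongs there; explicit (non-inherited) hits on individual accounts are the ones most often left behind by ad-hoc delegation. In a real forest the allow-list must be extended with the legitimate delegation groups (help-desk, Exchange and similar), otherwise the report is noise; the ObjectType GUID can be resolved to a name through the schema or extended-rights containers, which is what PowerView's -ResolveGUIDs flag does for you.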

Enumerating ACLs with BloodHound

BloodHound provides a graphical interface for visualizing and analyzing ACLs.

Summary

  • Upload data gathered with SharpHound ingestor
  • Set starting node and explore Outbound Control Rights
  • Utilize the Help menu for attack guidance and OPSEC considerations

Steps:

  1. Upload SharpHound data to BloodHound
  2. Set starting node (e.g., user wley)
  3. Explore Node Info tab and Outbound Control Rights
  4. Investigate First Degree Object Control and Transitive Object Control
  5. Use the Help menu for detailed attack information

Additional Resources
