Enumerating ACLs in Active Directory

This playbook covers enumerating Access Control Lists (ACLs) in Active Directory environments. ACL enumeration is essential for identifying potential attack paths and understanding the permission structure within a domain; the importance of knowing how to enumerate ACLs cannot be overemphasized.

Key Concepts:

  • ACL: Access Control List
  • ACE: Access Control Entry
  • SID: Security Identifier

Enumerating ACLs with PowerView

PowerView is a powerful tool for ACL enumeration in Active Directory environments.

Summary

  • Use PowerView’s Find-InterestingDomainAcl function for initial enumeration
  • Perform targeted enumeration using Get-DomainObjectACL
  • Utilize the -ResolveGUIDs flag for human-readable output

Steps:

  1. Import PowerView module
  2. Convert target username to SID
  3. Use Get-DomainObjectACL with the target SID
  4. Analyze the output for interesting rights

Example:

# Load PowerView into the current session
Import-Module .\PowerView.ps1

# Resolve the target user's SID (wley is the example account used throughout this page)
$sid = Convert-NameToSid wley

# Pull the ACL of every domain object, resolve GUIDs to readable names, and keep only ACEs held by the target SID
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Using Built-in PowerShell Cmdlets

When PowerView is not available, built-in PowerShell cmdlets can be used for ACL enumeration.

Summary

  • Use Get-ADUser and Get-Acl cmdlets
  • Create a list of domain users
  • Iterate through users and check for specific access rights

Steps:

  1. Create a list of domain users
  2. Use a foreach loop to iterate through users
  3. Use Get-Acl to retrieve ACL information
  4. Filter results for specific users or rights

Example:

Import-Module ActiveDirectory   # Get-ADUser and the AD: drive require the RSAT ActiveDirectory module
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

# For each user, read the object's ACL and keep ACEs granted to wley (the backslash is doubled because -match takes a regex)
foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {Get-Acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
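As an added example (not code from the original post or from PowerView), the script below does with built-in cmdlets what the PowerView section relies on -ResolveGUIDs for: it reads one object's ACL, maps each ACE's ObjectType GUID to a schema attribute or extended-right name, and reports which principals hold control rights over that object, which is useful when auditing least privilege on sensitive accounts. It assumes the RSAT ActiveDirectory module is present and reuses the wley account from this page as the target; the function names are this example's own.

```powershell
# Added example: audit control rights on one AD object with built-in cmdlets,
# resolving ObjectType GUIDs to names (the equivalent of PowerView's -ResolveGUIDs).
Import-Module ActiveDirectory

function Get-GuidMap {
    # Build a GUID -> name map from the schema (attributes and classes) and from
    # the Extended-Rights container (control access rights such as password reset).
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $map[([guid]$_.rightsGUID).ToString()] = $_.name }
    return $map
}

function Get-ControlAces {
    param([Parameter(Mandatory)][string]$SamAccountName, [hashtable]$GuidMap = (Get-GuidMap))
    # Rights that let the holder change the object or its security descriptor.
    $controlRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight', 'Self'
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ', '
        if (-not ($rights | Where-Object { $controlRights -contains $_ })) { continue }
        # An all-zero ObjectType means the right applies to the whole object, not one attribute/right.
        $typeKey  = $ace.ObjectType.ToString()
        $typeName = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                    elseif ($GuidMap.ContainsKey($typeKey)) { $GuidMap[$typeKey] }
                    else { $typeKey }
        [pscustomobject]@{
            Object     = $dn
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $typeName
            Inherited  = $ace.IsInherited
        }
    }
}

# Usage: list every principal with control rights over the user wley.
Get-ControlAces -SamAccountName 'wley' | Format-Table -AutoSize
```

Inherited ACEs from the parent OU or the domain head appear with Inherited set to True; comparing the list against expected administrative groups shows any delegation that should not be there.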

Enumerating ACLs with BloodHound

BloodHound provides a graphical interface for visualizing and analyzing ACLs.

Summary

  • Upload data gathered with SharpHound ingestor
  • Set starting node and explore Outbound Control Rights
  • Utilize the Help menu for attack guidance and OPSEC considerations

Steps:

  1. Upload SharpHound data to BloodHound
  2. Set starting node (e.g., user wley)
  3. Explore Node Info tab and Outbound Control Rights
  4. Investigate First Degree Object Control and Transitive Object Control
  5. Use the Help menu for detailed attack information
