{"id":189,"date":"2025-01-12T00:00:00","date_gmt":"2025-01-11T23:00:00","guid":{"rendered":"https:\/\/kosokoking.com\/?p=189"},"modified":"2025-01-07T21:10:24","modified_gmt":"2025-01-07T20:10:24","slug":"enumerating-acls-in-active-directory","status":"publish","type":"post","link":"https:\/\/kosokoking.com\/index.php\/security\/enumerating-acls-in-active-directory\/","title":{"rendered":"Enumerating ACLs in Active Directory"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This playbook covers enumerating Access Control Lists (ACLs) in Active Directory environments. ACL enumeration is crucial for identifying potential attack paths and understanding the permissions structure within a domain. The importance of understanding ACL enumeration cannot be overemphasised.<\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Key Concepts:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ACL<\/strong>: Access Control List<\/li>\n\n\n\n<li><strong>ACE<\/strong>: Access Control Entry<\/li>\n\n\n\n<li><strong>SID<\/strong>: Security Identifier<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\"><strong>Enumerating ACLs with PowerView<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PowerView is a powerful tool for ACL enumeration in Active Directory environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Summary<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use PowerView&#8217;s Find-InterestingDomainAcl function for initial enumeration<\/li>\n\n\n\n<li>Perform targeted enumeration using Get-DomainObjectACL<\/li>\n\n\n\n<li>Utilize the -ResolveGUIDs flag for human-readable output<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Steps:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Import PowerView module<\/li>\n\n\n\n<li>Convert target username to SID<\/li>\n\n\n\n<li>Use Get-DomainObjectACL with the target SID<\/li>\n\n\n\n<li>Analyze the output for interesting 
rights<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Example:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p class=\"wp-block-paragraph\"><code>Import-Module .\\PowerView.ps1<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>$sid = Convert-NameToSid wley<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}<\/code><\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\"><strong>Using Built-in PowerShell Cmdlets<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When PowerView is not available, built-in PowerShell cmdlets can be used for ACL enumeration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Summary<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use Get-ADUser and Get-Acl cmdlets<\/li>\n\n\n\n<li>Create a list of domain users<\/li>\n\n\n\n<li>Iterate through users and check for specific access rights<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Steps:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Create a list of domain users<\/li>\n\n\n\n<li>Use a foreach loop to iterate through users<\/li>\n\n\n\n<li>Use Get-Acl to retrieve ACL information<\/li>\n\n\n\n<li>Filter results for specific users or rights<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Example:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>foreach($line in [System.IO.File]::ReadLines(\"C:\\Users\\htb-student\\Desktop\\ad_users.txt\")) {Get-Acl \"AD:\\$(Get-ADUser $line)\" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\\\wley'}}<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading 
has-medium-font-size\"><strong>Enumerating ACLs with BloodHound<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">BloodHound provides a graphical interface for visualizing and analyzing ACLs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Summary<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Upload data gathered with SharpHound ingestor<\/li>\n\n\n\n<li>Set starting node and explore Outbound Control Rights<\/li>\n\n\n\n<li>Utilize the Help menu for attack guidance and OPSEC considerations<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Steps:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Upload SharpHound data to BloodHound<\/li>\n\n\n\n<li>Set starting node (e.g., user wley)<\/li>\n\n\n\n<li>Explore Node Info tab and Outbound Control Rights<\/li>\n\n\n\n<li>Investigate First Degree Object Control and Transitive Object Control<\/li>\n\n\n\n<li>Use the Help menu for detailed attack information<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Additional Resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/tree\/master\/Recon\" target=\"_blank\" rel=\"noreferrer noopener\">PowerView GitHub Repository<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/bloodhound.readthedocs.io\/en\/latest\/\" target=\"_blank\" rel=\"noreferrer noopener\">BloodHound Official Documentation<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Discover how to enumerate Access Control Lists (ACLs) in Active Directory using PowerView and BloodHound. 
Learn how to leverage ACL misconfigurations.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[89,87,113,51,21,88,14],"class_list":["post-189","post","type-post","status-publish","format-standard","hentry","category-security","tag-accesscontrol","tag-acl","tag-acls","tag-cybersecurity","tag-functionality","tag-networksecurity","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/comments?post=189"}],"version-history":[{"count":1,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions"}],"predecessor-version":[{"id":190,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions\/190"}],"wp:attachment":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/media?parent=189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/categories?post=189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/tags?post=189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}