17. ACL Enumeration
Import PowerView module
Import-Module .\PowerView.ps1
Convert usernames and groups to SIDs
$userSIDs = @{
    "wley"                   = Convert-NameToSid wley
    "damundsen"              = Convert-NameToSid damundsen
    "Information Technology" = Convert-NameToSid "Information Technology"
    "adunn"                  = Convert-NameToSid adunn
}
Find interesting domain ACLs (broad enumeration)
Find-InterestingDomainAcl
Get domain object ACLs for specific SIDs (targeted enumeration)
# Query the domain once and filter on all collected SIDs, instead of repeating the full query per SID
$sids = $userSIDs.Values
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -in $sids} -Verbose
Reverse search GUID to retrieve corresponding name
$guid = "00299570-246d-11d0-a768-00aa006e0529"
# PowerShell continues a line after a trailing pipe; a backtick is needed only before the parameters
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" `
    -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |
    Where-Object {$_.rightsGuid -eq $guid} |
    Select-Object Name, DisplayName, DistinguishedName, rightsGuid | Format-List
Create a list of domain users
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName | Out-File -Encoding utf8 ad_users.txt
Manually enumerate ACLs using Get-Acl (foreach loop)
$users = Get-Content "C:\Users\htb-student\Desktop\ad_users.txt"
foreach ($user in $users) {
    # The AD: drive is provided by the ActiveDirectory module
    Get-Acl "AD:\$(Get-ADUser $user)" |
        Select-Object Path -ExpandProperty Access |
        Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}
}
Get domain group information
Get-DomainGroup -Identity "Help Desk Level 1" | Select-Object -ExpandProperty MemberOf
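Added example (not part of the original page): the manual Get-Acl loop and the GUID reverse lookup above combined, so that every ACE held by one principal is reported with its extended-right GUID already resolved, which is useful when reviewing delegated rights. It assumes a domain-joined host with the ActiveDirectory module and an ad_users.txt in the current directory; the variable names and output columns are illustrative.

```powershell
# Added example, not from the original page.
# Assumes: ActiveDirectory module available, ad_users.txt in the current directory.
Import-Module ActiveDirectory

# Build a rightsGuid -> name map for all extended rights with a single query
$search = @{
    SearchBase = "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)"
    LDAPFilter = '(objectClass=controlAccessRight)'
    Properties = 'rightsGuid'
}
$rightsMap = @{}
Get-ADObject @search | ForEach-Object { $rightsMap[[string]$_.rightsGuid] = $_.Name }

$principal = 'INLANEFREIGHT\wley'        # principal used on the page
$users     = Get-Content .\ad_users.txt

$results = foreach ($user in $users) {
    $dn = (Get-ADUser $user).DistinguishedName
    (Get-Acl "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -eq $principal } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            # ObjectType may also be a schema attribute/class GUID or all zeros;
            # in that case the raw GUID is kept instead of a name.
            $name = if ($rightsMap.ContainsKey($guid)) { $rightsMap[$guid] } else { $guid }
            [pscustomobject]@{
                Target     = $dn
                Rights     = $_.ActiveDirectoryRights
                ObjectType = $name
                AccessType = $_.AccessControlType
                Inherited  = $_.IsInherited
            }
        }
}

$results | Format-Table -AutoSize
```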