Access Control List (ACL)
PowerView
Import-Module .\PowerView.ps1 # Import PowerView
Find-InterestingDomainAcl # find objects with potentially exploitable
# ACLs, such as GenericAll, WriteDACL, WriteOwner, or ForceChangePassword
# This outputs a lot of information, which is time consuming to go through, so target specific principals instead (below).
## Targeted Enumeration
$sid = Convert-NameToSid rezydev # Finds the SID (Security Identifier) for the user 'rezydev'
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} # Lists all ACEs in the domain and keeps those where the trustee is the 'rezydev' SID
Get-DomainGroup -Identity "HR Department" | select memberof # Lists the groups that "HR Department" is itself a member of; rights granted to those parent groups also apply to its members
$groupsid = Convert-NameToSid "HR Department" # Converts the "HR Department" group name to its SID
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $groupsid} # Keeps the ACEs where the trustee is the "HR Department" group SID; repeat for each parent group found above
LOTL (Living off the Land: built-in ActiveDirectory module only, no PowerView)
# Domain Users Wordlist
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > users.txt # Retrieves all AD users' SamAccountNames and saves them to users.txt
foreach($line in [System.IO.File]::ReadLines("C:\Users\jethalal\Desktop\users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'REZYDEV\\jethalal'}} # Iterates through the user list and reports ACEs on each user object where 'jethalal' is the trustee (direct ACEs only; rights 'jethalal' holds through group membership will not show)
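The one-liner above only catches ACEs that name 'jethalal' directly, and only on user objects. The following is an added example (not code from the original page) that does the same job with the built-in ActiveDirectory module but also resolves the groups the principal is transitively a member of (via the LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941), scans users, groups, OUs, GPOs and the domain head, and classifies each matching ACE by the right it grants (GenericAll, WriteDacl, WriteOwner, GenericWrite, WriteProperty on member, Self on member, User-Force-Change-Password, DS-Replication-Get-Changes/-All). The function names Get-PrincipalIdentities, Test-AbusableAce and Find-AbusableAcl are my own; the extended-right and attribute GUIDs are the well-known schema values. It assumes RSAT's ActiveDirectory module is installed and the caller is a domain user.

```powershell
# Added example, not part of the original cheatsheet. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known GUIDs referenced in object-specific ACEs.
$AllObjectsGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # "all" properties / extended rights
$ForceChangePwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$DsGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$DsGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$MemberAttr      = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # 'member' attribute

function Get-PrincipalIdentities {
    # Returns "DOMAIN\sam" names for the principal and every group it belongs to,
    # directly or through nesting, plus the implicit groups every domain user is in.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $nb  = (Get-ADDomain).NetBIOSName
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties sAMAccountName
    if (-not $obj) { throw "Principal '$SamAccountName' not found" }
    $ids = @("$nb\$($obj.sAMAccountName)")
    # Matching-rule-in-chain walks nested membership server-side.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($obj.DistinguishedName))" |
        ForEach-Object { $ids += "$nb\$($_.SamAccountName)" }
    $ids += 'NT AUTHORITY\Authenticated Users', 'Everyone', "$nb\Domain Users"
    return $ids
}

function Test-AbusableAce {
    # Returns a short label for an Allow ACE that grants an abusable right, else $null.
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    $rights = $Ace.ActiveDirectoryRights.ToString() -split ',\s*'
    if ($rights -contains 'GenericAll')   { return 'GenericAll' }
    if ($rights -contains 'WriteDacl')    { return 'WriteDacl' }
    if ($rights -contains 'WriteOwner')   { return 'WriteOwner' }
    if ($rights -contains 'GenericWrite') { return 'GenericWrite' }
    if ($rights -contains 'WriteProperty') {
        if ($Ace.ObjectType -eq $AllObjectsGuid) { return 'WriteProperty(all)' }
        if ($Ace.ObjectType -eq $MemberAttr)     { return 'AddMember' }
    }
    if ($rights -contains 'Self' -and $Ace.ObjectType -eq $MemberAttr) { return 'AddSelf' }
    if ($rights -contains 'ExtendedRight') {
        if ($Ace.ObjectType -eq $AllObjectsGuid)  { return 'AllExtendedRights' }
        if ($Ace.ObjectType -eq $ForceChangePwd)  { return 'ForceChangePassword' }
        if ($Ace.ObjectType -eq $DsGetChanges)    { return 'DS-Replication-Get-Changes' }
        if ($Ace.ObjectType -eq $DsGetChangesAll) { return 'DS-Replication-Get-Changes-All' }
    }
    return $null
}

function Find-AbusableAcl {
    # Emits one object per abusable ACE where the trustee is the principal or one of its groups.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ids  = Get-PrincipalIdentities -SamAccountName $SamAccountName
    $base = (Get-ADDomain).DistinguishedName
    # Object classes that matter most for privilege escalation; widen the filter to scan everything (slow).
    $filter = '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit)(objectClass=groupPolicyContainer)(objectClass=domainDNS))'
    Get-ADObject -LDAPFilter $filter -SearchBase $base | ForEach-Object {
        $dn = $_.DistinguishedName
        try { $acl = Get-Acl -Path "AD:\$dn" } catch { return }   # skip objects we cannot read
        foreach ($ace in $acl.Access) {
            if ($ids -notcontains $ace.IdentityReference.Value) { continue }
            $why = Test-AbusableAce -Ace $ace
            if ($why) {
                [pscustomobject]@{
                    ObjectDN  = $dn
                    Trustee   = $ace.IdentityReference.Value
                    Right     = $why
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (run as any domain user):
Find-AbusableAcl -SamAccountName jethalal | Format-Table -AutoSize
```

Matching on IdentityReference.Value only works for trustees the DC resolves to a NTAccount; an ACE whose trustee shows up as a raw SID (deleted or foreign principal) is skipped, which is the safe direction for this check. Inherited ACEs are reported too, since a right inherited from an OU onto a user object is just as abusable as an explicit one.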
Bloodhound
We can use queries to perform enumeration in BloodHound. The following page provides an installation and launch guide to get started with BloodHound, along with cheatsheets.