DACLs

Theory

DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor ) and Windows (using the ingestor) systems.

Other tools like, Get-DomainObjectAcl and Add-DomainObjectAcl from 's , Get-Acl and Set-Acl official Powershell cmdlets, or 's dacledit.py script (Python) can be used in order to manually inspect an object's DACL. At the time of writing, the Pull Request () offering that dacledit is still being reviewed and in active development. It has the following command-line arguments.

This page is about enumeration, for DACL-based attacks, please refer to .

Practice

PowerView

We can dump all Domain Object's ACL and convert it to a json file using Get-DomainObjectAcl from 's .

Get-DomainObjectAcl -ResolveGUIDs|select-object @{Name='SecurityIdentifierName';Expression={"$($_.SecurityIdentifier.Value|Convert-SidToName)"}},@{Name='SecurityIdentifierSID';Expression={"$($_.SecurityIdentifier.Value)"}},@{Name='ActiveDirectoryRights';Expression={"$($_.ActiveDirectoryRights)"}},ObjectDN,@{Name='ObjectName';Expression={"$($_.ObjectSID|Convert-SidToName)"}},ObjectSID|ConvertTo-Json -Compress|Out-File acls.json

Transfer the file to the attacking machine, then use the following command to convert the output file to UNIX format.

#Convert the file
dos2unix acls.json

One of the following commands can be used to format and read the output file.

# Print one ACE by line 
cat acls.json|jq '.[]| "\(.SecurityIdentifierName):\(.SecurityIdentifierSID) | Have: \(.ActiveDirectoryRights) | On: \(.ObjectName):\(.ObjectSID)"'

# Get all ACE of an object
cat acls.json|jq '.[] | select(.ObjectName=="CONTOSO\\user01")'

You may convert SIDs with the following WMIC command

wmic useraccount where sid='<SID>' get name, caption,FullName

We can dump all Domain Users that our current account has rights on using Get-DomainObjectAcl from 's .

Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

We can dump all Domain Groups that our current account has rights on using Get-DomainObjectAcl

Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

We can also dump all Domain Computers that our current account has rights on using Get-DomainObjectAcl

Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

# Get current domain SID and find interesting properties
$SID = Get-DomainSid ; Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "$SID-[\d]{4,10}" }

# Find interesting ACL's for current user or user
Find-InterestingDomainAcl -ResolveGUIDs  | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

# Get ACLs for User
Get-DomainObjectAcl -Identity <TARGET_USERNAME>  -ResolveGUIDs ? { $_.SecurityIdentifier -Match $(ConvertTo-SID <YOUR_USERNAME>) }
Get-ObjectAcl -Identity <TARGET_USERNAME> -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}

# Get ACLs for specific AD Object
Get-DomainObjectAcl -SamAccountName <SAM> -ResolveGUIDs
Get-DomainObjectAcl -Identity <Identity> -ResolveGUIDs

# Get ACLs for specified prefix
Get-DomainObjectAcl -ADSprefix 'CN=Administrators,CN=Users' -Verbose

# Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Users"} 
Find-InterestingDomainAcl -ResolveGUIDs | ?{ $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl"

# Get ACLs for select groups
Get-DomainObjectACL -identity "Domain Admins" -ResolveGUIDs | ?{ $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl"

# Find Interesting ACLs from groups we are a member of
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "Standard-Users"}

# Find Interesting ACLs for groups a user is a member of (Recursive)
Get-DomainGroup -MemberIdentity "[User]" | Select-Object -ExpandProperty "SamAccountName" | ForEach-Object { Write-Host "Searching for interesting ACLs for $_" -ForegroundColor "Yellow"; Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -match $_ } }

# Get the ACLs associated with the specified LDAP path to be used for search
Get-DomainObjectAcl -ADSpath "LDAP://CN=DomainAdmins,CN=Users,DC=Security,DC=local" -ResolveGUIDs -Verbose

Dsacls.exe

It is possible to use a native windows binary (in addition to powershell cmdlet Get-Acl) to enumerate Active Directory object security persmissions. The binary of interest is dsacls.exe.

#Check "v4resk" user permissions against user's "pwned" AD object
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr "v4resk"

#Check "FullControl" permissions against user's "pwned" AD object
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr "full control"

#Check "v4resk" user permissions against group's "Domain Admin" AD object
dsacls.exe "cn=domain admins,cn=users,dc=contoso,dc=local" | findstr "v4resk"

SharpHound

From UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.

bloodhound.py --zip -c ACL -d $DOMAIN -u $USERNAME -p $PASSWORD -dc $DOMAIN_CONTROLLER

Using the ACL CollectionMethod in SharpHound, we just collect abusable permissions on objects in Active Directory

# SharpHound.exe
SharpHound.exe --collectionmethod ACL

#SharHound.ps1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod ACL

Resources

Last updated 6 months ago

Was this helpful?