DACLs
Last updated
Was this helpful?
Last updated
Was this helpful?
DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor ) and Windows (using the ingestor) systems.
Other tools like, Get-DomainObjectAcl
and Add-DomainObjectAcl
from 's , Get-Acl
and Set-Acl
official Powershell cmdlets, or 's dacledit.py script (Python) can be used in order to manually inspect an object's DACL. At the time of writing, the Pull Request () offering that dacledit is still being reviewed and in active development. It has the following command-line arguments.
This page is about enumeration, for DACL-based attacks, please refer to .
We can dump all Domain Object's ACL and convert it to a json file using Get-DomainObjectAcl
from 's .
Transfer the file to the attacking machine, then use the following command to convert the output file to UNIX format.
One of the following commands can be used to format and read the output file.
It is possible to use a native windows binary (in addition to powershell cmdlet Get-Acl
) to enumerate Active Directory object security persmissions. The binary of interest is dsacls.exe
.
From UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.
We can enumerate interesting Domain Object's ACL using Get-DomainObjectAcl
from 's .
DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor ) and Windows (using the ingestor) systems.
is a Python ingestor for BloodHound. Using the ACL CollectionMethod, we just collect abusable permissions on objects in Active Directory
SharpHound (, ) is designed targeting .Net 4.5. It can be used as a compiled executable.
It must be run from the context of a domain user, either directly through a logon or through another method such as runas (runas /netonly /user:$DOMAIN\$USER
) (see ). Alternatively, SharpHound can be used with the LdapUsername
and LdapPassword
flags for that matter.