DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor ) and Windows (using the ingestor) systems.
Other tools like, Get-DomainObjectAcl and Add-DomainObjectAcl from 's , Get-Acl and Set-Acl official Powershell cmdlets, or 's dacledit.py script (Python) can be used in order to manually inspect an object's DACL. At the time of writing, the Pull Request () offering that dacledit is still being reviewed and in active development. It has the following command-line arguments.
This page is about enumeration, for DACL-based attacks, please refer to .
Practice
PowerView
We can dump all Domain Object's ACL and convert it to a json file using Get-DomainObjectAcl from 's .
Transfer the file to the attacking machine, then use the following command to convert the output file to UNIX format.
#Convert the file
dos2unix acls.json
One of the following commands can be used to format and read the output file.
# Print one ACE by line
cat acls.json|jq '.[]| "\(.SecurityIdentifierName):\(.SecurityIdentifierSID) | Have: \(.ActiveDirectoryRights) | On: \(.ObjectName):\(.ObjectSID)"'
# Get all ACE of an object
cat acls.json|jq '.[] | select(.ObjectName=="CONTOSO\\user01")'
You may convert SIDs with the following WMIC command
wmic useraccount where sid='<SID>' get name, caption,FullName
We can dump all DomainUsers that our current account has rights on using Get-DomainObjectAcl from 's .
# Get current domain SID and find interesting properties
$SID = Get-DomainSid ; Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "$SID-[\d]{4,10}" }
# Find interesting ACL's for current user or user
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}
# Get ACLs for User
Get-DomainObjectAcl -Identity <TARGET_USERNAME> -ResolveGUIDs ? { $_.SecurityIdentifier -Match $(ConvertTo-SID <YOUR_USERNAME>) }
Get-ObjectAcl -Identity <TARGET_USERNAME> -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}
# Get ACLs for specific AD Object
Get-DomainObjectAcl -SamAccountName <SAM> -ResolveGUIDs
Get-DomainObjectAcl -Identity <Identity> -ResolveGUIDs
# Get ACLs for specified prefix
Get-DomainObjectAcl -ADSprefix 'CN=Administrators,CN=Users' -Verbose
# Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Users"}
Find-InterestingDomainAcl -ResolveGUIDs | ?{ $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl"
# Get ACLs for select groups
Get-DomainObjectACL -identity "Domain Admins" -ResolveGUIDs | ?{ $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl"
# Find Interesting ACLs from groups we are a member of
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "Standard-Users"}
# Find Interesting ACLs for groups a user is a member of (Recursive)
Get-DomainGroup -MemberIdentity "[User]" | Select-Object -ExpandProperty "SamAccountName" | ForEach-Object { Write-Host "Searching for interesting ACLs for $_" -ForegroundColor "Yellow"; Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -match $_ } }
# Get the ACLs associated with the specified LDAP path to be used for search
Get-DomainObjectAcl -ADSpath "LDAP://CN=DomainAdmins,CN=Users,DC=Security,DC=local" -ResolveGUIDs -Verbose
Dsacls.exe
It is possible to use a native windows binary (in addition to powershell cmdlet Get-Acl) to enumerate Active Directory object security persmissions. The binary of interest is dsacls.exe.
#Check "v4resk" user permissions against user's "pwned" AD object
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr "v4resk"
#Check "FullControl" permissions against user's "pwned" AD object
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr "full control"
#Check "v4resk" user permissions against group's "Domain Admin" AD object
dsacls.exe "cn=domain admins,cn=users,dc=contoso,dc=local" | findstr "v4resk"
SharpHound
From UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.
We can enumerate interesting Domain Object's ACL using Get-DomainObjectAcl from 's .
DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor ) and Windows (using the ingestor) systems.
is a Python ingestor for BloodHound. Using the ACL CollectionMethod, we just collect abusable permissions on objects in Active Directory
SharpHound (, ) is designed targeting .Net 4.5. It can be used as a compiled executable.
It must be run from the context of a domain user, either directly through a logon or through another method such as runas (runas /netonly /user:$DOMAIN\$USER) (see ). Alternatively, SharpHound can be used with the LdapUsername and LdapPassword flags for that matter.
