DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor bloodhound.py) and Windows (using the SharpHound ingestor) systems.
Other tools, such as Get-DomainObjectAcl and Add-DomainObjectAcl from PowerSploit's PowerView, the official PowerShell cmdlets Get-Acl and Set-Acl, or Impacket's dacledit.py script (Python), can be used to manually inspect an object's DACL. ⚠️ At the time of writing, the Pull Request (#1291) offering dacledit is still being reviewed and in active development. It has the following command-line arguments.
This page covers enumeration; for DACL-based attacks, please refer to the dedicated page.
Practice
PowerView
We can dump all domain objects' ACLs and convert them to a JSON file using Get-DomainObjectAcl from PowerSploit's PowerView.
Transfer the file to the attacking machine, then use the following command to convert the output file to UNIX format.
# Convert the file
dos2unix acls.json
One of the following commands can be used to format and read the output file.
# Print one ACE per line
cat acls.json | jq '.[] | "\(.SecurityIdentifierName):\(.SecurityIdentifierSID) | Have: \(.ActiveDirectoryRights) | On: \(.ObjectName):\(.ObjectSID)"'
# Get all ACEs of an object
cat acls.json | jq '.[] | select(.ObjectName=="CONTOSO\\user01")'
You may resolve SIDs to account names with the following WMIC command.
wmic useraccount where sid='<SID>' get name,caption,FullName
We can enumerate interesting domain objects' ACLs using Get-DomainObjectAcl and Find-InterestingDomainAcl from PowerSploit's PowerView.
# Get current domain SID and find interesting properties (only principals with RID >= 1000, i.e. non-built-in accounts)
$SID = Get-DomainSid ; Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "$SID-[\d]{4,10}" }
# Find interesting ACLs for the current user (Find-InterestingDomainAcl exposes the principal name as IdentityReferenceName)
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -eq $env:USERNAME }
# Get ACLs for a user
Get-DomainObjectAcl -Identity it_admin -ResolveGUIDs | ? { $_.SecurityIdentifier -match $(ConvertTo-SID yourUserName) }
# Get ACLs for a specific AD object
Get-DomainObjectAcl -SamAccountName <SAM> -ResolveGUIDs
Get-DomainObjectAcl -Identity <Identity> -ResolveGUIDs
# Get ACLs for a specified prefix
Get-DomainObjectAcl -ADSprefix 'CN=Administrators,CN=Users' -Verbose
# Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ? { $_.IdentityReferenceName -match "Domain Users" }
Find-InterestingDomainAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" }
# Get ACLs for selected groups
Get-DomainObjectACL -Identity "Domain Admins" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" }
# Find interesting ACLs from groups we are a member of
Find-InterestingDomainAcl -ResolveGUIDs | ? { $_.IdentityReferenceName -match "Standard-Users" }
# Find interesting ACLs for groups a user is a member of (recursive); the group name is captured in $group because $_ inside Where-Object refers to the ACE, not the group
Get-DomainGroup -MemberIdentity "[User]" | Select-Object -ExpandProperty "SamAccountName" | ForEach-Object { $group = $_; Write-Host "Searching for interesting ACLs for $group" -ForegroundColor "Yellow"; Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -match $group } }
# Get the ACLs associated with the specified LDAP path
Get-DomainObjectAcl -ADSpath "LDAP://CN=DomainAdmins,CN=Users,DC=Security,DC=local" -ResolveGUIDs -Verbose
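As an added example (not part of this page's tooling), the same filter the PowerView one-liners apply, run offline over the JSON export produced earlier with Get-DomainObjectAcl: it keeps ACEs that grant WriteProperty/GenericWrite/GenericAll/WriteDacl to non-built-in domain principals (RID of 4 to 10 digits, the `$SID-[\d]{4,10}` check) and prints them in the layout of the jq command above. The domain SID and the ACEs are constructed sample data; the field names match those used by the jq commands.

```python
import json
import re

# Constructed sample of a Get-DomainObjectAcl export converted to JSON (field names
# as in the jq commands on this page). Real exports contain many more ACEs.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_ACLS = json.dumps([
    {"SecurityIdentifierName": "CONTOSO\\user01", "SecurityIdentifierSID": DOMAIN_SID + "-1105",
     "ActiveDirectoryRights": "WriteProperty", "ObjectName": "CONTOSO\\Domain Admins",
     "ObjectSID": DOMAIN_SID + "-512"},
    {"SecurityIdentifierName": "CONTOSO\\Domain Admins", "SecurityIdentifierSID": DOMAIN_SID + "-512",
     "ActiveDirectoryRights": "GenericAll", "ObjectName": "CONTOSO\\user02",
     "ObjectSID": DOMAIN_SID + "-1106"},
    {"SecurityIdentifierName": "CONTOSO\\user03", "SecurityIdentifierSID": DOMAIN_SID + "-1107",
     "ActiveDirectoryRights": "ReadProperty, GenericExecute", "ObjectName": "CONTOSO\\user02",
     "ObjectSID": DOMAIN_SID + "-1106"},
    {"SecurityIdentifierName": "NT AUTHORITY\\SYSTEM", "SecurityIdentifierSID": "S-1-5-18",
     "ActiveDirectoryRights": "GenericAll", "ObjectName": "CONTOSO\\user02",
     "ObjectSID": DOMAIN_SID + "-1106"},
])

# Write-class rights that let a principal modify the target object or its DACL.
INTERESTING = re.compile(r"WriteProperty|GenericWrite|GenericAll|WriteDacl")


def interesting_aces(acl_json, domain_sid):
    """Return ACEs where a non-built-in principal of the given domain (RID of 4 to 10
    digits, so well-known RIDs such as 512 for Domain Admins are excluded, exactly as in
    the PowerView filter) holds a write-class right on some object."""
    sid_re = re.compile(re.escape(domain_sid) + r"-[0-9]{4,10}$")
    return [
        ace for ace in json.loads(acl_json)
        if INTERESTING.search(ace["ActiveDirectoryRights"])
        and sid_re.match(ace["SecurityIdentifierSID"])
    ]


def format_ace(ace):
    # Same layout as the jq one-liner: principal:SID | Have: rights | On: object:SID
    return (f'{ace["SecurityIdentifierName"]}:{ace["SecurityIdentifierSID"]} | '
            f'Have: {ace["ActiveDirectoryRights"]} | On: {ace["ObjectName"]}:{ace["ObjectSID"]}')


if __name__ == "__main__":
    # On the sample only user01's WriteProperty on Domain Admins survives the filter.
    for ace in interesting_aces(SAMPLE_ACLS, DOMAIN_SID):
        print(format_ace(ace))
```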
Dsacls.exe
It is possible to use a native Windows binary (in addition to the PowerShell cmdlet Get-Acl) to enumerate Active Directory object security permissions. The binary of interest is dsacls.exe.
# Check "v4resk" user permissions against the "pwned" user AD object
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr "v4resk"
# Check "FullControl" permissions against the "pwned" user AD object (dsacls prints "FULL CONTROL"; /i ignores case and /c: matches the whole phrase rather than each word)
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr /i /c:"full control"
# Check "v4resk" user permissions against the "Domain Admins" group AD object
dsacls.exe "cn=domain admins,cn=users,dc=contoso,dc=local" | findstr "v4resk"
SharpHound
From a UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.
BloodHound.py is a Python ingestor for BloodHound. Using the ACL CollectionMethod, it collects only abusable permissions on objects in Active Directory.
SharpHound (sources, builds) is built for .Net 4.5 and can be used as a compiled executable.
It must be run in the context of a domain user, either directly through a logon or through another method such as runas (runas /netonly /user:$DOMAIN\$USER) (see Impersonation). Alternatively, SharpHound can be given credentials through the LdapUsername and LdapPassword flags.
Using the ACL CollectionMethod in SharpHound, we collect only abusable permissions on objects in Active Directory.