DACLs

Theory

DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor bloodhound.py) and Windows (using the SharpHound ingestor) systems.

Other tools like, Get-DomainObjectAcl and Add-DomainObjectAcl from Powersploit's Powerview, Get-Acl and Set-Acl official Powershell cmdlets, or Impacket's dacledit.py script (Python) can be used in order to manually inspect an object's DACL. ⚠️ At the time of writing, the Pull Request (#1291) offering that dacledit is still being reviewed and in active development. It has the following command-line arguments.

This page is about enumeration, for DACL-based attacks, please refer to this page.

Practice

PowerView

We can dump all Domain Object's ACL and convert it to a json file using Get-DomainObjectAcl from Powersploit's Powerview.

Get-DomainObjectAcl -ResolveGUIDs|select-object @{Name='SecurityIdentifierName';Expression={"$($_.SecurityIdentifier.Value|Convert-SidToName)"}},@{Name='SecurityIdentifierSID';Expression={"$($_.SecurityIdentifier.Value)"}},@{Name='ActiveDirectoryRights';Expression={"$($_.ActiveDirectoryRights)"}},ObjectDN,@{Name='ObjectName';Expression={"$($_.ObjectSID|Convert-SidToName)"}},ObjectSID|ConvertTo-Json -Compress|Out-File acls.json

Transfer the file to the attacking machine, then use the following command to convert the output file to UNIX format.

#Convert the file
dos2unix acls.json

One of the following commands can be used to format and read the output file.

# Print one ACE by line 
cat acls.json|jq '.[]| "\(.SecurityIdentifierName):\(.SecurityIdentifierSID) | Have: \(.ActiveDirectoryRights) | On: \(.ObjectName):\(.ObjectSID)"'

# Get all ACE of an object
cat acls.json|jq '.[] | select(.ObjectName=="CONTOSO\\user01")'

You may convert SIDs with the following WMIC command

wmic useraccount where sid='<SID>' get name, caption,FullName

We can enumerate interesting Domain Object's ACL using Get-DomainObjectAcl from Powersploit's Powerview.

# Get current domain SID and find interesting properties
$SID = Get-DomainSid ; Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "$SID-[\d]{4,10}" }

# Find interesting ACL's for current user or user
Find-InterestingDomainAcl -ResolveGUIDs  | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

# Get ACLs for User
Get-DomainObjectAcl -Identity it_admin -ResolveGUIDs ? { $_.SecurityIdentifier -Match $(ConvertTo-SID yourUserName) }


# Get ACLs for specific AD Object
Get-DomainObjectAcl -SamAccountName <SAM> -ResolveGUIDs
Get-DomainObjectAcl -Identity <Identity> -ResolveGUIDs


# Get ACLs for specified prefix
Get-DomainObjectAcl -ADSprefix 'CN=Administrators,CN=Users' -Verbose

# Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Users"} 
Find-InterestingDomainAcl -ResolveGUIDs | ?{ $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl"

# Get ACLs for select groups
Get-DomainObjectACL -identity "Domain Admins" -ResolveGUIDs | ?{ $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl"

# Find Interesting ACLs from groups we are a member of
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "Standard-Users"}

# Find Interesting ACLs for groups a user is a member of (Recursive)
Get-DomainGroup -MemberIdentity "[User]" | Select-Object -ExpandProperty "SamAccountName" | ForEach-Object { Write-Host "Searching for interesting ACLs for $_" -ForegroundColor "Yellow"; Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -match $_ } }

# Get the ACLs associated with the specified LDAP path to be used for search
Get-DomainObjectAcl -ADSpath "LDAP://CN=DomainAdmins,CN=Users,DC=Security,DC=local" -ResolveGUIDs -Verbose

Dsacls.exe

It is possible to use a native windows binary (in addition to powershell cmdlet Get-Acl) to enumerate Active Directory object security persmissions. The binary of interest is dsacls.exe.

#Check "v4resk" user permissions against user's "pwned" AD object
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr "v4resk"

#Check "FullControl" permissions against user's "pwned" AD object
dsacls.exe "cn=pwned,cn=users,dc=contoso,dc=local" | findstr "full control"

#Check "v4resk" user permissions against group's "Domain Admin" AD object
dsacls.exe "cn=domain admins,cn=users,dc=contoso,dc=local" | findstr "v4resk"

SharpHound

DACL abuse potential paths can be identified by BloodHound from UNIX-like (using the Python ingestor bloodhound.py) and Windows (using the SharpHound ingestor) systems.

From UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.

BloodHound.py is a Python ingestor for BloodHound. Using the ACL CollectionMethod, we just collect abusable permissions on objects in Active Directory

bloodhound.py --zip -c ACL -d $DOMAIN -u $USERNAME -p $PASSWORD -dc $DOMAIN_CONTROLLER

SharpHound (sources, builds) is designed targeting .Net 4.5. It can be used as a compiled executable.

It must be run from the context of a domain user, either directly through a logon or through another method such as runas (runas /netonly /user:$DOMAIN\$USER) (see Impersonation). Alternatively, SharpHound can be used with the LdapUsername and LdapPassword flags for that matter.

Using the ACL CollectionMethod in SharpHound, we just collect abusable permissions on objects in Active Directory

# SharpHound.exe
SharpHound.exe --collectionmethod ACL

#SharHound.ps1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod ACL

Resources

Enumerating AD Object Permissions with dsaclsRed Team Notes

Last updated 1 year ago