ACLs
Last updated
#powershell
Commonly known as ACL-based attacks.
Some frequently misconfigured ACEs are:
ForceChangePassword
: Ability to set a user's current password without knowing the current password.
AddMembers
: Ability to add users or groups to the target group.
GenericAll
: Complete control over the object, including changing the password, registering an SPN, or adding the object to groups.
GenericWrite
: Ability to update any non-protected attribute of the target object. For example, update the ScriptPath attribute, which is the script that runs every time the user logs in.
WriteOwner
: Ability to update the owner of the target, making ourselves the owner and thereby gaining additional control over the target.
WriteDACL
: Ability to write additional ACEs to the target object's DACL. For example, we can add ACEs that grant our account full control over the target object.
AllExtendedRights
: Ability to perform any action associated with the extended AD rights against the target host.
These ACE misconfigurations can be easily identified with BloodHound/SharpHound.
These ACE misconfigurations can be abused with PowerSploit or with the AD RSAT module in PowerShell.
Change the user password: If you have User-Force-Change-Password or GenericAll rights over a user object, you can take over the account by setting a new password.
Make user Kerberoastable: If you can write an SPN into the ServicePrincipalName property of a user, you can perform Kerberoasting against that account and try to crack its password. Writing an SPN requires the validated write (WritePropertyExtended), GenericWrite or GenericAll.
Execute malicious script: If you can modify the ScriptPath property of a user, with WriteProperty, GenericWrite or GenericAll, then you can set a malicious file that is going to be executed the next time the user logs on. You can use . You may also need to enable the SCRIPT flag of the UserAccountControl property.
Add users to group: If you can modify the member property of a group, with WriteProperty, GenericWrite or GenericAll, then you can add any member to the group. If you have the Self-Membership right, you can add your current user to that group.
RBCD: If you can modify the msDS-AllowedToActOnBehalfOfOtherIdentity property of a computer account, with WriteProperty, GenericWrite or GenericAll, then you can configure Kerberos Resource-Based Constrained Delegation for another account to the computer's services and finally get access as admin to the computer.
LAPS: If you can read the ms-Mcs-AdmPwd confidential computer property, used by LAPS to store the machine's local administrator password, then you can read it and access the machine as local admin. You can identify the use of LAPS on a machine by checking whether the ms-Mcs-AdmPwdExpirationTime property exists on its computer account.
DCSync: If you have the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights over the domain object, then you can perform a DCSync attack to dump the database contents.
GPO abuse: If you can modify the GPC-File-Sys-Path of a GPO with WriteProperty, GenericWrite or GenericAll, then you can modify the GPO and achieve code execution on the computers affected by the GPO.
Modify ACLs: If you have the WriteDacl right (or GenericAll), then you can create an ACE granting any right on the object and perform one of the previous attacks. Also, if you have the WriteOwner right, you can change the object owner to your user and then modify the ACLs, since the owner has an implicit WriteDacl right.
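A defender's audit of the same rights, as an added example that is not part of the original notes: it walks user, group, computer, GPO and domain objects with the AD RSAT module and reports Allow ACEs that grant the rights listed above to principals outside an allow-list. The allow-list and the object filter are assumptions to adjust per domain; extended-right and attribute GUIDs are resolved from the directory rather than hard-coded.

```powershell
# Added audit example (not from the original notes). Assumes the ActiveDirectory RSAT
# module and read access to the directory; run as a normal domain user to see what an
# attacker with the same access would see.
Import-Module ActiveDirectory

# Principals expected to hold powerful rights; anything else is reported (assumption, tune per domain).
$Expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
              'CREATOR OWNER', 'Domain Admins', 'Enterprise Admins', 'Domain Controllers')
# Rights from the ACE list above (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty,
# Self-Membership, extended rights such as User-Force-Change-Password / DS-Replication-*).
$Dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|Self|ExtendedRight'

# Build GUID -> name map from the Extended-Rights container and the schema so that ObjectType
# on an ACE reads e.g. "User-Force-Change-Password" or "msDS-AllowedToActOnBehalfOfOtherIdentity".
$rootDse = Get-ADRootDSE
$GuidNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $GuidNames[$_.rightsGuid.ToString().ToLower()] = $_.displayName }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidNames[([guid]$_.schemaIDGUID).ToString().ToLower()] = $_.lDAPDisplayName }

# Object classes covered by the attacks on this page (users, groups, computers, GPOs, the domain head).
$Targets = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=groupPolicyContainer)(objectClass=domainDNS))'

foreach ($obj in $Targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $Dangerous) { continue }
        $who = $ace.IdentityReference.Value
        if ($Expected | Where-Object { $who -like "*$_*" }) { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        # An all-zero ObjectType means the right applies to every property / extended right of the object.
        if ($guid -eq '00000000-0000-0000-0000-000000000000') { $what = '(all)' }
        elseif ($GuidNames.ContainsKey($guid)) { $what = $GuidNames[$guid] }
        else { $what = $guid }
        [PSCustomObject]@{
            Object     = $obj.DistinguishedName
            Principal  = $who
            Rights     = $ace.ActiveDirectoryRights.ToString()
            ObjectType = $what
            Inherited  = $ace.IsInherited   # inherited entries usually point at a parent OU's ACL
        }
    }
}
```

Pipe the output to Export-Csv and diff it against a baseline; a new row on a domain object with ObjectType DS-Replication-Get-Changes-All, or on a computer with msDS-AllowedToActOnBehalfOfOtherIdentity, is exactly the edge BloodHound would draw.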