Access Control Entries (ACEs)

Theory

Access privileges for resources in Active Directory Domain Services are usually granted through Access Control Entries (ACEs). An ACE describes the permissions allowed or denied to a principal in Active Directory on a securable object (user, group, computer, container, organizational unit (OU), GPO and so on).

DACLs (Discretionary Access Control Lists) on Active Directory objects are lists of ACEs (Access Control Entries).

When misconfigured, ACEs can be abused to perform lateral movement or privilege escalation within an AD domain.
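To see what this looks like in practice from the defender's side, here is an added example (not code from the original notes) that reads the DACL of AD objects with the RSAT ActiveDirectory module and reports the Allow ACEs granting control-type rights to principals other than the expected administrative ones. The OU path and the list of expected principals are assumptions to adjust for your domain.

```powershell
# Added example (not part of the original notes): audit the DACL of AD objects
# and report ACEs that grant control-type rights to unexpected principals.
# Requires the RSAT ActiveDirectory module, which also provides the AD: drive.
Import-Module ActiveDirectory

# Rights that imply control over an object (or over what the ACE applies to).
$ControlRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner',
                 'WriteProperty', 'ExtendedRight'

# Principals expected to hold such rights; assumption, adjust to your domain.
$ExpectedPrincipals = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                      'Domain Admins', 'Enterprise Admins'

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant rights; Deny ACEs are not a risk here.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # ActiveDirectoryRights is a flags enum, e.g. "WriteDacl, WriteOwner".
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = $rights | Where-Object { $ControlRights -contains $_ }
        if (-not $hit) { continue }

        # Skip principals that are expected to control the object.
        $principal = $ace.IdentityReference.Value
        if ($ExpectedPrincipals | Where-Object { $principal -like "*$_" }) { continue }

        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $principal
            Rights     = ($hit -join ',')
            # All-zero GUID means the right covers the whole object; a specific
            # GUID scopes WriteProperty/ExtendedRight to one attribute or right
            # and should be checked against what that GUID refers to.
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}

# Review every user object under a hypothetical OU (assumed path).
Get-ADObject -SearchBase 'OU=Staff,DC=example,DC=local' -Filter 'objectClass -eq "user"' |
    ForEach-Object { Get-RiskyAce -DistinguishedName $_.DistinguishedName } |
    Format-Table -AutoSize
```

Entries scoped to a specific ObjectType GUID are often legitimate (self-service attribute writes, delegated password resets), so the output is a review list, not a finding by itself.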

Practice

Requirements

The attacker needs to be in control of the principal the ACE is set for in order to abuse it and possibly gain control over what this ACE applies to. The following abuses can only be carried out when running commands as that principal (see impersonation techniques).

Windows or UNIX?

All abuses below can be carried out on a Windows system that doesn't even have to be joined to the domain. On UNIX-like systems, a few of the following abuses can be carried out with tools like aclpwn (I often have issues with this one) and ntlmrelayx. Abusing ACEs from a Windows machine is usually easier though.

Exploitation paths

In order to navigate the notes, testers can use the mindmap below.

All of the aforementioned attacks (red blocks) are detailed in the child notes, except:

Resources