Access privileges for resources in Active Directory Domain Services are usually granted through Access Control Entries (ACEs). An ACE describes the permissions allowed or denied to a principal in Active Directory on a securable object (user, group, computer, container, organizational unit (OU), GPO and so on).
DACLs (Active Directory Discretionary Access Control Lists) are lists made of ACEs (Access Control Entries).
When misconfigured, ACEs can be abused for lateral movement or privilege escalation within an AD domain.
To abuse an ACE, the attacker needs to control the principal the ACE grants rights to; this may in turn give control over the object the ACE applies to. The following abuses can only be carried out when running commands as the user the ACE is set on (see impersonation techniques).
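As an added example (not part of the original notes), the following Python script parses an object's DACL exported in SDDL form and flags the Allow ACEs that grant takeover-capable rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, extended rights) to trustees outside a set of expected admin SIDs, which is the check a defender runs to spot the misconfigurations described above. The SDDL string and its SIDs are constructed for the demo; the two GUIDs are the schema GUID of the `member` attribute and the DS-Replication-Get-Changes extended right.

```python
import re

# SDDL rights abbreviations -> access mask bits (ADS_RIGHT_* plus standard rights)
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Rights that let a trustee take over or rewrite the object: GenericAll, GenericWrite,
# WriteDacl, WriteOwner, WriteProperty and extended rights (control access).
DANGEROUS = ("GA", "GW", "WD", "WO", "WP", "CR")
# Well-known SIDs expected to hold such rights: SYSTEM, Builtin/Domain/Enterprise Admins
TRUSTED = {"SY", "BA", "DA", "EA"}

def parse_rights(field):
    """The rights field is either a hex access mask or concatenated two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on an unknown code is deliberate
    return mask

def parse_dacl(sddl):
    """Return the ACEs of the D: component as (type, flags, mask, object_guid, sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = body.split(";")[:6]
        aces.append((ace_type, flags, parse_rights(rights), obj_guid, sid))
    return aces

def risky_aces(sddl, trusted=TRUSTED):
    """Allow ACEs that grant DANGEROUS rights to a trustee outside the trusted set."""
    findings = []
    for ace_type, _flags, mask, obj_guid, sid in parse_dacl(sddl):
        if ace_type not in ("A", "OA") or sid in trusted:
            continue  # deny ACEs grant nothing; admin trustees are expected
        hits = sorted(r for r in DANGEROUS if mask & RIGHTS[r])
        if hits:  # an object GUID narrows the right to one attribute/extended right
            findings.append((sid, hits, obj_guid or "*"))
    return findings

# Constructed sample: a group object's DACL as SDDL, the form returned by
# (Get-Acl "AD:\<dn>").Sddl. SIDs are made up; the GUIDs are the "member"
# attribute and the DS-Replication-Get-Changes extended right.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
               "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-11-22-33-1105)"
               "(A;;0x000f01ff;;;S-1-5-21-11-22-33-1106)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-11-22-33-1107)")
```

Running `risky_aces(SAMPLE_SDDL)` reports three ACEs: WriteProperty on `member` for RID 1105, full control (WriteDacl, WriteOwner, WriteProperty and extended rights) for RID 1106, and the replication extended right for RID 1107, while the Domain Admins and Authenticated Users entries are not flagged.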
In order to navigate the notes, testers can use the mindmap below.
All of the aforementioned attacks (red blocks) are detailed in the child notes, except:
Shadow Credentials: see ADDS > Movement > Kerberos > Shadow Credentials
Kerberos RBCD: see ADDS > Movement > Kerberos > Kerberos Delegations > RBCD
GPO abuses: see ADDS > Movement > GPOs
DCSync: see ADDS > Movement > Credential > Dumping > DCSync