Access controls


Access privileges for resources in Active Directory Domain Services are usually granted through Access Control Entries (ACEs). An ACE describes the permissions allowed or denied to a principal in Active Directory on a securable object (user, group, computer, container, organizational unit (OU), GPO and so on).
DACLs (Active Directory Discretionary Access Control Lists) are lists of ACEs that identify the users and groups that are allowed or denied access to an object.
When misconfigured, ACEs can be abused for lateral movement or privilege escalation within an AD domain.


If an object's (called objectA) DACL features an ACE stating that another object (called objectB) has a specific right (e.g. GenericAll) over it (i.e. over objectA), attackers need to be in control of objectB to take control of objectA. The following abuses can only be carried out when running commands as the principal named in the ACE (objectB) (see impersonation techniques).


Potential ACE abuse paths can be identified with BloodHound from UNIX-like systems (using the Python ingestor) and from Windows systems (using the SharpHound ingestor).
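The DACL review described above can also be done without BloodHound, directly against the directory, which is what a defender auditing a sensitive object wants before the path ever shows up in a graph. The function below is an added example, not code from The Hacker Recipes; it assumes the RSAT ActiveDirectory module and the `AD:` PSDrive it provides, an account that can read the object's security descriptor, and a constructed allow-list of principals (`$ExpectedPrincipals`) that you adjust for your domain. It walks the `Access` entries of the object's DACL and reports every Allow ACE granting a control-equivalent right (GenericAll, GenericWrite, WriteDacl, WriteOwner from the `ActiveDirectoryRights` enum) to a principal outside that allow-list.

```powershell
# Added example (not from the page): flag ACEs on one AD object that give a
# non-expected principal control-equivalent rights. Assumes RSAT's ActiveDirectory
# module and read access to the object's security descriptor.
Import-Module ActiveDirectory

function Find-DangerousAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Constructed allow-list: principals that are expected to control the object.
        # Extend with your own tier-0 groups, e.g. "$env:USERDOMAIN\Domain Admins".
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    # Rights that, held over an object, amount to full control of it.
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll  -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl    -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    # Get-Acl on the AD: drive returns the object's security descriptor; .Access is its DACL.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    foreach ($ace in $acl.Access) {
        # Only Allow entries grant anything; Deny entries are not abuse candidates.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Skip ACEs that carry none of the dangerous bits.
        if (($ace.ActiveDirectoryRights -band $dangerous) -eq 0) { continue }

        $principal = $ace.IdentityReference.Value
        if ($ExpectedPrincipals -contains $principal) { continue }

        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $principal                 # the "objectB" that would need to be compromised
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited           # inherited ACEs point at a parent OU/container to fix
            ObjectType = $ace.ObjectType            # all-zero GUID = applies to the whole object
        }
    }
}

# Usage (constructed DN; replace with a real object in your domain):
Find-DangerousAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=example,DC=local' |
    Format-Table Principal, Rights, Inherited -AutoSize

# Sweep every object under an OU the same way (constructed OU DN):
# Get-ADObject -SearchBase 'OU=Tier0,DC=example,DC=local' -Filter * |
#     ForEach-Object { Find-DangerousAce -DistinguishedName $_.DistinguishedName }
```

Two points worth reading off the output: `Inherited` tells you whether the ACE was set on the object itself or flows down from a parent container, which is where the remediation has to happen, and `ObjectType` distinguishes a right over the whole object from one scoped to a single attribute or extended right, so a `WriteProperty` entry restricted to one attribute is not the same finding as an unscoped `GenericWrite`.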


In order to navigate the notes, testers can use the mindmap below.
All of the aforementioned attacks (red blocks) are detailed in the child notes, except:

