Access controls

Theory

Access privileges for resources in Active Directory Domain Services are usually granted through the use of an Access Control Entry (ACE). Access Control Entries describe the allowed and denied permissions for a principal in Active Directory against a securable object (user, group, computer, container, organizational unit (OU), GPO and so on).
DACLs (Active Directory Discretionary Access Control Lists) are lists made of ACEs (Access Control Entries) that identify the users and groups that are allowed or denied access on an object.
When misconfigured, ACEs can be abused for lateral movement or privilege escalation within an AD domain.

Practice

If the DACL of an object (called objectA) features an ACE stating that another object (called objectB) has a specific right (e.g. GenericAll) over it (i.e. over objectA), attackers need to control objectB in order to take control of objectA. The following abuses can only be carried out when running commands as the principal mentioned in the ACE (objectB) (see impersonation techniques).

Recon

Potential ACE abuse paths can be identified with BloodHound from UNIX-like systems (using the Python ingestor bloodhound.py) and from Windows systems (using the SharpHound ingestor).
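A defender-side check on a single object, added here as an example that is not part of these notes or of BloodHound: it parses the object's security descriptor in SDDL form and flags allow ACEs granting rights such as GenericAll to principals outside an expected admin set. The SDDL string, the SIDs and the object GUID are constructed sample data, and the set of rights treated as abusable is this example's own assumption.

```python
"""Added example (not from these notes): audit an AD object's DACL given as an SDDL string and
report allow ACEs granting rights that let whoever controls the grantee take over the object."""
import re

# ActiveDirectoryRights names/values (System.DirectoryServices), keyed by SDDL abbreviation
SDDL_RIGHTS = {
    "CC": ("CreateChild", 0x1), "DC": ("DeleteChild", 0x2), "LC": ("ListChildren", 0x4),
    "SW": ("Self", 0x8), "RP": ("ReadProperty", 0x10), "WP": ("WriteProperty", 0x20),
    "DT": ("DeleteTree", 0x40), "LO": ("ListObject", 0x80), "CR": ("ExtendedRight", 0x100),
    "SD": ("Delete", 0x10000), "RC": ("ReadControl", 0x20000), "WD": ("WriteDacl", 0x40000),
    "WO": ("WriteOwner", 0x80000), "GX": ("GenericExecute", 0x20004),
    "GW": ("GenericWrite", 0x20028), "GR": ("GenericRead", 0x20094), "GA": ("GenericAll", 0xF01FF),
}
# Rights whose holder (objectB) can modify or take over the target (objectA); this set is an assumption
ABUSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
            "WriteProperty", "Self", "ExtendedRight"}
# SDDL ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)")

def parse_rights(field):
    """Decode an SDDL rights field ('GA', 'RPWPCR' or hex '0x000c0000') into right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        hit = {name: bit for name, bit in SDDL_RIGHTS.values() if mask & bit == bit}
        # keep only the widest matches, so 0xf01ff reports GenericAll rather than every subset
        return {n for n, b in hit.items() if not any(b != o and b & o == b for o in hit.values())}
    return {SDDL_RIGHTS[field[i:i + 2]][0] for i in range(0, len(field), 2)}

def audit_dacl(sddl, trusted_sids):
    """Return allow ACEs granting an abusable right to a principal outside trusted_sids.
    Only the D: (DACL) part is examined; owner, group and SACL parts are ignored."""
    dacl = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    findings = []
    aces = ACE_RE.findall(dacl.group(1)) if dacl else []
    for ace_type, _flags, rights, obj_guid, _inh, sid in aces:
        if ace_type not in ("A", "OA"):  # deny and audit ACEs grant nothing to abuse
            continue
        risky = parse_rights(rights) & ABUSABLE
        if risky and sid not in trusted_sids:
            findings.append({"sid": sid, "rights": sorted(risky), "object_guid": obj_guid or None})
    return findings

# Constructed sample: DA/BA/SY/AU are SDDL aliases; the S-1-5-21 SIDs and the GUID are placeholders
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI(A;;GA;;;DA)(A;;RPWPCRLCLORCSDDT;;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;;CR;00000000-0000-0000-0000-000000000001;;S-1-5-21-1111-2222-3333-1106)"
    "(A;;0x000c0000;;;S-1-5-21-1111-2222-3333-1107)(A;;RPLCLORC;;;AU)"
    "(D;;WP;;;S-1-5-21-1111-2222-3333-1108)"
)
TRUSTED = {"DA", "BA", "SY"}  # expected admin aliases: Domain Admins, Builtin Admins, Local System
```

Calling audit_dacl(SAMPLE_SDDL, TRUSTED) flags the three non-admin principals (WriteProperty with ExtendedRight, an object-specific ExtendedRight, and WriteDacl with WriteOwner), while the Domain Admins GenericAll ACE, the read-only Authenticated Users ACE and the deny ACE are not reported.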

Abuse

In order to navigate the notes, testers can use the mindmap below.
All of the aforementioned attacks (red blocks) are detailed in the child notes, except:
Self-attacks

Resources

ActiveDirectoryRights Enum (System.DirectoryServices) (Microsoft Docs)
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericall-on-user (ired.team)
BloodHound 1.3 – The ACL Attack Path Update (wald0.com)
SelfADSI : Active Directory Permissions : Security Descriptors
Scanning for Active Directory Privileges & Privileged Accounts (Active Directory Security)