ACL/ACE Abuse
Generic All
This is also known as full control. This permission allows the trustee to manipulate the target object however they wish.
https://bloodhound.specterops.io/resources/edges/generic-all
Generic All on User
ForceChangePassword
The GenericAll permission grants <user/attacker> the ability to change the password of the user target without knowing their current password. This is equivalent to the "ForceChangePassword" edge in BloodHound.
Generic All on Group
Full control of a group allows you to directly modify group membership of the group.
There are at least two ways to execute this attack. The first and most obvious is by using the built-in net.exe binary in Windows:
net group "Domain Admins" harmj0y /add /domain
See the opsec considerations tab for why this may be a bad idea. The second, and highly recommended, method is the Add-DomainGroupMember function in PowerView. This function is superior to the net.exe binary in several ways: for instance, you can supply alternate credentials instead of needing to run a process as, or log on as, the user holding the AddMember permission, and you have much safer execution options than spawning net.exe (see the opsec tab).
Tools: PowerView, bloodyAD
Generic Write
Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.
The targetedKerberoast tool automatically attempts a targeted Kerberoast attack, either against all users or against a specific one if named on the command line, and obtains a crackable hash. The cleanup is done automatically as well.
The recovered hash can be cracked offline using the tool of your choice.
On User
With GenericWrite over a user, you can write to the “msds-KeyCredentialLink” attribute. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using Kerberos PKINIT. See more information under the AddKeyCredentialLink edge.
Alternatively, you can write to the “servicePrincipalNames” attribute and perform a targeted kerberoasting attack. See the abuse section under the WriteSPN edge for more information.
https://bloodhound.specterops.io/resources/edges/generic-write
WriteOwner
Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.
To change the ownership of the object, you may use Impacket's owneredit example script (cf. "grant ownership" reference for the exact link).
To abuse ownership of a user object, you may grant yourself the GenericAll permission.
Impacket's dacledit can be used for that purpose (cf. "grant rights" reference for the link).
Cleanup of the added ACL can be performed later on with the same tool.
WriteOwner on Group
Add a member to that group.
Targeted Kerberoast
https://github.com/ShutdownRepo/targetedKerberoast
Force Change Password
Use Samba's net tool to change the user's password. Credentials can be supplied in cleartext or are prompted for interactively if omitted from the command line; the new password is likewise prompted for if omitted.
It can also be done with pass-the-hash using pth-toolkit's net tool. If the LM hash is not known, use 'ffffffffffffffffffffffffffffffff'.
Shadow Credentials (msDS-KeyCredentialLink)
Steps:
- Get a TGT (ccache)
- Extract the NTLM hash
- From the PFX, extract a ccache and the NTLM hash
- set
- ccache
- Extract the NTLM hash
https://github.com/ShutdownRepo/pywhisker
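As an added defender-side example (not code from this page or from the tools it links), the check below runs over directory-change audit records and flags the attribute writes that correspond to the Generic Write, targeted Kerberoast, Shadow Credentials and group-membership paths above, including the add-then-delete pattern left by an automatic cleanup. The records are constructed, reduced to the fields of Windows Event ID 5136 (subject, object DN, attribute LDAP display name, operation type), and such events only exist where Directory Service Changes auditing and an object SACL are configured.

```python
from datetime import datetime, timedelta

# Attributes whose modification corresponds to the paths on this page (5136 "LDAP Display Name").
WATCHED = {
    "msDS-KeyCredentialLink": "shadow credentials (PKINIT as the target)",
    "servicePrincipalName": "targeted Kerberoast",
    "member": "group membership change",
    "nTSecurityDescriptor": "DACL or owner change",
}

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamps
SAMPLE = [  # constructed Event 5136 records, reduced to the fields this check uses
    {"time": T0, "subject": "CORP\\jdoe", "dn": "CN=svc-backup,OU=Service,DC=corp,DC=local",
     "attr": "servicePrincipalName", "op": "Value Added"},
    {"time": T0 + timedelta(seconds=40), "subject": "CORP\\jdoe",
     "dn": "CN=svc-backup,OU=Service,DC=corp,DC=local",
     "attr": "servicePrincipalName", "op": "Value Deleted"},
    {"time": T0 + timedelta(minutes=3), "subject": "CORP\\jdoe",
     "dn": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "attr": "msDS-KeyCredentialLink", "op": "Value Added"},
    {"time": T0 + timedelta(minutes=5), "subject": "CORP\\jdoe",
     "dn": "CN=svc-backup,OU=Service,DC=corp,DC=local",
     "attr": "description", "op": "Value Added"},
]

def detect(events, trusted=frozenset(), window=timedelta(minutes=10)):
    """Flag writes to watched attributes by untrusted subjects, and add-then-delete pairs on the
    same (subject, object, attribute) inside `window`, the signature of a scripted cleanup."""
    findings, last_add = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        attr = ev["attr"]
        if attr not in WATCHED or ev["subject"] in trusted:
            continue
        key = (ev["subject"], ev["dn"], attr)
        if ev["op"] == "Value Added":
            findings.append(("write", key, WATCHED[attr]))
            last_add[key] = ev["time"]
        elif ev["op"] == "Value Deleted" and key in last_add and ev["time"] - last_add[key] <= window:
            findings.append(("add-then-delete", key, WATCHED[attr]))
    return findings

if __name__ == "__main__":
    for kind, (subject, dn, attr), meaning in detect(SAMPLE):
        print(f"{kind}: {subject} modified {attr} on {dn} -> {meaning}")
```

The `trusted` set is where provisioning accounts that legitimately write these attributes go; everything else writing them is worth a ticket.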
DS-Replication-Get-Changes and DS-Replication-Get-Changes-All
With both of these rights, you can perform DCSync.
WriteDacl
With write access to the target object's DACL, you can grant yourself almost any privilege you want on the object.
Groups
With WriteDACL over a group, grant yourself the right to add members to the group:
See the abuse info for the AddMembers edge for more information about executing the attack from there.
Users
With WriteDACL over a user, grant yourself full control of the user object:
See the abuse info for GenericAll over a user for more information about how to continue from there.
Computers
With WriteDACL over a computer object, grant yourself full control of the computer object:
See the abuse info for GenericAll over a computer for more information about how to continue from there.
Domains
With WriteDACL against a domain object, grant yourself the ability to DCSync:
Then perform the DCSync attack.
GPOs
With WriteDACL over a GPO, grant yourself full control of the GPO:
Add-DomainObjectAcl -TargetIdentity TestGPO -Rights All
Then edit the GPO to take over an object the GPO applies to.
OUs
With WriteDACL over an OU, grant yourself full control of the OU:
Add-DomainObjectAcl -TargetIdentity (OU GUID) -Rights All
Then add a new ACE to the OU that inherits down to child objects to take over those child objects.
https://www.hackingarticles.in/abusing-ad-dacl-writedacl/
https://bloodhound.specterops.io/resources/edges/write-dacl
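As an added defender-side example (not code from this page or from BloodHound), the audit below parses an object's DACL in SDDL form and flags allow ACEs that grant the takeover rights covered in the Generic All, Generic Write, WriteOwner, WriteDacl and DCSync sections to trustees outside the expected admin set. The SDDL input, the trustee allowlist and the SIDs in the usage are assumptions; the attribute and extended-right GUIDs are the well-known schema values and should be checked against your own forest.

```python
import re
# SDDL right abbreviations (with the access-mask bits behind them) that let a trustee
# take over an object: the rights covered in the GenericAll/Write, WriteOwner, WriteDacl sections.
TAKEOVER = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDacl",
            "WO": "WriteOwner", "WP": "WriteProperty", "CR": "ControlAccess"}
MASK_BITS = {0x10000000: "GA", 0x40000000: "GW", 0x40000: "WD", 0x80000: "WO",
             0x20: "WP", 0x100: "CR"}
# Well-known schema attribute / extended-right GUIDs; verify against your own forest schema.
GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "5b47d60f-6090-40b2-9f37-2a4de88f3063": "msDS-KeyCredentialLink",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "servicePrincipalName",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "member",
}
# Trustees expected to hold such rights (assumption): SDDL aliases for Domain Admins,
# Enterprise Admins, Builtin Administrators and SYSTEM, plus the matching well-known RIDs.
EXPECTED_ALIASES = {"DA", "EA", "BA", "SY"}
EXPECTED_RIDS = {"500", "512", "519"}

def parse_rights(rights):
    """Expand an SDDL rights field (two-letter codes or a hex mask) into abbreviations."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {abbr for bit, abbr in MASK_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def is_expected(sid):
    return sid in EXPECTED_ALIASES or sid.rsplit("-", 1)[-1] in EXPECTED_RIDS

def audit_dacl(sddl):
    """Return (trustee, finding) pairs for allow ACEs granting takeover rights to unexpected trustees."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)       # isolate the DACL part of the descriptor
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue                                 # deny/audit ACEs grant nothing
        rights, obj_guid, sid = fields[2], fields[3].lower(), fields[5]
        if is_expected(sid):
            continue
        for abbr in sorted(parse_rights(rights) & set(TAKEOVER)):
            if abbr in ("CR", "WP") and obj_guid:
                if obj_guid in GUIDS:                # object-specific ACE on a tracked GUID
                    findings.append((sid, f"{TAKEOVER[abbr]}:{GUIDS[obj_guid]}"))
            else:                                    # right applies to the whole object
                findings.append((sid, TAKEOVER[abbr]))
    return findings
```

A CR or WP ACE with an empty object GUID is reported as a whole-object finding because it covers every extended right or every attribute, not just the tracked ones.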
Resources
https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/blob/master/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces.md
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
https://m8sec.medium.com/active-directory-acl-abuse-with-kali-linux-7434a27dd938
https://www.thehacker.recipes/ad/movement/dacl/