ACL Domain Enumeration
Access Control List (ACL)
• It is a list of Access Control Entries (ACEs) – each ACE corresponds to an individual permission or audits access: who has permission, and what can be done on an object.
• Two types:
– DACL – Defines the permissions trustees (a user or group) have on an object.
– SACL – Logs success and failure audit messages when an object is accessed.
• ACLs are vital to the security architecture of AD.
PowerView
#Get the ACLs associated with the specified object
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
#Get the ACLs associated with the specified prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
#Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
#Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
#Check for rights/permissions held by the RDPUsers group
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}
#Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
PowerShell AD Module
#We can also enumerate ACLs using the ActiveDirectory module, but without resolving GUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
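Because the ActiveDirectory module returns ObjectType and InheritedObjectType as raw GUIDs, an ACL review needs a lookup table to read them. The following is an added example, not part of the original page: it builds that table from the schema and the Extended-Rights container, then lists the Allow ACEs on the object above that grant write-type or extended rights. It assumes the RSAT ActiveDirectory module is loaded; `Resolve-AceGuid`, `$guidMap` and `$risky` are hypothetical names chosen for illustration.

```powershell
# Added example: resolve ACE GUIDs when auditing with the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$guidMap = @{}   # GUID -> readable name

# Schema classes and attributes are identified by schemaIDGUID (stored as bytes).
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights are identified by rightsGuid (stored as a string).
# Indexer assignment is used because a few rights share one GUID.
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Hypothetical helper: turn an ACE GUID into a name, falling back to the GUID.
function Resolve-AceGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return 'All' }   # ACE is not scoped to one type
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Object taken from the page's own example.
$dn    = 'CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
# Rights worth a manual review when held by an unexpected trustee.
$risky = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'

(Get-Acl "AD:\$dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.ActiveDirectoryRights)" -match $risky
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'ObjectType';          Expression = { Resolve-AceGuid $_.ObjectType } },
        @{ Name = 'InheritedObjectType'; Expression = { Resolve-AceGuid $_.InheritedObjectType } } |
    Format-Table -AutoSize
```

Rows whose IdentityReference is not an expected administrative group are the ones to investigate and, where unjustified, remove.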