ACL Domain Enumeration

Access Control List (ACL)

• It is a list of Access Control Entries (ACEs). Each ACE corresponds to an individual permission or audits access: who has permission, and what can be done on an object?

• Two types:

– DACL – Defines the permissions trustees (a user or group) have on an object.

– SACL – Logs success and failure audit messages when an object is accessed.

• ACLs are vital to the security architecture of AD.

PowerView

#Get the ACLs associated with the specified object
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs


#Get the ACLs associated with the specified prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose


#Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose


#Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs


#Check for rights/permissions for the RDPUsers group
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}


#Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

PowerShellADModule

#We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
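
The ActiveDirectory module returns ObjectType and InheritedObjectType as raw GUIDs. The following is an added example, not part of the original page, that resolves them for an ACL review by building a lookup from the schema and the Extended-Rights container; it assumes the RSAT ActiveDirectory module is available, and the function names Get-GuidNameMap and Get-ResolvedAcl are hypothetical.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and a session that can read the schema and configuration partitions.
Import-Module ActiveDirectory

function Get-GuidNameMap {
    # Hypothetical helper: GUID -> name for schema objects and extended rights.
    $root = Get-ADRootDSE
    $map  = @{}
    # Classes and attributes: schemaIDGUID is stored as a byte array.
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    # Extended rights, property sets, validated writes: rightsGuid is a string.
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.name }
    $map
}

function Get-ResolvedAcl {
    # Hypothetical helper: returns the DACL of one object with GUIDs replaced by names.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [hashtable]$GuidMap = (Get-GuidNameMap)
    )
    $resolve = {
        param([guid]$g)
        if ($g -eq [guid]::Empty)         { 'All' }          # ACE is not scoped to one type
        elseif ($GuidMap.ContainsKey($g)) { $GuidMap[$g] }
        else                              { $g.ToString() }  # unknown GUID: keep it visible
    }
    (Get-Acl -Path "AD:\$DistinguishedName").Access | ForEach-Object {
        [pscustomobject]@{
            IdentityReference     = $_.IdentityReference
            AccessControlType     = $_.AccessControlType
            ActiveDirectoryRights = $_.ActiveDirectoryRights
            ObjectType            = & $resolve $_.ObjectType
            InheritedObjectType   = & $resolve $_.InheritedObjectType
            IsInherited           = $_.IsInherited
        }
    }
}

# Build the map once, then review the explicit (non-inherited) ACEs on an object.
$guidMap = Get-GuidNameMap
Get-ResolvedAcl -GuidMap $guidMap `
    -DistinguishedName 'CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local' |
    Where-Object { -not $_.IsInherited } | Format-Table -AutoSize
```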
