Active Directory ACL misconfiguration abuse
Active Directory is a complex ecosystem. There are hundreds of objects (i.e. groups, machines, users) in each domain. Each object has a list of Access Control Entries (ACEs). Each ACE defines:
- ACE Type - allow or deny.
- Security Principal - a user or group to which the permissions apply.
- Permissions - what actions the Security Principal is allowed or denied. They can include actions such as
read,write, delete and so on.
There is a lot of combinations of ACEs that create potential for abuse. E.g., when a non-Domain Admins user has the ability to edit the Domain Admins group, they can add themselves to that group. There are many such misconfigurations and we will not list them all here.
Read about many ways to abusing Active Directory ACLs/ACEs: Ired, Abusing Active Directory ACLs/ACEs
Automated Tooling
Of course, everything can be enumerated manually, but there are tools that make the process easier. For Example, BloodHound can find a lot of ACL misconfigurations in a domain by default and it's probably the best option out of the box. People create many scripts searching for certain misconfigurations, some of them below:
Windows (PowerView module):
Find-InterestingDomainAcl -ResolveGUIDsWindows (AD ACL Scanner module):
.\ADACLScan.ps1 -AccessType AllowManual Checking
It's also possible to perform manual checking of ACLs.
# List all identities which have GenericAll privileges on Object
Get-ObjectAcl -Identity $object_name | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
# Convert SID to object name
"$sid_1","$sid_2","$sid_3" | Convert-SidToName