# Access Control Lists

All objects within a domain are subject to the permissions given to them. Permissions can be granted manually, inherited, or derived from the groups each object is in.

Red Teamers and Penetration Testers should take care to notice what permissions each object has, the relationships different objects have with one another, and the privileges the objects themselves hold, in order to draw out a clearer attack path.

In general, ACLs are lists of Access Control Entries (ACEs), and they come in two types:

* DACL (Discretionary ACL) - Defines the permissions a user or group has on an object
* SACL (System ACL) - Defines the success and failure audits generated when an object is accessed

All of these individual entries are grouped into an ACL for each object. These ACLs are written in the Security Descriptor Definition Language (SDDL) but are easily viewed and changed within the Windows GUI (see the picture below). These ACLs describe what permissions objects have over one another and their access to other resources within the network.

![ACL viewed in the Windows GUI](https://2338305779-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoFeKgv7dJ2p9N50bTG5J%2Fuploads%2FS6KxCg27Rya0YvKhk50w%2FACL.png?alt=media&token=38684370-65d9-48db-a76d-926a42d2064d)

Attackers should look for permissions within these relationships that give them an opportunity to increase their privileges within the network. The following permissions provide excellent opportunities to increase your privileges if the user/object you wish to attack has more privileges than the position you currently hold [1]:

* Replicating Directory Changes All
* Replicating Directory Changes (DS-Replication-Get-Changes)
* GenericAll
* GenericWrite
* WriteDACL
* Self
* WriteOwner
* WriteProperty
* CreateChild
* DeleteChild
* Extended Right
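
From the defensive side, the same list can drive an audit. The following Python is an added example (not part of the original page or of any tool it mentions) that parses an SDDL string into its DACL and SACL and reports allow ACEs granting one of the rights listed above to an unexpected trustee. The function names, the `EXPECTED` trustee set and the sample SIDs are assumptions made for illustration.

```python
import re

# SDDL right code -> (name used in the list above, access-mask bit)
RISKY = {
    "GA": ("GenericAll", 0x10000000), "GW": ("GenericWrite", 0x40000000),
    "WD": ("WriteDACL", 0x00040000), "WO": ("WriteOwner", 0x00080000),
    "WP": ("WriteProperty", 0x20), "SW": ("Self", 0x08),
    "CC": ("CreateChild", 0x01), "DC": ("DeleteChild", 0x02),
    "CR": ("ExtendedRight", 0x100),
}
# Object GUIDs of the two replication extended rights
REPLICATION = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: trustees expected to hold broad rights; tune per environment.
EXPECTED = {"SY", "DA", "EA", "BA"}

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]}: ACE field lists for the DACL and SACL.
    Conditional ACEs (nested parentheses) are not handled."""
    parts = re.split(r"([OGDS]):", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    return {k: [a.split(";") for a in re.findall(r"\(([^()]*)\)", sections.get(k, ""))]
            for k in "DS"}

def risky_aces(sddl, expected=EXPECTED):
    """Return (trustee, [right names]) for allow ACEs that grant a listed right."""
    findings = []
    for ace_type, _flags, rights, guid, _inherit, trustee, *_ in parse_sddl(sddl)["D"]:
        if ace_type not in ("A", "OA") or trustee in expected:
            continue  # only allow ACEs held by unexpected trustees matter here
        if rights.lower().startswith("0x"):  # rights written as a hex access mask
            mask = int(rights, 16)
            names = [name for name, bit in RISKY.values() if mask & bit]
        else:  # rights written as concatenated two-letter codes
            names = [RISKY[c][0] for c in re.findall(r"[A-Z]{2}", rights) if c in RISKY]
        if "ExtendedRight" in names and guid.lower() in REPLICATION:
            names[names.index("ExtendedRight")] = REPLICATION[guid.lower()]
        if names:
            findings.append((trustee, names))
    return findings

# Constructed sample: the S-1-5-21-1-2-3-* SIDs are made-up low-privileged accounts.
SAMPLE = ("O:DAG:DAD:AI(A;;GA;;;DA)(A;;RPLCLORC;;;AU)(A;;RPWPWD;;;S-1-5-21-1-2-3-1105)"
          "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)"
          "S:AI(AU;SA;WDWO;;;WD)")
print(risky_aces(SAMPLE))
```

In the sample's SACL entry, `WD` appears twice with different meanings: in the rights field it is WriteDACL, while in the trustee field it is the Everyone alias. That entry only configures auditing and grants nothing.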

## Enumeration Techniques

### Getting ACLs for a Specified Object

```powershell
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs # PowerView
```

Using pywerview.py:

```bash
python pywerview.py get-objectacl -w bizcorp.local -u <user> -p <pass> -t <target-ip> --resolve-guids --sam-account-name <user> [--dc-ip <dc-ip>]
```

### Get ACLs with a Specified Prefix

```powershell
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose # PowerView
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=bizcorp,DC=local').Access # AD Module
```

### Get ACLs for a Specified LDAP Path

```powershell
Get-ObjectAcl -ADSpath "LDAP://CN=DomainAdmins,CN=Users,DC=bizcorp,DC=local" -ResolveGUIDs -Verbose # PowerView
```

Using pywerview.py:

```bash
python pywerview.py get-objectacl -w bizcorp.local -u <user> -p <pass> -t <target-ip> --resolve-guids [--dc-ip <dc-ip>] -a "LDAP://CN=DomainAdmins,CN=Users,DC=bizcorp,DC=local"
```

### Finding Interesting ACEs

```powershell
Invoke-ACLScanner -ResolveGUIDs # PowerView
```

### To Check Permissions for a User/Group Over Other Objects

```powershell
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "<group>"} # PowerView
```

## References:

\[1]: <https://adsecurity.org/?p=3658>
