ACL Abuse
ACL BloodHound Abuse Hierarchy
Some AD object security permissions abusable with PowerView/SharpView:
ForceChangePassword abused with
Set-DomainUserPassword.AddMembers abused with
Add-DomainGroupMember.GenericAll abused with
Set-DomainUserPasswordorAdd-DomainGroupMember.GenericWrite abused with
Set-DomainObject.WriteOwner abused with
Set-DomainObjectOwner.WriteDACL abused with
Add-DomainObjectACL.AllExtendedRights abused with
Set-DomainUserPasswordorAdd-DomainGroupMember.
SDDL (Security Descriptor Definition Language)
At the lowest level, the Security Descriptor Definition Language is used in the nTSecurityDescriptor attribute (and on registry keys and NTFS files) to define the ACL. Fortunately, one does not need to know this level of detail in normal conditions.
But advanced administrators may want to write scripts or code that can correctly construct SDDL strings. Also the security templates (located at %systemroot%\security\templates) use SDDL if you manually edit them with a text editor instead of the MMC interface.manually editing these templates turns out to be the most effective way to manipulate them. It is most likely that you will simply need to be able to read a SDDL string.
Format of nTSecurityDescriptor string
Each nTSecurityDescriptor SDDL string is composed of 5 primary parts which correspond to the Header, DACL (D:), SACL (S:), primary group (G:)and owner (O:). Each of these parts is designated with the prefix noted in parenthesis. The header contains some record keeping information, along with 2 flags that designate whether the object is blocking inheritance for the SACL and DACL. The contents of both the primary group and owner parts are simply a single SID. The contents of both the SACL and DACL parts are a string with no fixed length. ACEs make up the contents of these strings. ACEs are enclosed within parenthesis, and there are 6 fields in each ACE. These 6 fields are separated by a semicolon delimiter. The fields are ACE type (allow/deny/audit), ACE flags (inheritance and audit settings), Permissions (list of incremental permissions), ObjectType (GUID), Inherited Object Type (GUID), and Trustee (SID).
ACE Type
The ACE type designates whether the trustee is allowed, denied or audited.
Value | Description |
βAβ | ACCESS ALLOWED |
βDβ | ACCESS DENIED |
βOAβ | OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S). |
βODβ | OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S). |
βAUβ | SYSTEM AUDIT |
βALβ | SYSTEM ALARM |
βOUβ | OBJECT SYSTEM AUDIT |
βOLβ | OBJECT SYSTEM ALARM |
ACE Flags
The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the audit settings.
Value | Description |
βCIβ | CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. |
βOIβ | OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. |
βNPβ | NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE. |
βIOβ | INHERITANCE ONLY: ACE DOESNβT APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE. |
βIDβ | ACE IS INHERITED |
βSAβ | SUCCESSFUL ACCESS AUDIT |
βFAβ | FAILED ACCESS AUDIT |
Permissions
The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee-these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.
Value | Description | Hexadecimal Value | Binary Bits from 0 |
Generic access rights | |||
βGAβ | GENERIC ALL | 0x10000000 | Bit 28 |
βGRβ | GENERIC READ | 0x80000000 | Bit 31 |
βGWβ | GENERIC WRITE | 0x40000000 | Bit 30 |
βGXβ | GENERIC EXECUTE | 0x20000000 | Bit 29 |
Directory service access rights | |||
βRCβ | Read Permissions | 0x20000 | Bit 17 |
βSDβ | Delete | 0x10000 | Bit 16 |
βWDβ | Modify Permissions | 0x40000 | Bit 18 |
βWOβ | Modify Owner | 0x80000 | Bit 19 |
βRPβ | Read All Properties | 0x00000010 | Bit 4 |
βWPβ | Write All Properties | 0x00000020 | Bit 5 |
βCCβ | Create All Child Objects | 0x00000001 | Bit 0 |
βDCβ | Delete All Child Objects | 0x00000002 | Bit 1 |
βLCβ | List Contents | 0x00000004 | Bit 2 |
βSWβ | All Validated Writes | 0x00000008 | Bit 3 |
βLOβ | List Object | 0x00000080 | Bit 7 |
βDTβ | Delete Subtree | 0x00000040 | Bit 6 |
βCRβ | All Extended Rights | 0x00000100 | Bit 8 |
File access rights | |||
βFAβ | FILE ALL ACCESS | ||
βFRβ | FILE GENERIC READ | ||
βFWβ | FILE GENERIC WRITE | ||
βFXβ | FILE GENERIC EXECUTE | ||
Registry key access rights | |||
βKAβ | KEY ALL ACCESS | 0xF003F | |
βKRβ | KEY READ | 0x20019 | |
βKWβ | KEY WRITE | 0x20006 | |
βKXβ | KEY EXECUTE | 0x20019 | |
KEY CREATE SUB KEYS | 0x0004 | ||
KEY ENUMERATE SUB KEYS | 0x0008 | ||
KEY NOTIFY | 0x0010 | ||
KEY QUERY VALUE | 0x0001 | ||
KEY SET VALUE | 0x0002 |
Object Type and Inherited Object Type
The ObjectType is a GUID representing an object class, attribute, attribute set, or extended right. If present it limits the ACE to the object the GUID represents. The Inherited Object Type is a GUID representing an object class. If present it limits inheritance of the ACE to the child entries of only that object class.
Trustee
The Trustee is the SID of the user or group being given access (or denied or audited). Instead of a SID, there are several commonly used acronyms for well-known SIDs. The most common are listed in the table below, but you can review more at https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings:
Value | Description |
βAOβ | Account operators |
βRUβ | Alias to allow previous Windows 2000 |
βANβ | Anonymous logon |
βAUβ | Authenticated users |
βBAβ | Built-in administrators |
βBGβ | Built-in guests |
βBOβ | Backup operators |
βBUβ | Built-in users |
βCAβ | Certificate server administrators |
βCGβ | Creator group |
βCOβ | Creator owner |
βDAβ | Domain administrators |
βDCβ | Domain computers |
βDDβ | Domain controllers |
βDGβ | Domain guests |
βDUβ | Domain users |
βEAβ | Enterprise administrators |
βEDβ | Enterprise domain controllers |
βWDβ | Everyone |
βPAβ | Group Policy administrators |
βIUβ | Interactively logged-on user |
βLAβ | Local administrator |
βLGβ | Local guest |
βLSβ | Local service account |
βSYβ | Local system |
βNUβ | Network logon user |
βNOβ | Network configuration operators |
βNSβ | Network service account |
βPOβ | Printer operators |
βPSβ | Personal self |
βPUβ | Power users |
βRSβ | RAS servers group |
βRDβ | Terminal server users |
βREβ | Replicator |
βRCβ | Restricted code |
βSAβ | Schema administrators |
βSOβ | Server operators |
βSUβ | Service logon user |
Let's say that the ACE on object A applies to object B. This grants or denies object B access to object A with the specified access rights.
ACE example in SDDL format:
Hunt for ACLs
ActiveDirectory
Enumerate ACLs which snovvcrash user possesses against j.doe user:
Enumerate which users possess GenericAll or AllExtendedRights permission against j.doe user:
PowerView analog:
Find all users who can DCSync and convert their SIDs to names:
PowerView2
Search for interesting ACLs:
Check if the attacker "MEGACORP\sbauer" has GenericWrite permissions on the "jorden" user object:
PowerView3
Search for interesting ACLs:
Check if the attacker "MEGACORP\sbauer" (S-1-5-21-3167813660-1240564177-918740779-3102) has GenericWrite permissions on the "jorden" user object:
The -ResolveGUIDs switch shows ObjectType and InheritedObjectType properties in a human readable form (not in GUIDs).
PowerView 3.0 does not return IdentityReference property, which makes it less handy for this task (however, you may filter the output by the attacker's SID). To automatically convert SIDs to names we can use the following loop:
Last updated
