
# Abusing Active Directory ACLs

List the ACEs assigned on the user object `alex.morph`, first with the ActiveDirectory module (`Get-ADUser`, `Get-ACL` over the `AD:` drive):

```powershell
(Get-ACL "AD:$((Get-ADUser -Identity 'alex.morph').distinguishedname)").access | select ActiveDirectoryRights,IdentityReference
```

The same with PowerView's `Get-ObjectAcl`, resolving each ACE's SID to a readable identity:

```powershell
Get-ObjectAcl -Identity alex.morph -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}
```

Which ACEs does the current account hold over domain groups (the filter matches only ACEs granted directly to `DOMAIN\username`, not rights inherited through group membership):

```powershell
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
```

The same command, but over domain users:

```powershell
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
```
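The commands above answer "what can I do" from one account's point of view. The complementary defensive question is "who holds takeover-grade rights on which objects", which is what an auditor runs to find the ACEs those commands would surface. The script below is an added example, not code from the original page or from PowerView; it uses only the RSAT ActiveDirectory module (`Get-ADGroup`, `Get-ADUser`, `Get-Acl` over the `AD:` drive). The `$ExpectedPrincipals` list and the choice of rights treated as high impact are assumptions to adjust per environment.

```powershell
# Added audit example (not from the original page): report ACEs on domain groups and users that grant
# takeover-grade rights to principals other than the expected administrative identities.
# Assumes the RSAT ActiveDirectory module and read access to the directory from a domain-joined host.
Import-Module ActiveDirectory

# Rights that let the holder rewrite or take ownership of the object outright.
$HighImpactRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

# Principals expected to hold such rights; assumption for this example, adjust per environment.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

function Get-RiskyAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $acl = Get-Acl -Path "AD:$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Deny entries cannot be abused for takeover, so only Allow entries are reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # ActiveDirectoryRights is a flags enum; ToString() yields e.g. "WriteDacl, WriteOwner".
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = $rights | Where-Object { $HighImpactRights -contains $_ }

        # ExtendedRight with an all-zero ObjectType GUID means "all extended rights", which is equally dangerous.
        if ($rights -contains 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty) {
            $hit = @($hit) + 'AllExtendedRights'
        }
        if (-not $hit) { continue }
        if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = ($hit -join ',')
            Inherited = $ace.IsInherited   # inherited entries usually trace back to an OU or domain-root ACE
        }
    }
}

# Audit every group and user object in the domain.
$targets = @(Get-ADGroup -Filter * | Select-Object -ExpandProperty DistinguishedName) +
           @(Get-ADUser  -Filter * | Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) { Get-RiskyAce -DistinguishedName $dn }
$findings | Sort-Object Principal, Object | Format-Table -AutoSize
```

Each line of output is a principal that could modify or take ownership of a group or user without being in the expected administrative set. Entries with `Inherited = True` are best fixed at the OU or domain object where the inheritable ACE was set, not on each child; explicit entries on individual objects are the ones most often left behind by delegation changes or tooling and deserve individual review.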
