ACL Enumeration
Overview
Access Control List (ACL) enumeration is a critical phase in Active Directory penetration testing that reveals privilege escalation paths through object permissions and rights. Understanding how to systematically enumerate and analyze ACLs enables attackers to discover complex attack chains from low-privilege users to domain administrative access. This section covers both manual PowerView techniques and automated BloodHound analysis for comprehensive ACL assessment.
Strategic Context
ACL Fundamentals
Access Control Entries (ACEs): Individual permission entries within ACLs
Security Identifiers (SIDs): Unique identifiers for security principals
Extended Rights: Special permissions beyond standard read/write operations
Object Types: Users, groups, computers, and domain objects with ACLs
Attack Chains: Multi-hop privilege escalation through ACL exploitation
ACL Attack Scenarios
Targeted Enumeration: Starting from controlled user accounts
Group Membership Manipulation: Adding users to privileged groups
Password Reset Rights: Force changing other users' passwords
GenericAll/GenericWrite: Comprehensive control over target objects
DCSync Rights: Domain replication permissions for credential extraction
PowerView ACL Enumeration
Basic ACL Discovery with Find-InterestingDomainAcl
Example Output (Truncated):
Problem with Basic Enumeration:
Information Overload: Returns massive amounts of data
Time Consumption: Extremely inefficient during assessments
Analysis Paralysis: Difficult to identify actionable attack paths
Context Missing: Lacks focus on controlled users/assets
Targeted ACL Enumeration Strategy
Step 1: Convert Username to SID
Step 2: Basic Object ACL Search (Without GUID Resolution)
Example Raw Output:
Step 3: Manual GUID to Rights Mapping
GUID Resolution Output:
Step 4: Automated GUID Resolution with -ResolveGUIDs
Human-Readable Output:
Alternative Native PowerShell Methods
Method 1: Using Get-Acl and Get-ADUser
Native PowerShell Output:
Performance Note:
Much Slower: Takes significantly longer than PowerView
Resource Intensive: High CPU/memory usage in large environments
Less Efficient: Requires additional GUID resolution steps
Useful Backup: When PowerView is blocked or unavailable
Multi-Hop Attack Path Discovery
Attack Chain Example: wley → damundsen → Help Desk Level 1 → Information Technology → adunn → DCSync
Step 1: Initial User (wley) Analysis
Step 2: Second Hop Analysis (damundsen)
damundsen Rights Output:
Key Finding: damundsen has GenericWrite over "Help Desk Level 1" group!
Step 3: Group Nesting Analysis
Group Nesting Output:
Discovery: Help Desk Level 1 is nested in "Information Technology" group!
Step 4: Information Technology Group Rights
Information Technology Rights:
Key Finding: Information Technology group has GenericAll over adunn user!
Step 5: Final Target Analysis (adunn)
adunn Rights (DCSync Discovery):
JACKPOT: adunn has DS-Replication-Get-Changes and DS-Replication-Get-Changes-In-Filtered-Set → DCSync Attack!
BloodHound ACL Visualization
Attack Path Discovery with BloodHound
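Added example (not code from the HTB Academy section or from PowerView itself): a PowerShell script that automates Steps 1 to 4 above and the hop-by-hop walk of this section, so a chain like wley → adunn can be re-derived or audited in one run instead of one query per hop. It assumes PowerView.ps1 is already imported in a domain-joined session such as the lab RDP host; the starting principal wley, the helper names and the list of rights treated as "control" are my choices, not the page's.

```powershell
# Added example, not code from the HTB Academy section or from PowerView itself.
# Assumes PowerView.ps1 is already imported in a domain-joined session (the lab RDP
# host) and that the starting principal exists; 'wley' is the section's lab user.
# WriteProperty on a single attribute is left out; review those ACEs (e.g. on Member) by hand.
$ControlRights = 'GenericAll|GenericWrite|WriteOwner|WriteDacl|ExtendedRight|Self'

function Get-ControlEdges {
    # Steps 1-4 in one pass: principal and its groups -> SIDs -> their ACEs, GUIDs resolved.
    param([Parameter(Mandatory)][string]$Principal)
    $sids = @(Convert-NameToSid $Principal)
    # -MemberIdentity expands nested groups (Help Desk Level 1 -> Information Technology)
    $sids += Get-DomainGroup -MemberIdentity $Principal | ForEach-Object { $_.objectsid }
    # -Identity * pulls every object's DACL; slow in large domains, as the section notes
    Get-DomainObjectACL -ResolveGUIDs -Identity * |
        Where-Object { $sids -contains "$($_.SecurityIdentifier)" -and
                       "$($_.AceQualifier)" -eq 'AccessAllowed' -and
                       "$($_.ActiveDirectoryRights)" -match $ControlRights } |
        ForEach-Object {
            [pscustomobject]@{
                Source    = $Principal
                # resolved extended right (e.g. User-Force-Change-Password) when present
                Right     = if ($_.ObjectAceType) { "$($_.ObjectAceType)" } else { "$($_.ActiveDirectoryRights)" }
                Target    = $_.ObjectDN
                TargetSid = $_.ObjectSID
            }
        }
}

function Find-ControlChain {
    # BFS: each controlled user/group is the next hop; stops at DCSync rights, MaxDepth or a seen node
    param([Parameter(Mandatory)][string]$Start, [int]$MaxDepth = 5)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object System.Collections.Queue
    [void]$seen.Add($Start.ToLower())
    $queue.Enqueue(@{ Name = $Start; Path = $Start; Depth = 0 })
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        foreach ($edge in Get-ControlEdges -Principal $node.Name) {
            $path = "$($node.Path) -[$($edge.Right)]-> $($edge.Target)"
            if ($edge.Right -match 'DS-Replication-Get-Changes') { "DCSync rights: $path"; continue }
            if ($node.Depth -ge $MaxDepth -or -not $edge.TargetSid) { continue }
            $obj = Get-DomainObject -Identity $edge.TargetSid -Properties samaccountname,objectclass
            if ("$($obj.objectclass)" -match 'user|group' -and $seen.Add("$($obj.samaccountname)".ToLower())) {
                $path
                $queue.Enqueue(@{ Name = $obj.samaccountname; Path = $path; Depth = $node.Depth + 1 })
            }
        }
    }
}
Find-ControlChain -Start 'wley'
```

Each printed line is one hop of the chain in the same Source -[Right]-> Target form the section uses, which makes the output directly comparable with BloodHound's "Outbound Control Rights" view.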
Step 1: Data Collection
Step 2: Visual Analysis
Set Starting Node: Search for and select wley@INLANEFREIGHT.LOCAL
Node Info Tab: Scroll to "Outbound Control Rights"
First Degree Object Control: Shows direct rights (ForceChangePassword → damundsen)
Transitive Object Control: Shows full attack path (16 total objects)
Step 3: Interactive Attack Path
BloodHound Interface Features
Right-Click Help Menus:
Attack Information: Detailed exploitation techniques
Tool Commands: Specific commands for each attack
OPSEC Considerations: Stealth and detection avoidance
External References: Links to additional resources
Pre-Built Queries:
Find Shortest Paths to Domain Admins
Find Principals with DCSync Rights
Users with Foreign Domain Group Membership
Computers where Domain Users are Local Admin
HTB Academy Lab Solutions
Lab Questions & Solutions
Question 1: "What is the rights GUID for User-Force-Change-Password?"
Solution:
Answer: 00299570-246d-11d0-a768-00aa006e0529
Question 2: "What flag can we use with PowerView to show us the ObjectAceType in a human-readable format during our enumeration?"
Solution:
Answer: -ResolveGUIDs
Question 3: "What privileges does the user damundsen have over the Help Desk Level 1 group?"
Solution:
Answer: GenericWrite
Question 4: "Using the skills learned in this section, enumerate the ActiveDirectoryRights that the user forend has over the user dpayne (Dagmar Payne)."
Complete Lab Workflow:
Solution Process:
Actual Lab Output:
Answer: GenericAll
Question 5: "What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
Complete Solution Process (using same RDP session):
Actual Lab Output:
Key Observation: The first entry shows ObjectAceType : Self-Membership
Answer: Self-Membership
HTB Academy Lab Summary
All Verified Answers:
Rights GUID for User-Force-Change-Password: 00299570-246d-11d0-a768-00aa006e0529
PowerView flag for human-readable format: -ResolveGUIDs
damundsen privileges over Help Desk Level 1: GenericWrite
forend ActiveDirectoryRights over dpayne: GenericAll
forend ObjectAceType over GPO Management: Self-Membership
Key Lab Details:
RDP Credentials: htb-student:Academy_student_AD!
Target IP: 10.129.149.107 (example)
Tools Directory: C:\Tools\
PowerView Module: Import with Import-Module .\PowerView.ps1
Core Technique: Convert-NameToSid + Get-DomainObjectACL
Attack Path Discovered:
Advanced ACL Enumeration Techniques
Targeted Rights Enumeration
Object-Specific ACL Analysis
ACL Statistics and Analysis
Common ACL Attack Patterns
Password Reset Rights
Group Membership Manipulation
GenericAll Exploitation
DCSync Rights Discovery
Key Learning Objectives
PowerView Mastery
Targeted Enumeration: Start from controlled users, not broad sweeps
SID Conversion: Convert-NameToSid for efficient searches
GUID Resolution: Always use -ResolveGUIDs for readable output
Object Filtering: Use SecurityIdentifier filtering for precise results
Attack Path Discovery
Multi-Hop Thinking: Each compromised user opens new attack vectors
Group Nesting: Understand transitive group membership privileges
Rights Escalation: Map from basic user to domain admin systematically
Documentation: Track each hop in the attack chain
BloodHound Integration
Visual Confirmation: Use BloodHound to verify manual enumeration
Path Optimization: Find shortest routes to high-value targets
Query Mastery: Leverage pre-built and custom Cypher queries
Help Resources: Utilize right-click help for attack techniques
Operational Considerations
Time Management: Avoid getting lost in massive ACL outputs
Target Prioritization: Focus on privileged groups and admin accounts
Alternative Methods: Have backup techniques when tools are blocked
Performance Impact: Large environment enumeration can be resource-intensive
Quick Reference Commands
Essential ACL Enumeration Workflow
Common ACL Rights Reference

| Right Type | Capability | Attack Vector |
| --- | --- | --- |
| User-Force-Change-Password | Reset user passwords | Password reset attack |
| GenericAll | Full control over object | Complete compromise |
| GenericWrite | Modify object properties | Group membership, attributes |
| Self-Membership | Add self to group | Privilege escalation |
| DS-Replication-Get-Changes | Domain replication | DCSync attack |
| WriteProperty | Modify specific properties | Targeted attribute changes |
Key Takeaways
ACL Enumeration Best Practices
Start Targeted: Begin with controlled users, not domain-wide sweeps
Use -ResolveGUIDs: Always prefer human-readable output
Think Multi-Hop: Each user compromise opens new attack vectors
Document Paths: Track the full attack chain for reporting
Strategic Enumeration
User β Group β User Chains: Most common privilege escalation pattern
Group Nesting: Critical for transitive privilege inheritance
High-Value Targets: Domain Admins, Exchange admins, service accounts
DCSync Rights: Ultimate goal for credential extraction
Operational Insights
Time Boxing: Don't get lost in massive ACL outputs
Tool Redundancy: Have PowerShell alternatives when PowerView fails
BloodHound Confirmation: Visual validation of discovered paths
Performance Awareness: Large enumeration can impact target systems
Attack Chain Examples
wley → [ForceChangePassword] → damundsen → [GenericWrite] → Help Desk Level 1 → [MemberOf] → Information Technology → [GenericAll] → adunn → [DCSync] → Domain Compromise
Low-privilege User → [Self-Membership] → Privileged Group → [Group Rights] → High-value Target → [Administrative Access] → Domain Control
ACL enumeration transforms scattered AD permissions into clear attack paths, revealing how seemingly innocuous user rights can escalate to complete domain compromise through systematic privilege chaining.