ACL - active diretory
Just a reminder, in case I find one of these using BloodHound:
ForceChangePassword abused with Set-DomainUserPassword
Add Members abused with Add-DomainGroupMember
GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember
GenericWrite abused with Set-DomainObject
WriteOwner abused with Set-DomainObjectOwner
WriteDACL abused with Add-DomainObjectACL
AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember
AddSelf abused with Add-DomainGroupMember
DCSync is a technique for stealing the Active Directory password database by using the built-in Directory Replication Service Remote Protocol.
An example, as a reminder to myself:
1: We enumerated objects that the user wley has control over and found that we could force change the password of the user damundsen
2: From here, we found that the damundsen user can add a member to the Help Desk Level 1 group using GenericWrite privileges
3: The Help Desk Level 1 group is nested into the Information Technology group, which grants members of that group any rights provisioned to the Information Technology group
Source: https://academy.hackthebox.com/module/143/section/1456
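The three steps above are a reachability question over ACL and group-membership edges. As an added example (not from the source module and not BloodHound's own code), this Python code walks a constructed edge list backwards from a group to list every principal with a control path to it, plus the ACL edges worth reviewing. The edge list, the `jsmith` account and the function names are assumptions.

```python
from collections import deque

# Constructed edges modelling the three steps in the note: (source, right, target).
EDGES = [
    ("wley", "ForceChangePassword", "damundsen"),
    ("damundsen", "GenericWrite", "Help Desk Level 1"),
    ("Help Desk Level 1", "MemberOf", "Information Technology"),
    ("jsmith", "MemberOf", "Help Desk Level 1"),  # hypothetical ordinary member
]

# Rights from the list above (spelled as in the note), plus group nesting.
CONTROL_RIGHTS = {
    "ForceChangePassword", "AddMembers", "GenericAll", "GenericWrite",
    "WriteOwner", "WriteDACL", "AllExtendedRights", "AddSelf", "MemberOf",
}

def control_paths(edges, target):
    """Map each principal that can reach `target` to its shortest edge chain."""
    incoming = {}
    for src, right, dst in edges:
        if right in CONTROL_RIGHTS:
            incoming.setdefault(dst, []).append((src, right))
    paths = {target: []}
    queue = deque([target])
    while queue:  # reverse breadth-first search from the target
        node = queue.popleft()
        for src, right in incoming.get(node, []):
            if src not in paths:  # first visit is the shortest chain
                paths[src] = [(src, right, node)] + paths[node]
                queue.append(src)
    del paths[target]
    return paths

def edges_to_review(edges, target):
    """ACL edges (not plain memberships) that appear on any chain to `target`."""
    found = set()
    for chain in control_paths(edges, target).values():
        found.update(edge for edge in chain if edge[1] != "MemberOf")
    return sorted(found)

if __name__ == "__main__":
    for who, chain in control_paths(EDGES, "Information Technology").items():
        print(who, "->", " -> ".join(f"[{r}] {dst}" for _, r, dst in chain))
    print("Review:", edges_to_review(EDGES, "Information Technology"))
```

Removing either edge returned by `edges_to_review` breaks the chain from wley to the Information Technology group.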
In PowerView, the cmdlet names seem to follow a pattern like Get-..., Set-... or Add-...
E.g.: Add-DomainGroupMember
Get-DomainGroupMember
Set-DomainUserPassword
Set-DomainObject