Enumerating & Abusing AD ACLs using Mishky’s RedTeam & AbuseTool

Rich
6 min readAug 5, 2023

--

TL;DR We worked up a pair of tools called RedTeam & AbuseTool that enumerate rights in AD and then abuse them. The tools are here. Please leave any remarks or suggestions in the comments! We are open to recommendations, criticism, etc!

Welcome to the annexes of our Auditing AD Series!

Part I: 3 warm up questions to get us started

Part II: Who can reset the CISO’s password?

Part III: Who can execute DCSync?

Part IV: Who can modify the Domain Admins group?

Part V: P0wning a domain in minutes via ACL abuse (why auditing matters)

Part VI: Why Allow statements matter a LOT more than Deny ones

Part VII: Sneaky persistence via hidden objects in AD

Part VIII: SDDL, what is it, does it matter?

Part IX: Do you know who owns your domain?

Part X: Who can push ransomware via Group Policy?

Part XI: Free ways to simplify auditing AD

Part XII: Sidenote on arcane rights like Self

Part XIII: Sidenote on the ScriptPath right

Part XIV: Self & so called “Effective Permissions”

Part XV: Inheritance Explained & an Example

Part XVI: Summary of our Auditing AD Series

Annex A: Scrubbing Group Policy for local admins

Annex B: What Property Sets in AD are, & why they matter

Annex C: Dangerous Rights & RE GUIDs Cheatsheet

Annex D: Mishky’s Blue Team Auditor

Annex E: Even ChatGPT gets this stuff wrong

Annex F: Get-ADPermission Cheatsheet

Annex G: Mishky’s Red Team Enumerate & Attack tools

First we have to give credit where credit is due

Firstly let me say, none of this would have worked without ideas and modules from others. We here at test.local are not all that creative or original.

The entire idea borrowed heavily from Trimarc’s AD CS check and Will Shroeder’s, aka harmj0y’s, PowerView. The Red Team version relies on Alex Hansen’s Get-ADUserNestedGroups. We got into this arcane topic at all thanks to a now retired Microsoft exam, Sean Metcalf, CRTP, and Sanjay Tandon.

Background

We originally created a proof of concept for a version of PowerView’s Invoke-ACLScanner that uses builtin PowerShell functionality back in Part XI of the Auditing AD Series. It checked nested groups, didn’t trip Defender, and also looked for rights held by Everyone, Domain Users, etc. It wasn’t a bad start.

Here at test.local we’ve always had a “if it’s stupid but it works then it’s not stupid” mentality. We’d Google, use some trial & error, and duct tape together a query that worked but was ugly as sin. In that vein, the original Red Team tool simply enumerated rights held by the currently logged in user who ran it or any groups they were nested in. It had zero error handling, didn’t accept input, it just ran and output to the terminal.

It also expected that you had a cheatsheet of GUIDs nearby and knew what you were looking at.

Improvements

We later developed a Blue Team version that shows Dangerous Rights held by non-whitelisted users or groups. The code is better written, it included some error handling, accepted input, resolved common GUIDs, and output to text files by OU.

We wanted to practice more error handling, functions, and writing somewhat less ugly code so we went back to the Red Team version, tweaked it, and created an Abuse Tool to go with it.

Putting it all together

One can now run RedTeam.ps1 to import the functions. Then simply run ‘Get Rights’ to enumerate any Dangerous Rights held by the currently logged on user or ‘Get Rights <SamAccountName>’ to enumerate for a different user.

The query:

  • Imports the modules it needs
  • Checks to ensure the SamAccountName exists
  • Checks to ensure the account is in at least one group
  • Enumerates Dangerous rights held by that user, including any groups they are nested in
  • Outputs anything it finds both to the CLI and a text file in the pwd
  • Resolves GUIDs in the text file

We put Mishka in the SSPR group back when we were setting up hybrid AD. We simply nested the SSPR group in the Testing group, then gave that group some Dangerous Rights for testing purposes.

This is where Get-ADUserNestedGroups really shines.

One can then run AbuseTool.ps1. This presents a menu and helpful suggestions.

Abuse the scenario without having to know Set-Acl

Let’s use the group listed above first. We created a potential daisy chain for a mere Domain User named Mishka to add herself to the group Testers. We’ll assume that group has NTFS and/or share rights to juicy corporate data like proprietary source code.

BloodHound does an excellent job of showing this graphically, as well as providing a helpful step by step method to abuse this using PowerView.

Mishka can then use options 1, 2, and 3 in sequence to add herself to the group Testers.

Another example

Let’s reset Test Dummy’s password. Admittedly this doesn’t use Set-Acl, but the user doesn’t even have to Google how to reset a password in PowerShell.

Mishka can now login or RunAs Test Dummy, enumerate again, and abuse any rights that account holds. It’s the classic Credential Theft Shuffle.

Summary

Hopefully I got our point across. Objects in AD can act on other objects. BloodHound and PowerView already did a really great job of enumerating and abusing this. However neither of these are builtin and tend to trip Defender. I also wanted to learn something, which is really what this entire long, drawn out, and probably extremely boring to anyone that’s not me series was about.

If you read this and it helped you, then I’m flattered.

Regardless, I go back and check my own notes on here all the time. It helps me.

I said this earlier, but it bears repeating;

I really have to say that BloodHound and PowerView simply do an excellent job at this ‘out of the box’. If you want to gain a deeper understanding of the topic then do what we did. If you just want to check for ‘Dangerous Rights’ then use BloodHound and/or PowerView.

In summary, Mishky’s improved RedTeam and AbuseTool are here.

Please leave any remarks or suggestions in the comments! We are open to recommendations, criticism, etc!

References

Set-ADAccountPassword: https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adaccountpassword?view=windowsserver2022-ps

Open URL using the default browser: https://debug.to/696/open-url-in-browser-in-powershell

Get-ADUserNestedGroups: http://blog.tofte-it.dk/powershell-get-all-nested-groups-for-a-user-in-active-directory/

If/ElseIf/Else: https://ss64.com/ps/if.html

Rights matched to GUIDs: https://www.powershellgallery.com/packages/DSACL/1.0.0/Content/DSACL.psm1

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.