
ACLs are lists that define who has access to which resource.

Hierarchy: an ACL (the object's DACL or SACL) is a list of ACEs.

  • There are two types of ACLs:

    • Discretionary access control list (DACL)

      • defines which security principals are granted or denied access to an object. DACLs are made up of ACEs that either allow or deny access.

    • System access control list (SACL)

      • allows administrators to log access attempts made to secured objects.

ACEs

An ACL contains ACE entries, each naming a user or group and the level of access it has over a given securable object. There are three types of ACEs: access-denied ACE, access-allowed ACE, and system-audit ACE.

  • Each ACE is made up of four components:

    • The security identifier (SID) of the user/group that has access to the object.

    • A flag denoting the type of ACE (access-allowed, access-denied, or system-audit ACE).

    • A set of flags that specify whether or not child objects can inherit the given ACE entry from the parent object.

    • An access mask that defines the rights granted (or denied) over the object.

  • Why are ACEs important? Attackers use ACE entries either to extend their access or to establish persistence. Many organizations are unaware of the ACEs applied to each object, and misconfigured ACEs are not detected by vulnerability scanning tools. Enumeration tools such as BloodHound and PowerView can be used to investigate permissions.

  • Permissions can be abused:

    • ForceChangePassword abused with Set-DomainUserPassword

    • AddMembers abused with Add-DomainGroupMember

    • GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember

    • GenericWrite abused with Set-DomainObject

    • WriteOwner abused with Set-DomainObjectOwner

    • WriteDACL abused with Add-DomainObjectACL

    • AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember

    • AddSelf abused with Add-DomainGroupMember

  • ACL attacks in the wild:

    • Lateral movement

    • Privilege escalation

    • Persistence
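The four ACE components and the allow/deny evaluation described above, together with an audit pass that flags the abusable rights in the list, as an added example that is not part of the original notes. Everything below is constructed: the SIDs, the "trusted" SID set and the sample DACL are made up; the mask bits and ACE type values are the Windows SDK / MS-DTYP constants; the two GUIDs are the AD schema rightsGuid of User-Force-Change-Password and the schemaIDGUID of the `member` attribute. The evaluation is a simplified model of the MS-DTYP DACL walk (no owner rights, no per-attribute object-type matching in `check_access`), and the generic-to-specific mapping is an approximation labelled as such in the code.

```python
"""Constructed model of Windows DACL evaluation plus a dangerous-ACE audit.
SIDs, principal names and the sample DACL are made up for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ACE types (component 2 of an ACE)
ACCESS_ALLOWED, ACCESS_DENIED, SYSTEM_AUDIT = 0, 1, 2
# Inheritance flags (component 3)
INHERIT_ONLY_ACE, INHERITED_ACE = 0x08, 0x10
# Access-mask bits relevant to AD object abuse (component 4)
ADS_RIGHT_DS_SELF           = 0x00000008   # AddSelf (validated write)
ADS_RIGHT_DS_WRITE_PROP     = 0x00000020   # WriteProperty
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # extended rights (ForceChangePassword, ...)
WRITE_DACL                  = 0x00040000
WRITE_OWNER                 = 0x00080000
GENERIC_ALL                 = 0x10000000
GENERIC_WRITE               = 0x40000000
# AD schema GUIDs used in object-specific ACEs
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
MEMBER_ATTR_GUID           = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # member attribute

@dataclass
class ACE:
    sid: str                # component 1: trustee SID
    ace_type: int           # component 2: allowed / denied / audit
    flags: int              # component 3: inheritance flags
    mask: int               # component 4: rights granted or denied
    object_type: str = ""   # GUID scoping CONTROL_ACCESS / WRITE_PROP ("" = all)

def expand_generic(mask: int) -> int:
    """Approximate GENERIC_MAPPING for AD objects (assumption: GenericAll covers
    every standard and DS-specific right, GenericWrite covers WriteProperty + AddSelf)."""
    if mask & GENERIC_ALL:
        mask |= 0x000FFFFF
    if mask & GENERIC_WRITE:
        mask |= ADS_RIGHT_DS_WRITE_PROP | ADS_RIGHT_DS_SELF
    return mask

def check_access(dacl: Optional[List[ACE]], token_sids: Set[str], desired: int) -> bool:
    """First-match walk of a canonical DACL (explicit denies come first), after
    MS-DTYP 2.5.3.2. A NULL DACL (None) grants everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.flags & INHERIT_ONLY_ACE or ace.sid not in token_sids:
            continue                       # does not apply to this object / principal
        mask = expand_generic(ace.mask)
        if ace.ace_type == ACCESS_DENIED and mask & remaining:
            return False                   # a deny on any still-wanted right ends the walk
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~mask             # accumulate granted rights
            if remaining == 0:
                return True
    return remaining == 0

# (mask bit, right name, PowerView cmdlet the notes list as the abuse primitive)
DANGEROUS = [
    (GENERIC_ALL,       "GenericAll",  "Set-DomainUserPassword / Add-DomainGroupMember"),
    (GENERIC_WRITE,     "GenericWrite", "Set-DomainObject"),
    (WRITE_OWNER,       "WriteOwner",  "Set-DomainObjectOwner"),
    (WRITE_DACL,        "WriteDACL",   "Add-DomainObjectACL"),
    (ADS_RIGHT_DS_SELF, "AddSelf",     "Add-DomainGroupMember"),
]

def audit_dacl(dacl: List[ACE], trusted_sids: Set[str]) -> List[Tuple[str, str, str]]:
    """Report allow ACEs that hand an abusable right to a principal outside trusted_sids."""
    findings = []
    for ace in dacl:
        if ace.ace_type != ACCESS_ALLOWED or ace.sid in trusted_sids:
            continue
        for bit, name, cmdlet in DANGEROUS:
            if ace.mask & bit:
                findings.append((ace.sid, name, cmdlet))
        if ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            if ace.object_type == "":
                findings.append((ace.sid, "AllExtendedRights", "Set-DomainUserPassword / Add-DomainGroupMember"))
            elif ace.object_type.lower() == FORCE_CHANGE_PASSWORD_GUID:
                findings.append((ace.sid, "ForceChangePassword", "Set-DomainUserPassword"))
        if ace.mask & ADS_RIGHT_DS_WRITE_PROP and ace.object_type.lower() == MEMBER_ATTR_GUID:
            findings.append((ace.sid, "AddMembers", "Add-DomainGroupMember"))
    return findings

# Constructed sample DACL for a user object (RIDs: 512 = Domain Admins, 1105 = helpdesk, 1106 = regular user)
DOMAIN_ADMINS, HELPDESK, REGULAR = "S-1-5-21-1-1-1-512", "S-1-5-21-1-1-1-1105", "S-1-5-21-1-1-1-1106"
SAMPLE_DACL = [
    ACE(HELPDESK, ACCESS_DENIED, 0, WRITE_DACL),                                      # explicit deny first
    ACE(DOMAIN_ADMINS, ACCESS_ALLOWED, 0, GENERIC_ALL),                               # full control
    ACE(HELPDESK, ACCESS_ALLOWED, 0, ADS_RIGHT_DS_CONTROL_ACCESS, FORCE_CHANGE_PASSWORD_GUID),
    ACE(REGULAR, ACCESS_ALLOWED, INHERITED_ACE, GENERIC_WRITE),                       # inherited GenericWrite
]
TRUSTED = {DOMAIN_ADMINS}

if __name__ == "__main__":
    print(check_access(SAMPLE_DACL, {HELPDESK}, WRITE_DACL))   # False: explicit deny wins
    for sid, right, cmdlet in audit_dacl(SAMPLE_DACL, TRUSTED):
        print(f"{sid}: {right} (abusable via {cmdlet})")
```

The audit deliberately ignores deny ACEs and anything granted to the trusted set, so its output is exactly the list of ACE entries an enumeration tool would surface as an edge; the inherited GenericWrite on the regular user is the kind of finding a scanner misses because it lives in the parent OU's DACL rather than on the object itself.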
