
ACL Abuse Primer

Access Control List (ACL): defines the authorization each user (or group) has on an object.

ACM (Access Control Mechanism/Model): the way these permissions are applied, covering inheritance rules, overriding, and how the system enforces them.

Access token: created for each logon session, containing information such as the user's SID, privileges, and group memberships.

Access Control Entries (ACEs): the individual settings inside an ACL.

Every object has an ACL, and one ACL can contain multiple ACEs.

Types of ACLs

DACL (Discretionary Access Control List): defines which security principals are granted or denied access to an object

SACL (System Access Control List): allows administrators to log access attempts made to secured objects.

(Figure: SACL)

Access Control Entries (ACEs)

There are three main types: access-denied and access-allowed ACEs (used in a DACL) and system-audit ACEs (used in a SACL).

Each ACE has four components:

  • The security identifier (SID) of the user/group (security principal) that the ACE applies to

  • A flag that defines the type of ACE (access denied, access allowed, or system audit)

  • A set of flags that define whether child objects can inherit the ACE from the parent

  • An access mask, a 32-bit value that defines the rights granted or denied on the object


Some example Active Directory object security permissions are as follows. These can be enumerated (and visualized) using a tool such as BloodHound, and are all abusable with PowerView, among other tools:

  • ForceChangePassword abused with Set-DomainUserPassword

  • Add Members abused with Add-DomainGroupMember

  • GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember

  • GenericWrite abused with Set-DomainObject

  • WriteOwner abused with Set-DomainObjectOwner

  • WriteDACL abused with Add-DomainObjectACL

  • AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember

  • AddSelf abused with Add-DomainGroupMember
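Added example (not code from the original notes): a small Python decoder for SDDL ACE strings that splits each ACE into the four components listed above (type, inheritance flags, access mask, trustee SID) and then reports allowed ACEs that give principals outside an allow-list one of the abusable rights from the list above. The sample DACL, its SIDs and the function names are constructed; the SDDL right abbreviations, access-mask bits and the User-Force-Change-Password GUID are the standard Windows values.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((\w+);(\w*);([^;]*);([^;]*);([^;]*);([^)]+)\)")
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}
# SDDL right abbreviations -> bits of the 32-bit access mask
SDDL_RIGHTS = {"GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
               "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
               "CR": 0x00000100}
MASK_NAMES = {0x10000000: "GenericAll", 0x40000000: "GenericWrite", 0x00080000: "WriteOwner",
              0x00040000: "WriteDacl", 0x00000100: "AllExtendedRights"}
# Well-known extended-right GUID for User-Force-Change-Password
EXTENDED_RIGHTS = {"00299570-246d-11d0-a768-00aa006e0529": "ForceChangePassword"}
ABUSABLE = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
            "AllExtendedRights", "ForceChangePassword"}

def parse_ace(ace):
    """Decode one SDDL ACE into its components: type, inheritance flags, mask, trustee SID."""
    m = ACE_RE.fullmatch(ace.strip())
    if not m:
        raise ValueError(f"not an SDDL ACE: {ace!r}")
    ace_type, flags, rights, obj_guid, _inh_guid, sid = m.groups()
    if rights.startswith("0x"):
        mask = int(rights, 16)                           # hex mask, as AD usually writes it
    else:                                                # concatenated two-letter abbreviations
        mask = 0
        for i in range(0, len(rights), 2):
            mask |= SDDL_RIGHTS.get(rights[i:i + 2], 0)  # unknown abbreviations are ignored
    names = {name for bit, name in MASK_NAMES.items() if mask & bit}
    # A control-access (CR) bit scoped by an object GUID is one extended right, not all of them
    if "AllExtendedRights" in names and obj_guid:
        names.discard("AllExtendedRights")
        names.add(EXTENDED_RIGHTS.get(obj_guid.lower(), "ExtendedRight:" + obj_guid))
    return {"type": ACE_TYPES.get(ace_type, ace_type), "inherit_to_children": "CI" in flags,
            "mask": mask, "rights": names, "sid": sid}

def find_abusable_aces(aces, trusted_sids):
    """Return (sid, right) pairs for allowed ACEs giving an untrusted principal an abusable right."""
    findings = []
    for ace in map(parse_ace, aces):
        if ace["type"] not in ("ACCESS_ALLOWED", "ACCESS_ALLOWED_OBJECT") or ace["sid"] in trusted_sids:
            continue
        findings += [(ace["sid"], r) for r in sorted(ace["rights"] & ABUSABLE)]
    return findings

# Constructed sample DACL (placeholder SIDs, not from a real domain)
SAMPLE_DACL = [
    "(A;CI;0x000f01ff;;;S-1-5-32-544)",                                             # BUILTIN\Administrators
    "(A;;GA;;;S-1-5-21-1111-2222-3333-1105)",                                       # GenericAll to a user
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111-2222-3333-1106)",  # ForceChangePassword
    "(D;;WD;;;S-1-5-21-1111-2222-3333-1107)",                                       # deny ACE, not a finding
]
TRUSTED = {"S-1-5-32-544"}
```

Run `find_abusable_aces(SAMPLE_DACL, TRUSTED)` to list the two principals that would show up as GenericAll and ForceChangePassword edges in BloodHound.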
