Enumerating ACLs with PowerView
We can use PowerView to enumerate ACLs, but the task of digging through all of the results will be extremely time-consuming and likely inaccurate.
Enumerating ACLs with BloodHound
Upload gathered Data to BloodHound. Set the
wley user as our starting node, select the
Node Info tab and scroll down to
Outbound Control Rights. This option will show us objects we have control over directly, via group membership, and the number of objects that our user could lead to us controlling via ACL attack paths under
Transitive Object Control. If we click on the
1 next to
First Degree Object Control, we see the first set of rights that we enumerated,
ForceChangePassword over the
If we right-click on the line between the two objects, a menu will pop up. If we select
Help, we will be presented with help around abusing this ACE, including:
- More info on the specific right, tools, and commands that can be used to pull off this attack
- Operational Security (Opsec) considerations
- External references.
If we click on the
16 next to
Transitive Object Control, we will see the entire path that we painstakingly enumerated above. From here, we could leverage the help menus for each edge to find ways to best pull off each attack.
Finally, we can use the pre-built queries in BloodHound to confirm that the
adunn user has DCSync rights.