https://leikah.haoyingcao.xyz/en/tags/acl-abuse/Recent content in ACL Abuse on LEIKAHHugoenhttps://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/group/Mon, 01 Jan 0001 00:00:00 +0000https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/group/<p>Member principals within a Active Directory group automatically inherits the accesses and privileges granted to that group. If the principal we control have sufficient privileges over a group (<code>GenericAll</code>, <code>GenericWrite</code>, <code>AllExtendedRights</code> or <code>Self-Membership</code>), we can add another principal (e.g. a low-priv user) to the group so the principal inherits all access rights granted to the group.</p> <h2 id="linux-perspective">Linux Perspective<a class="td-heading-self-link" href="#linux-perspective" aria-label="Heading self-link"></a></h2> <p>From a Linux attacker machine, we can use bloodyAD to add a user to a group.</p>https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/control_over_user/Mon, 01 Jan 0001 00:00:00 +0000https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/control_over_user/<h2 id="force-change-password">Force Change Password<a class="td-heading-self-link" href="#force-change-password" aria-label="Heading self-link"></a></h2> <p>The most naive method is to simply change that user&rsquo;s password. With <code>ForceChangePassword</code> access, which is included with <code>GenericAll</code> access on a user, we should be able to change that user&rsquo;s password without knowing their current password.</p> <div class="alert alert-primary" role="alert"><div class="h4 alert-heading" role="heading">Note</div> <p>Change an account&rsquo;s password is considered <strong>destructive</strong> to the environment due to the potential disruption it may cause. With the account&rsquo;s password changed, Users may not be able to log in. If the account is a service account, the service can become unavailable. During real-life engagements, only use this technique if written consent from the client is obtained.</p>https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/Mon, 01 Jan 0001 00:00:00 +0000https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/<p>Permissions in Active Directory are controlled through <strong>Access Control Lists (ACL)</strong>. Each security principal (user, group, process) has a corresponding ACL. ACLs define both who has access to which assets or resource, and what level of access they are granted. ACLs are made up of <strong>Access Control Entries (ACE)</strong> that explicity allow and/or deny users or groups from access.</p> <p>If misconfigured, ACLs can be leveraged by attackers to achieve lateral movement or privilege escalation inside the domain. The abuse of ACL access rights are dependent on the specific access granted to the attacking user.</p>https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/gmsa/Mon, 01 Jan 0001 00:00:00 +0000https://leikah.haoyingcao.xyz/en/docs/active_directory/movement/acl_abuse/gmsa/<p>The need to protect service accounts against attacks such as Kerberoasting gave rise to <strong>Managed Service Accounts (MSA)</strong> and later <strong>Group Managed Service Accounts (gMSA)</strong>. While both supports automatic password generation and rotation, the latter allows the same service accounts to be used acrossed different machines.</p> <p>Members of the group that manage the gMSA are intended to be the machine accounts of the computers where the service account will be deployed on. Members have the ability to read the password hash of the service account (<code>ReadGMSAPassword</code>).</p>