AD AccessControlRights
The Active Directory Access Control List (AD ACL) is one of those rarely explained security risks with a profound impact. The root vulnerability behind many Active Directory attacks comes down to weak permissions on AD objects. Domain lateral movement, escalation of domain privileges, and DCSync attacks are only possible through abusing the Active Directory Access Control List.
The "AD-PowerAdmin_AdAccessRights" module adds features to audit AD ACL for risks that an attacker may leverage.
Recommended reading: The Active Directory Access Control List Explained
The AD-PowerAdmin ACL audit tools will find ACEs that may pose a security risk. However, there are many expected "high-risk" ACEs within the root domain ACL. For example, the Domain Admins group has "GenericAll" rights to everything, so any Domain Admin account will appear in the audit. The goal of this tool is not to eliminate all high-risk ACEs but instead to confirm that the AD accounts and computers listed are the ones you expect to be there. Are there non-admin accounts showing up in the report? Are non-domain-controller computers showing up in the Domain Controllers group?
Audit AD objects with DCSync rights ACEs on the root domain.
Example Output
```
-- ACE# 1 --
"ACME\Domain Controllers" has the following ACE:

SecurityPrincipal       : ACME\Domain Controllers
Access                  : Allow
AdRights                : ExtendedRight
RightObjectName         : DS-Replication-Get-Changes-All
Inheritance             : None
InheritedObjectTypeName : Any

The "ACME\Domain Controllers" group has Allow ExtendedRight rights of "DS-Replication-Get-Changes-All" on "DC=acme,DC=com", but NO child objects of "DC=acme,DC=com".
The following AD objects are members of the "acme\Domain Controllers" and can use this right.

SamAccountName RightObjectName                InheritedRightFrom      AceApplicableTo
-------------- ---------------                ------------------      ---------------
FL-222$        DS-Replication-Get-Changes-All ACME\Domain Controllers DC=acme,DC=com

-- ACE# 2 --
"BUILTIN\Administrators" has the following ACE:

SecurityPrincipal       : BUILTIN\Administrators
Access                  : Allow
AdRights                : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
RightObjectName         : All
Inheritance             : All
InheritedObjectTypeName : Any

The "BUILTIN\Administrators" group has Allow CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner rights to "All" objects, object attributes, and ExtendedRights on "DC=acme,DC=com", and all child descendent objects of "DC=acme,DC=com", with the AD objectClass of "Any".
The following AD objects are members of the "BUILTIN\Administrators" and can use this right.

SamAccountName RightObjectName InheritedRightFrom     AceApplicableTo
-------------- --------------- ------------------     ---------------
Administrator  All             BUILTIN\Administrators DC=acme,DC=com
ADPowerAdmMSA$ All             BUILTIN\Administrators DC=acme,DC=com
test.admin     All             BUILTIN\Administrators DC=acme,DC=com
```
Audit AD objects with high-risk ACEs on the root domain. Discover basic user accounts that inadvertently have more permissions than they should. Think of this as a less intrusive, more basic version of BloodHound without the pretty graphics.
Example Output
```
-- ACE# 1 --
"BUILTIN\Administrators" has the following ACE:

SecurityPrincipal       : BUILTIN\Administrators
Access                  : Allow
AdRights                : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
RightObjectName         : All
Inheritance             : All
InheritedObjectTypeName : Any

The "BUILTIN\Administrators" group has Allow CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner rights to "All" objects, object attributes, and ExtendedRights on "DC=ACME,DC=com", and all child descendent objects of "DC=ACME,DC=com", with the AD objectClass of "Any".
The following AD objects are members of the "BUILTIN\Administrators" and can use this right.

SamAccountName RightObjectName InheritedRightFrom     AceApplicableTo
-------------- --------------- ------------------     ---------------
Administrator  All             BUILTIN\Administrators DC=ACME,DC=com
ADPowerAdmMSA$ All             BUILTIN\Administrators DC=ACME,DC=com
test.admin     All             BUILTIN\Administrators DC=ACME,DC=com

-- ACE# 2 --
"ACME\Domain Admins" has the following ACE:

SecurityPrincipal       : ACME\Domain Admins
Access                  : Allow
AdRights                : CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
RightObjectName         : All
Inheritance             : None
InheritedObjectTypeName : Any

The "ACME\Domain Admins" group has Allow CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner rights to "All" objects, object attributes, and ExtendedRights on "DC=ACME,DC=com", but NO child objects of "DC=ACME,DC=com".
The following AD objects are members of the "ACME\Domain Admins" and can use this right.

SamAccountName RightObjectName InheritedRightFrom AceApplicableTo
-------------- --------------- ------------------ ---------------
test.admin     All             ACME\Domain Admins DC=ACME,DC=com
ADPowerAdmMSA$ All             ACME\Domain Admins DC=ACME,DC=com
```
Under the hood, several functions gather, enrich, and display the ACE/ACL data. The two audit tools described above (DcSync and High-Risk ACE Audit) use AD-PowerAdmin's "Get-AdAcl" function, filter for ACEs that match their criteria, send the selected ACL data to the "Get-ExtendedAcl" function, and lastly send the enriched data to one of the "Out-AclDetails" or "Out-AclDetailsLite" functions.
Alternatively, you can import the "AD-PowerAdmin_AdAccessRights" module on its own and use the commands in your own PowerShell script or console.
```powershell
git clone https://github.com/Brets0150/AD-PowerAdmin.git
cd ./AD-PowerAdmin
Import-Module .\Modules\AD-PowerAdmin_AdAccessRights.psd1 -Force
Get-AdAcl -AdObjectPath 'OU=Network.Groups,DC=acme,DC=com' | Get-ExtendedAcl

# There will be many ACEs, but I am only showing one here as an example.
AceApplicableTo          : OU=Network.Groups,DC=acme,DC=com
SecurityPrincipal        : BUILTIN\Pre-Windows 2000 Compatible Access
AdRights                 : ListChildren
Access                   : Allow
RightObjectName          : All
IsInherited              : True
Inheritance              : All
InheritedObjectTypeName  : Any
ExplainAce               : The "BUILTIN\Pre-Windows 2000 Compatible Access" group has Allow ListChildren rights to "All" objects, object attributes, and ExtendedRights on
                           "OU=Network.Groups,DC=acme,DC=com", and all child descendent objects of "OU=Network.Groups,DC=acme,DC=com", with the AD objectClass of "Any".
SecurityPrincipalMembers : {@{SamAccountName=FL-222$; DistinguishedName=CN=FL-222,OU=Domain Controllers,DC=acme,DC=com; ObjectType=computer; RightObjectName=All; AdRights=ListChildren;
                           InheritedRightFrom=BUILTIN\Pre-Windows 2000 Compatible Access; AceApplicableTo=OU=Network.Groups,DC=acme,DC=com}}
```
- Get-AdAcl - Get the ACL of an AD object and return an array of ACE hashtables (an AD-optimized version of Get-Acl).
- Get-ExtendedAcl - Convert an ACE into human-readable form, enumerate who can use the ACE, and create an easy-to-follow explanation of what the ACE does.
- Get-AdGuid - Return a variable containing AD GUIDs, their human-readable name, and their objectClass.
- Out-AclDetails - Display ACE data in an easy-to-follow manner: show the ACE, which users can use it, and how the ACE is inherited. Suitable for unfiltered ACE lists.
- Out-AclDetailsLite - Display only the users who can leverage an ACE. Best for filtered results: filter for users with DcSync rights, then output that user list only.
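The audits above report every principal holding DCSync or takeover rights and leave it to you to decide which ones are expected. The script below is an added example, not part of AD-PowerAdmin, that automates that last step: it composes Get-AdAcl and Get-ExtendedAcl the same way the built-in audits do, then reports only the principals that are not members of the groups you expect to hold those rights. It assumes the module is importable from the cloned repository path shown earlier, that Get-AdAcl accepts -AdObjectPath and Get-ExtendedAcl emits the properties shown in the output above (Access, AdRights, RightObjectName, AceApplicableTo, SecurityPrincipalMembers), and that the ActiveDirectory module is available for Get-ADDomain and Get-ADGroupMember. The list in $expectedGroups is an assumption for a default forest; adjust it to yours.

```powershell
# Added example (not AD-PowerAdmin code): report principals that hold DCSync or
# object-takeover rights on the domain root but are not in an expected group.
# Assumes Get-AdAcl / Get-ExtendedAcl return the properties shown in the README output.
Import-Module .\Modules\AD-PowerAdmin_AdAccessRights.psd1 -Force
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Groups whose recursive membership is expected to carry these rights (assumed defaults;
# adjust per forest). Every member of an ACE that is outside this set gets reported.
$expectedGroups = @('Domain Controllers', 'Domain Admins', 'Enterprise Admins', 'Administrators')
$expected = foreach ($g in $expectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
$expected = @($expected | Sort-Object -Unique)

# DCSync needs the DS-Replication-Get-Changes* extended rights, which an ACE grants either
# by naming them (RightObjectName) or by granting ExtendedRight/GenericAll on "All".
$dcSyncNamed    = '^DS-Replication-Get-Changes'
$dcSyncBlanket  = 'ExtendedRight|GenericAll'
# Rights on "All" that let a principal take over the object and rewrite its ACL.
$takeoverRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty'

$aces = Get-AdAcl -AdObjectPath $domainDn | Get-ExtendedAcl

$findings = foreach ($ace in $aces) {
    if ($ace.Access -ne 'Allow') { continue }
    $rights     = "$($ace.AdRights)"          # stringify whether enum or string
    $onAll      = $ace.RightObjectName -eq 'All'
    $isDcSync   = ($ace.RightObjectName -match $dcSyncNamed) -or ($onAll -and $rights -match $dcSyncBlanket)
    $isTakeover = $onAll -and ($rights -match $takeoverRights)
    if (-not ($isDcSync -or $isTakeover)) { continue }

    foreach ($member in $ace.SecurityPrincipalMembers) {
        if ($expected -contains $member.SamAccountName) { continue }   # expected, skip
        [pscustomobject]@{
            Category           = if ($isDcSync) { 'DCSync' } else { 'Takeover' }
            SamAccountName     = $member.SamAccountName
            ObjectType         = $member.ObjectType
            AdRights           = $rights
            RightObjectName    = $ace.RightObjectName
            InheritedRightFrom = $member.InheritedRightFrom
            AceApplicableTo    = $ace.AceApplicableTo
        }
    }
}

if ($findings) {
    $findings | Sort-Object Category, SamAccountName -Unique | Format-Table -AutoSize
} else {
    Write-Host "No unexpected principals hold DCSync or takeover rights on $domainDn"
}
```

Run it from the repository root so the relative module path resolves. An empty result means every principal the audit found is covered by your expected groups; anything listed is worth tracing back through InheritedRightFrom to the group or direct ACE that granted it, exactly as the Out-AclDetails output does.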