analyzing-active-directory-acl-abuse


Overview


Active Directory Access Control Lists (ACLs) define permissions on AD objects through Discretionary Access Control Lists (DACLs) containing Access Control Entries (ACEs). Misconfigured ACEs can grant non-privileged users dangerous permissions such as GenericAll (full control), WriteDACL (modify permissions), WriteOwner (take ownership), and GenericWrite (modify attributes) on sensitive objects like Domain Admins groups, domain controllers, or GPOs.
This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound.

Prerequisites


  • Python 3.9 or later with the ldap3 library (pip install ldap3)
  • Domain user credentials with read access to AD objects
  • Network connectivity to Domain Controller on port 389 (LDAP) or 636 (LDAPS)
  • Understanding of Active Directory security model and SDDL format

Steps


  1. Connect to Domain Controller: Establish an LDAP connection using ldap3 with NTLM or simple authentication. Use LDAPS (port 636) for encrypted connections in production.
  2. Query target objects: Search the target OU or entire domain for objects including users, groups, computers, and OUs. Request the nTSecurityDescriptor, distinguishedName, objectClass, and sAMAccountName attributes.
  3. Parse security descriptors: Convert the binary nTSecurityDescriptor into its SDDL string representation. Parse each ACE in the DACL to extract the trustee SID, access mask, and ACE type (allow/deny).
  4. Resolve SIDs to principals: Map security identifiers (SIDs) to human-readable account names using LDAP lookups against the domain. Identify well-known SIDs for built-in groups.
  5. Check for dangerous permissions: Compare each ACE's access mask against dangerous permission bitmasks: GenericAll (0x10000000), WriteDACL (0x00040000), WriteOwner (0x00080000), GenericWrite (0x40000000), and WriteProperty for specific extended rights.
  6. Filter non-admin trustees: Exclude expected administrative trustees (Domain Admins, Enterprise Admins, SYSTEM, Administrators) and flag ACEs where non-privileged users or groups hold dangerous permissions.
  7. Map attack paths: For each finding, document the potential attack chain (e.g., GenericAll on user allows password reset, WriteDACL on group allows adding self to group).
  8. Generate remediation report: Output a JSON report with all dangerous ACEs, affected objects, non-admin trustees, and recommended remediation steps.
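The parsing and filtering of steps 3, 5 and 6 as an added example, not the skill's own code: it decodes the raw self-relative nTSecurityDescriptor that ldap3 returns (entry["nTSecurityDescriptor"].raw_values[0]), walks the DACL, and reports allow ACEs whose mask carries a dangerous bit for a trustee outside the expected admin set. The build_sd helper, the domain SID and the helpdesk RID 1105 are constructed test data so the block runs offline without a Domain Controller.

```python
import struct

DANGEROUS = {"GenericAll": 0x10000000, "GenericWrite": 0x40000000,
             "WriteDACL": 0x00040000, "WriteOwner": 0x00080000}
ALLOW_TYPES = {0x00: "ACCESS_ALLOWED", 0x05: "ACCESS_ALLOWED_OBJECT"}
# Expected admin trustees: SYSTEM, plus Domain Admins (-512), Enterprise Admins (-519), Administrators (-544)
ADMIN_SIDS, ADMIN_RIDS = {"S-1-5-18"}, ("-512", "-519", "-544")

def parse_sid(buf, off):  # binary SID: revision, sub-authority count, 6-byte BE authority, LE sub-authorities
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return (ace_type, access_mask, trustee_sid) for each DACL entry; [] for a NULL DACL."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]  # SD header: rev, sbz1, control, owner, group, sacl, dacl
    if dacl_off == 0:
        return []
    off, aces = dacl_off + 8, []  # skip ACL header: revision, sbz1, size, ace_count, sbz2
    for _ in range(struct.unpack_from("<H", sd, dacl_off + 4)[0]):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, off)
        mask, sid_off = struct.unpack_from("<I", sd, off + 4)[0], off + 8
        if ace_type in (0x05, 0x06):  # object ACE: Flags plus up to two optional GUIDs precede the SID
            sid_off = off + 12 + 16 * bin(struct.unpack_from("<I", sd, off + 8)[0] & 3).count("1")
        aces.append((ace_type, mask, parse_sid(sd, sid_off)))
        off += size
    return aces

def dangerous_aces(sd):
    """Allow ACEs that grant a dangerous right to a trustee outside the expected admin set."""
    findings = []
    for ace_type, mask, sid in parse_dacl(sd):
        perms = [name for name, bit in DANGEROUS.items() if mask & bit]
        if ace_type in ALLOW_TYPES and perms and sid not in ADMIN_SIDS and not sid.endswith(ADMIN_RIDS):
            findings.append({"trustee_sid": sid, "permissions": perms,
                             "access_mask": "0x%08X" % mask, "ace_type": ALLOW_TYPES[ace_type]})
    return findings

def build_sd(aces):  # constructed test data: minimal self-relative SD holding only a DACL of plain ACEs
    body = b""
    for ace_type, mask, sid in aces:
        p = [int(x) for x in sid.split("-")[1:]]  # revision, authority, sub-authorities
        sid_b = bytes([p[0], len(p) - 2]) + p[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(p) - 2), *p[2:])
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_b), mask) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl  # SE_DACL_PRESENT | SE_SELF_RELATIVE

SAMPLE_SD = build_sd([(0x00, 0x10000000, "S-1-5-21-1111-2222-3333-512"),   # Domain Admins: expected
                      (0x00, 0x10000000, "S-1-5-21-1111-2222-3333-1105"),  # constructed helpdesk group
                      (0x01, 0x40000000, "S-1-5-21-1111-2222-3333-1106")]) # deny ACE: not a grant
```

For a non-admin reader the DC omits the attribute unless the search asks for the DACL only, so pass ldap3.protocol.microsoft.security_descriptor_control(sdflags=0x04) in the search's controls. Real AD ACEs usually store generic rights already mapped to specific bits (full control appears as 0x000F01FF rather than the GenericAll bit), so a production check should also match those mapped masks.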

Expected Output


```json
{
  "domain": "corp.example.com",
  "objects_scanned": 1247,
  "dangerous_aces_found": 8,
  "findings": [
    {
      "severity": "critical",
      "target_object": "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com",
      "target_type": "group",
      "trustee": "CORP\\helpdesk-team",
      "permission": "GenericAll",
      "access_mask": "0x10000000",
      "ace_type": "ACCESS_ALLOWED",
      "attack_path": "GenericAll on Domain Admins group allows adding arbitrary members",
      "remediation": "Remove GenericAll ACE for helpdesk-team on Domain Admins"
    }
  ]
}
```