INTRODUCTION
ACL (Access Control List) enumeration is a critical part of understanding permissions and potential attack paths within an Active Directory (AD) environment. Every AD object carries a DACL made up of ACEs; an ACE that grants a principal you already control rights such as GenericAll, WriteDacl, WriteOwner, User-Force-Change-Password or Self-Membership over another object is a usable attack path. This cheat sheet covers the use of PowerView for manual enumeration and BloodHound for graphical representation and attack path discovery. The PowerView commands below need a session that can reach a domain controller as a domain user (a domain-joined host, or a PowerShell window started with runas /netonly).
STEP 1: CONVERT USERNAMES TO SIDS AND RETRIEVE ACLS
- Import the PowerView module (in the current dev branch of PowerView, Convert-NameToSid is an alias of ConvertTo-SID; both take the principal name as their first argument):
Import-Module .\PowerView.ps1
- Convert a username to its SID:
$sid = Convert-NameToSid mthompson
- Get every ACE in the domain whose trustee is that SID (the filter runs client-side over all objects, so in a large domain run the query once and keep the result in a variable rather than repeating it per principal):
Get-DomainObjectACL -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid}
- Convert GUID values to a human-readable format. Without -ResolveGUIDs, ObjectAceType is a raw rights or schema GUID; with it, PowerView maps the GUID to the name of the extended right or attribute (for example User-Force-Change-Password):
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid}
STEP 2: WORK WITH SPECIFIC GUIDS
When an ACE shows a raw GUID in ObjectAceType, or you want to confirm what -ResolveGUIDs reported, look the GUID up in the Extended-Rights container of the configuration naming context, where each controlAccessRight object stores its rightsGuid. Get-ADObject and Get-ADRootDSE belong to the ActiveDirectory RSAT module, not to PowerView, so this step needs that module installed. A GUID with no match there is usually an attribute's schemaIDGUID (a WriteProperty ACE scoped to one attribute), which lives in the schema naming context instead.
- Set the GUID:
$guid = "3e0abfd0-1261-11d0-a060-00aa006c33ed"
- Find the mapping:
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select-Object Name,DisplayName,DistinguishedName,rightsGuid | Where-Object {$_.rightsGuid -eq $guid} | Format-List
STEP 3: REPEAT FOR ADDITIONAL USERS AND GROUPS
Rights are frequently granted to a group rather than to a user directly, so for each compromised user also resolve the groups it belongs to (including nested ones) and repeat the lookup for each of those SIDs. Convert-NameToSid accepts group names as well as user names.
- Convert another username to SID:
$sid2 = Convert-NameToSid nwalker
- Enumerate rights:
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid2}
- Check group nesting (which groups this group is itself a member of):
Get-DomainGroup -Identity "Finance Team" | Select-Object memberof
- Convert a group name to SID:
$securityGroupSID = Convert-NameToSid "Security Operations"
- Enumerate rights:
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $securityGroupSID}
- Convert another username to SID:
$jdoeSID = Convert-NameToSid jdoe
- Enumerate rights:
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $jdoeSID}
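The three steps above, folded into one script as an added example (this is not code from the original cheat sheet or from PowerView itself). It queries the domain's DACLs once, resolves each principal on the page to its SID plus the SIDs of every group it is nested in, keeps only the ACE types that matter for attack paths, and includes a GUID lookup that uses plain ADSI so Step 2 works without the RSAT ActiveDirectory module. Assumptions: PowerView.ps1 (dev branch) is in the current directory, the session can reach a DC, and the principal names are the placeholder names used on this page.

```powershell
# Added example, not part of the original page or of PowerView.
# Assumes .\PowerView.ps1 (dev branch) and a session that can reach a DC.
Import-Module .\PowerView.ps1

# Placeholder principals taken from this cheat sheet, not real accounts.
$principals = @('mthompson', 'nwalker', 'jdoe', 'Security Operations')

# Rights and ACE types that translate into attack paths: full control,
# DACL/owner takeover, password reset, adding self to a group, DCSync.
$interestingRights   = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'
$interestingAceTypes = '^(All|Member|Self-Membership|User-Force-Change-Password|DS-Replication-Get-Changes.*)$'

# One pass over every object's DACL with GUIDs resolved; re-running
# Get-DomainObjectACL -Identity * per principal is what makes Step 3 slow.
$allAces = Get-DomainObjectACL -Identity * -ResolveGUIDs

function Get-PrincipalSids {
    # SID of the principal plus the SIDs of all groups it belongs to through
    # the member attribute, nested included (LDAP_MATCHING_RULE_IN_CHAIN).
    # Caveat: the primary group (usually Domain Users) and well-known SIDs such
    # as Authenticated Users are not expressed via member and are not returned.
    param([Parameter(Mandatory)][string]$Name)
    $sids  = @(Convert-NameToSid $Name)
    $sids += Get-DomainGroup -MemberIdentity $Name | Select-Object -ExpandProperty objectsid
    $sids | Where-Object { $_ } | Sort-Object -Unique
}

function Resolve-RightsGuid {
    # Step 2 without RSAT: map a raw GUID from ObjectAceType to its name.
    param([Parameter(Mandatory)][guid]$Guid)
    $rootDse = [ADSI]'LDAP://RootDSE'
    # Extended rights and validated writes: controlAccessRight objects keyed by
    # the string attribute rightsGuid under CN=Extended-Rights in the config NC.
    $erRoot   = [ADSI]"LDAP://CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $erSearch = New-Object System.DirectoryServices.DirectorySearcher($erRoot, "(rightsGuid=$Guid)")
    $er = $erSearch.FindOne()
    if ($er) { return [pscustomobject]@{ Guid = $Guid; Name = $er.Properties['name'][0]; Kind = 'ControlAccessRight' } }
    # Attribute and class GUIDs are schemaIDGUID values in the schema NC. That
    # attribute is binary, so each byte of the GUID must be hex-escaped (\xx).
    $escaped  = -join ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
    $scRoot   = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $scSearch = New-Object System.DirectoryServices.DirectorySearcher($scRoot, "(schemaIDGUID=$escaped)")
    $sc = $scSearch.FindOne()
    if ($sc) { return [pscustomobject]@{ Guid = $Guid; Name = $sc.Properties['name'][0]; Kind = 'SchemaObject' } }
    [pscustomobject]@{ Guid = $Guid; Name = $null; Kind = 'Unknown' }
}

$findings = foreach ($p in $principals) {
    $sidSet = Get-PrincipalSids -Name $p
    foreach ($ace in $allAces) {
        # Plain (non-object) ACEs carry no ObjectAceType; they apply to the whole object.
        $aceType = if ($ace.PSObject.Properties['ObjectAceType']) { [string]$ace.ObjectAceType } else { 'All' }
        if ($ace.AceQualifier -eq 'AccessAllowed' -and
            $sidSet -contains $ace.SecurityIdentifier.Value -and
            $ace.ActiveDirectoryRights -match $interestingRights -and
            $aceType -match $interestingAceTypes) {
            [pscustomobject]@{
                Principal = $p
                ViaSid    = $ace.SecurityIdentifier.Value   # the user's own SID or a group it is nested in
                Target    = $ace.ObjectDN
                Rights    = $ace.ActiveDirectoryRights
                AceType   = $aceType
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Principal, Target | Format-Table -AutoSize

# Example of the Step 2 lookup for the GUID quoted on this page:
Resolve-RightsGuid -Guid '3e0abfd0-1261-11d0-a060-00aa006c33ed'
```

The ViaSid column tells you whether a right is held by the user directly or inherited through a group, which is the information BloodHound draws as a chain of MemberOf edges ending in the ACL edge. Because the member attribute does not express primary-group membership or well-known identities (Everyone, Authenticated Users, Domain Users), add those SIDs to the set by hand if you want a complete picture for a given user.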