ACL Enumeration

Introduction¶

ACL (Access Control List) enumeration is a critical step in understanding permissions and potential attack paths within an Active Directory (AD) environment.
This cheat sheet covers the use of PowerView for manual enumeration and BloodHound for graphical representation and attack path discovery.

Step 1: Convert Usernames to SIDs and Retrieve ACLs¶

Import the PowerView module
```
Import-Module .\PowerView.ps1
```

Convert a username to a SID

$userSID = Convert-UserToSID -Username mthompson

Get domain object ACLs for that SID

Get-DomainObjectACL -Identity * | Where-Object {$_.SecurityIdentifier -eq $userSID}

Resolve GUID values into human-readable format

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Step 2: Work with Specific GUIDs¶

Set a GUID

$guid = "3e0abfd0-1261-11d0-a060-00aa006c33ed"

Find its mapping in AD

Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select-Object Name,DisplayName,DistinguishedName,rightsGuid | Where-Object {$_.rightsGuid -eq $guid} | Format-List

Step 3: Repeat for Additional Users and Groups¶

Convert another username to SID

$sid2 = Convert-NameToSid -Username nwalker

Enumerate rights for that SID

Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid2} -Verbose

Check group nesting

Get-DomainGroup -Identity "Finance Team" | Select-Object memberof

Convert a group name to SID

$securityGroupSID = Convert-NameToSid -Username "Security Operations"

Enumerate rights for that group SID

Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $securityGroupSID} -Verbose

Convert another username to SID

$jdoeSID = Convert-NameToSid -Username jdoe

Enumerate rights for that SID

Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $jdoeSID} -Verbose