
Active Directory ACL Abuse API Reference

ldap3 Python Connection

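import os

from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
from ldap3.protocol.microsoft import security_descriptor_control

# Bind over LDAPS (636). With use_ssl=False the NTLM exchange and every
# result -- including the security descriptors you are harvesting -- cross
# the wire in cleartext, and a DC that enforces LDAP signing / channel
# binding will reject the session anyway.
# NOTE: ldap3's default Tls() does not validate the DC certificate; outside a
# lab pass tls=Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=...) to Server().
server = Server("192.168.1.10", port=636, get_info=ALL, use_ssl=True)

# Never hard-code credentials in a reference snippet that gets copied around;
# read them from the environment (AD_USER is "DOMAIN\\user").
conn = Connection(
    server,
    user=os.environ["AD_USER"],
    password=os.environ["AD_PASSWORD"],
    authentication=NTLM,
    auto_bind=True,  # raises LDAPBindError instead of silently continuing unbound
)

# Ask the DC for OWNER|GROUP|DACL only (sdflags=0x07). Without the
# LDAP_SERVER_SD_FLAGS control the server tries to return the SACL as well,
# which a non-privileged account is not allowed to read, so
# nTSecurityDescriptor comes back empty for exactly the low-privilege
# principals this enumeration is meant to run as.
sd_controls = security_descriptor_control(sdflags=0x07)

# Search with nTSecurityDescriptor
ok = conn.search(
    "DC=corp,DC=example,DC=com",
    "(objectClass=group)",
    search_scope=SUBTREE,
    attributes=["distinguishedName", "sAMAccountName",
                "objectClass", "nTSecurityDescriptor"],
    controls=sd_controls,
)
if not ok:
    # conn.search() returns False on any non-success result (size limit,
    # referral, insufficient access, ...); surface it instead of iterating
    # over a partial or empty conn.entries.
    raise RuntimeError(f"LDAP search failed: {conn.result}")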

SDDL ACE Format

ACE String: (ace_type;ace_flags;rights;object_guid;inherit_guid;trustee_sid)
Example:    (A;;GA;;;S-1-5-21-xxx-512)
Component Description
A Access Allowed (ace_type)
D Access Denied (ace_type)
OA Object Access Allowed (ace_type; the ACE carries an object_guid that scopes the right to one property or extended right)
GA Generic All (rights)
GW Generic Write (rights)
WD Write DACL (rights)
WO Write Owner (rights)
Note: when a mask has no two-letter abbreviation the rights field is printed as a hex value (e.g. `0x00000020`) — see the bitmask table below.

Dangerous Permission Bitmasks

Permission Hex Mask Risk
GenericAll 0x10000000 Full control over object
GenericWrite 0x40000000 Modify all writable attributes
WriteDACL 0x00040000 Modify object permissions
WriteOwner 0x00080000 Take object ownership
WriteProperty 0x00000020 Write specific properties. Only dangerous in combination with the ACE's object_guid: an empty GUID means every property; `bf9679c0-0de6-11d0-a285-00aa003049e2` (member) means the trustee can add members; `3f78c3e5-f79a-46bd-a0b8-9d18116ddc79` (msDS-AllowedToActOnBehalfOfOtherIdentity) means RBCD on a computer
ExtendedRight 0x00000100 Extended rights (password reset, etc.). Likewise GUID-scoped: empty GUID = all extended rights; `00299570-246d-11d0-a768-00aa006e0529` = User-Force-Change-Password
Self 0x00000008 Self-membership modification (with the member GUID: the trustee can add itself to the group)
Delete 0x00010000 Delete the object

BloodHound Cypher Queries for ACL Paths

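// Find all users with GenericAll on Domain Admins
// (Cypher comments are //; SQL-style -- is a syntax error in Neo4j)
MATCH p=(n:User)-[:GenericAll]->(g:Group {name:"DOMAIN ADMINS@CORP.COM"})
RETURN p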

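// Find WriteDACL / WriteOwner / GenericAll paths from non-admin users to
// high-value groups. The unbounded *1.. can stall on large graphs; cap it
// (e.g. *1..5) if the query does not return.
// NOTE: BloodHound CE marks Tier Zero via system_tags rather than
// highvalue -- adjust the WHERE clause for that schema.
MATCH (n:User {admincount:false})
MATCH p=allShortestPaths((n)-[:WriteDacl|WriteOwner|GenericAll*1..]->(m:Group))
WHERE m.highvalue = true
RETURN p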

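// Find non-admin users with an edge on a computer that lets them write
// msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD). GenericWrite is not the
// only such edge: GenericAll, WriteDacl/WriteOwner (grant yourself the
// right first), AddAllowedToAct and WriteAccountRestrictions all reach it.
// coalesce() keeps users whose admincount was never collected (null);
// "NOT n.admincount" would silently drop them.
MATCH (n:User)-[r:GenericWrite|GenericAll|WriteDacl|WriteOwner|AddAllowedToAct|WriteAccountRestrictions]->(c:Computer)
WHERE coalesce(n.admincount, false) = false
RETURN n.name, type(r), c.name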

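// Enumerate all outbound ACL edges for a principal (user or group).
// The five generic edges alone miss the object-specific ones BloodHound
// derives from WriteProperty/ExtendedRight ACEs, so list those too.
MATCH (n {name:"HELPDESK@CORP.COM"})-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|AddMember|AddSelf|ForceChangePassword|AllExtendedRights|WriteSPN|AddKeyCredentialLink|AddAllowedToAct|WriteAccountRestrictions]->(m)
RETURN type(r) AS edge, m.name AS target, labels(m) AS kind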

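// Find the shortest ACL abuse path from one user to Domain Admins.
// AddMember / AddSelf / AllExtendedRights are included because they end
// a path just as directly as GenericAll does.
MATCH (n:User {name:"JSMITH@CORP.COM"})
MATCH (da:Group {name:"DOMAIN ADMINS@CORP.COM"})
MATCH p=shortestPath((n)-[:MemberOf|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|ForceChangePassword|AddMember|AddSelf|AllExtendedRights*1..]->(da))
RETURN p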

PowerView Commands for ACL Enumeration

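# Get the DACL of the Domain Admins group. Get-DomainObjectAcl reports the
# trustee only as a raw SID (SecurityIdentifier); attach the resolved name
# so the output can be read without a second lookup per ACE.
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs |
    ForEach-Object {
        $_ | Add-Member -MemberType NoteProperty -Name Identity `
            -Value (ConvertFrom-SID $_.SecurityIdentifier) -PassThru
    }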

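# Find interesting ACEs held by non-built-in principals
# (Find-InterestingDomainAcl already drops well-known SIDs such as
# Domain Admins / SYSTEM). Filtering on GenericAll|WriteDacl|WriteOwner
# alone throws away the GUID-scoped WriteProperty / ExtendedRight ACEs
# that are just as abusable (AddMember, RBCD, shadow credentials,
# password reset, DCSync) -- keep those when ObjectAceType is the
# all-properties marker ("All") or one of the dangerous targets.
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
    ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner") -or
    ($_.ActiveDirectoryRights -match "WriteProperty|Self" -and
        $_.ObjectAceType -match "^All$|^Member$|Allowed-?To-?Act|Key-?Credential-?Link") -or
    ($_.ActiveDirectoryRights -match "ExtendedRight" -and
        $_.ObjectAceType -match "^All$|User-Force-Change-Password|DS-Replication-Get-Changes")
}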

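# Get the ACL of the OU object itself. -SearchBase alone searches the
# whole subtree, so the original form returned the DACL of every object
# *under* the OU rather than the OU's own DACL (the one whose inheritable
# ACEs propagate to those children).
Get-DomainObjectAcl -Identity "OU=Servers,DC=corp,DC=com" -ResolveGUIDs

# To review what the children have actually inherited, widen the scope explicitly:
# Get-DomainObjectAcl -SearchBase "OU=Servers,DC=corp,DC=com" -SearchScope Subtree -ResolveGUIDs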