📖ACL exploitation

For security reasons, not all users and computers in an AD environment can access all objects and files. These types of permissions are controlled through Access Control Lists (ACLs).

In their simplest form, ACLs are lists that define a) who has access to which asset/resource and b) the level of access they are granted. The individual settings in an ACL are called Access Control Entries (ACEs). Each ACE maps back to a user, group, or process (also known as security principals) and defines the rights granted to that principal.

The two types of ACLs are:

  1. Discretionary Access Control List (DACL) - defines which security principals are granted or denied access to an object. DACLs are made up of ACEs that either allow or deny access. When someone attempts to access an object, the system will check the DACL for the level of access that is permitted.

  2. System Access Control List (SACL) - allows administrators to log access attempts made to secured objects.
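To make the DACL/SACL split concrete, the following added example (not part of the original page) parses a security descriptor in SDDL string form, lists DACL allow ACEs that grant control-level rights to principals outside an assumed trusted set, and reports which rights the SACL audits. The sample descriptor, its SIDs, and the `TRUSTED` set are constructed for illustration; conditional ACEs and hex access masks are not handled.

```python
import re

# SDDL right codes that hand over control of an object.
CONTROL_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite",
                  "WD": "WriteDacl", "WO": "WriteOwner"}
# Assumption: SID aliases this audit treats as expected administrators
# (Domain Admins, Enterprise Admins, Builtin Administrators, Local System).
TRUSTED = {"DA", "EA", "BA", "SY"}

def parse_acl(sddl, tag):
    """Parse the ACEs of one ACL: tag 'D' is the DACL, tag 'S' the SACL."""
    section = re.search(tag + r":[A-Z]*((?:\([^()]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", section.group(1) if section else ""):
        ace_type, flags, rights, _obj, _inherit, trustee = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags, "trustee": trustee,
                     "rights": re.findall("[A-Z]{2}", rights)})
    return aces

def risky_aces(sddl):
    """Allow ACEs in the DACL that give control rights to untrusted principals."""
    findings = []
    for ace in parse_acl(sddl, "D"):
        granted = [CONTROL_RIGHTS[r] for r in ace["rights"] if r in CONTROL_RIGHTS]
        if ace["type"] in ("A", "OA") and ace["trustee"] not in TRUSTED and granted:
            findings.append((ace["trustee"], granted))
    return findings

def audited_rights(sddl):
    """Rights whose use the SACL logs (audit ACEs, type 'AU' or 'OU')."""
    return {r for ace in parse_acl(sddl, "S")
            if ace["type"] in ("AU", "OU") for r in ace["rights"]}

# Constructed sample descriptor; the SIDs are made up for this example.
SAMPLE = ("O:DAG:DA"
          "D:PAI(A;;GA;;;DA)"                           # Domain Admins: full control
          "(A;;RPLCRC;;;AU)"                            # Authenticated Users: read only
          "(D;;WD;;;S-1-5-21-1111-2222-3333-1105)"      # explicit deny of WriteDacl
          "(A;CI;WDWO;;;S-1-5-21-1111-2222-3333-1106)"  # ordinary account: control rights
          "S:AI(AU;SA;WDWO;;;WD)")                      # audit successful DACL/owner changes

if __name__ == "__main__":
    for trustee, rights in risky_aces(SAMPLE):
        print(f"{trustee} is allowed {', '.join(rights)}")
    print("audited:", sorted(audited_rights(SAMPLE)))
```
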

We can use ACL attacks for:

  • Lateral movement

  • Privilege escalation

  • Persistence

Here is an excellent breakdown of the various possible ACE attacks and the tools to perform these attacks from both Windows and Linux.
