📼Enum ACLs
We can use Get-DomainObjectACL from PowerView to enumerate ACLs.
If we target a specific group, like the Domain Admins group, we can enumerate it the following way:
Next, to check for modify rights/permissions held by a specific user, we can use Find-InterestingDomainAcl.
Understanding which users have modify rights in your AD is critical for security auditing. Modify permissions can allow users to make significant changes, such as altering user accounts, groups, or policies, which can affect the entire domain.
For the user “student613” I would use the following:
Unfortunately, we don't find anything. But what if we specify a group instead of a user?
Since we're a member of the RDP Users group, let's check that out:
The command is used to find and filter specific ACLs in a domain that relate to a group or user containing "RDPUsers" in their name. Here is a step-by-step explanation of what the command does:
Find-InterestingDomainAcl -ResolveGUIDs | ?{ $_.IdentityReferenceName -match "RDPUsers" }
Find-InterestingDomainAcl -ResolveGUIDs: Executes the function to find interesting domain ACLs and resolves GUIDs into readable names.
| (Pipe): Passes the resulting list of ACLs to the next command.
?{ $_.IdentityReferenceName -match "RDPUsers" }: Filters the ACLs to include only those where the IdentityReferenceName matches or contains the string "RDPUsers".
More in depth:
?{ $_.IdentityReferenceName -match "RDPUsers" }:
The ? is an alias for the Where-Object cmdlet, which filters objects based on a specified condition.
{ $_.IdentityReferenceName -match "RDPUsers" } is the condition being applied.
$_ represents the current object in the pipeline.
IdentityReferenceName is a property of the objects being filtered, likely representing the name of a user or group.
-match "RDPUsers" checks if the IdentityReferenceName contains the string "RDPUsers".
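The filter stage explained above, applied to constructed records so it runs without a domain and can feed an audit report. This is an added example, not part of the original page or of PowerView: Get-AclHolderSummary is a hypothetical helper, ObjectDN and ActiveDirectoryRights are assumed property names, and all sample values are made up.

```powershell
# Constructed sample records standing in for Find-InterestingDomainAcl output.
# Only IdentityReferenceName comes from the page; ObjectDN and
# ActiveDirectoryRights are assumed property names, and every value is made up.
$SampleAcls = @(
    [pscustomobject]@{ ObjectDN = 'CN=SvcBackup,CN=Users,DC=example,DC=local'
        ActiveDirectoryRights = 'GenericAll'; IdentityReferenceName = 'RDPUsers' }
    [pscustomobject]@{ ObjectDN = 'CN=HelpDesk,CN=Users,DC=example,DC=local'
        ActiveDirectoryRights = 'GenericAll'; IdentityReferenceName = 'RDPUsers' }
    [pscustomobject]@{ ObjectDN = 'OU=Workstations,DC=example,DC=local'
        ActiveDirectoryRights = 'WriteProperty'; IdentityReferenceName = 'NotRDPUsers-Legacy' }
    [pscustomobject]@{ ObjectDN = 'CN=HelpDesk,CN=Users,DC=example,DC=local'
        ActiveDirectoryRights = 'WriteDacl'; IdentityReferenceName = 'studentadmin' }
)

# Hypothetical helper: filter ACL records by holder name, then summarise
# which rights that holder has over which objects.
function Get-AclHolderSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Acl,
        [Parameter(Mandatory)] [string]   $Name,
        [switch] $Exact
    )
    # -match is a case-insensitive, unanchored regex test, so "RDPUsers" also
    # matches "NotRDPUsers-Legacy". Escaping and anchoring makes it exact.
    $pattern = if ($Exact) { '^' + [regex]::Escape($Name) + '$' } else { $Name }

    $Acl |
        Where-Object { $_.IdentityReferenceName -match $pattern } |
        Group-Object IdentityReferenceName, ActiveDirectoryRights |
        ForEach-Object {
            [pscustomobject]@{
                Holder  = $_.Group[0].IdentityReferenceName
                Rights  = $_.Group[0].ActiveDirectoryRights
                Objects = @($_.Group.ObjectDN)
            }
        }
}

# Same filter as on the page: substring match, returns both groups.
Get-AclHolderSummary -Acl $SampleAcls -Name 'RDPUsers' | Format-List

# Anchored match: only the group literally named RDPUsers.
Get-AclHolderSummary -Acl $SampleAcls -Name 'RDPUsers' -Exact | Format-List
```

When reviewing real output, the anchored form keeps similarly named groups out of the report for a single principal.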