ACL Enumeration

Enumerando ACLs com o PowerView

• Importar o módulo

. .\PowerView.ps1

$sid = Convert-NameToSid wley #Obter o SID de um user

• Usando Get-DomainObjectACL

Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

• Executando uma pesquisa reversa e mapeando para um valor GUID

$guid= "00299570-246d-11d0-a768-00aa006e0529"
$searchBase = "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)"
Get-ADObject -SearchBase $searchBase -LDAPFilter "(objectClass=ControlAccessRight)" -Properties * | Where-Object {$_.rightsGuid -eq $guid} | Select Name, DisplayName, DistinguishedName, rightsGuid | Format-List

• Usando o sinalizador -ResolveGUIDs

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} 

Criando uma lista de usuários do domínio

Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

Um loop foreach útil

foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl  "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}

Enumeração adicional de direitos usando damundsen

$sid2 = Convert-NameToSid damundsen #Alterar sempre o user
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose

Investigando o grupo de nível 1 do suporte técnico com Get-DomainGroup

Get-DomainGroup -Identity "Help Desk Level 1" | select memberof

Investigando o Grupo de Tecnologia da Informação

$itgroupsid = Convert-NameToSid "Information Technology"
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose

Procurando acesso interessante

$adunnsid = Convert-NameToSid adunn 
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose