fox-it.com
Dirk-jan Mollema
@_dirkjan
Aclpwn.py – Active Directory ACL exploitation with BloodHound
Whoami
- Lives in The Netherlands
- Hacker / Red Teamer / Researcher @ Fox-IT since 2016
- Previously freelance web developer
- Author of several Active Directory tools:
  - mitm6
  - ldapdomaindump
  - BloodHound.py
- Co-author of ntlmrelayx
- Blogs on dirkjanm.io
- Tweets stuff on @_dirkjan
Contents
• What are ACLs
• Common ACL abuse paths
• aclpwn.py concepts
• Using aclpwn.py
Abusing ACLs – prior work
• https://github.com/ANSSI-FR/AD-control-paths (Emmanuel Gras and Lucas Bouillot from ANSSI – 2014)
• “An ACE up the Sleeve” – BH USA 2017 (by @_wald0 and @harmj0y)
• BloodHound (@_wald0, @harmj0y and @CptJesus)
What are ACLs – the short version
What are ACLs – the short version
• In Active Directory, an ACL defines who can do what on an object
• Objects:
  • Users
  • Groups
  • Computers
  • Domain(s)
What are ACLs – Terminology
• Access Control List
  • SACL – used for auditing access
  • DACL – used for defining who has what access on an object
• A DACL consists of ACEs
  • Access Control Entries
ACLs are hard
ACLs are hard (2)
ACLs are hard (3)
(three image-only slides)
ACLs are hard!
• Even some default ACLs are too complex for the UI to display
• We can’t realistically expect sysadmins to keep track of ACLs or to fully understand their impact
  • Especially not if they are inherited or nested
• Tooling is needed!
Mapping ACLs with BloodHound
• BloodHound 1.3 introduced the ACL update
• Makes it easy to identify ACLs
• Collect them with SharpHound.exe -c ACL
• Not yet supported in BloodHound.py (but work in progress)
Source: https://wald0.com/?p=112
ACL abuse – case studies
Bad ACLs – Case study 1: Exchange
• By default “Exchange Windows Permissions” has wide-reaching privileges in the domain
  • Including WriteDacl on the Domain object
• Allows any Exchange Server to grant DCSync privileges
• Effectively: local admin on Exchange Server = Domain Admin
Sources:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- https://github.com/gdedrouas/Exchange-AD-Privesc
- https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Bad ACLs – Case study 1: Exchange (image-only slide)
Bad ACLs – Case study 1: Exchange
• No need to run anything on the Exchange server
• Just dump the hashes of the machine account and feed them to aclpwn.py
• aclpwn.py will pass-the-hash and gain the privileges
• DCSync with secretsdump.py (impacket)
Bad ACLs – Case study 2: Enterprise key admins
• ADPREP in Server 2016 introduces an “Enterprise Key Admins” group
• This group has full control over the Domain object (before v1709)
• Allows Account Operators to obtain DCSync privileges
Sources:
- https://secureidentity.se/adprep-bug-in-windows-server-2016/
- My lab ☺
Bad ACLs – Case study 2: Enterprise key admins (image-only slide)
WriteDacl on Domain object => DCSync privileges (image-only slide)
Exploiting ACLs
Existing ACL exploitation tools and their limitations
• PowerSploit (https://github.com/PowerShellMafia/PowerSploit)
  • Manual exploitation only
  • Can be confusing if there are multiple steps in the chain
  • Complex to use with machine accounts or pass-the-hash
• Invoke-AclPwn (https://github.com/fox-it/Invoke-ACLPwn)
  • Automated pathfinding
  • Parses SharpHound output on the host (slow)
  • Limited scenarios
  • Complex to use with machine accounts or pass-the-hash
aclpwn.py
• Direct integration with BloodHound and the Neo4j graph database
• Supports any reversible ACL-based attack chain
• Advanced pathfinding to find the most efficient paths
• Support for exploitation with NTLM hashes (pass-the-hash)
• Saves restore state, easy rollback of changes
• Can be run via a SOCKS tunnel
• Written in Python (2.7 and 3.5+), so OS independent
aclpwn.py – the concept
• Find an exploitation path
  • Start at a user/computer
  • End at a group or domain
• aclpwn.py finds the most efficient path
• Objects are modified to obtain the required access
• After the action on objectives is achieved, the path is walked in reverse and privileges are restored
Pathfinding difficulties
Pathfinding with Neo4j
• The shortest path is not always the most efficient path
• Neo4j counts path length based on the number of nodes
• If we have the following scenario:
  • User “test” is a member of group A
  • Group A is a member of group B
  • Group B is a member of group C
  • Group C is a member of Domain Admins
  • AND user “test” has AddMember on Domain Admins
• Neo4j will see the path (Test)-[AddMember]->(Domain Admins) as the shortest
  • Even though user “test” is effectively already a domain admin
Solution: weighted paths (diagram with edge weights 0 and 1)
Weighted paths
• Either calculated manually (faster but less accurate, may miss paths)
• Or discovered using the Dijkstra algorithm (slower, but more accurate)
• Different weights for different modification parameters
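The scenario on the Neo4j slide and the weighted-path idea above, worked through as an added example (this is not aclpwn.py's own code). It assumes the weights the slides hint at: traversing an existing MemberOf edge costs 0 because nothing in AD has to change, while an edge that requires modifying an object (AddMember, WriteDacl, GenericAll) costs 1. Hop-count search returns the one-step AddMember path; Dijkstra over the same graph returns the four-step path that needs no modification at all.

```python
"""Hop-count search versus weighted (Dijkstra) search over a small ACL graph.

Added example, not code from the talk or from aclpwn.py. The graph and the
edge weights below are constructed for this example.
"""
import heapq
from collections import deque

# Constructed graph from the slide: (source, relationship, target).
EDGES = [
    ("test", "MemberOf", "Group A"),
    ("Group A", "MemberOf", "Group B"),
    ("Group B", "MemberOf", "Group C"),
    ("Group C", "MemberOf", "Domain Admins"),
    ("test", "AddMember", "Domain Admins"),
]

# Assumed weights: 0 for relationships that need no change to AD,
# 1 for each object modification the tool would have to perform and later undo.
WEIGHTS = {"MemberOf": 0, "AddMember": 1, "WriteDacl": 1, "GenericAll": 1}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def _rebuild(prev, goal):
    """Turn a predecessor map into an ordered list of (node, rel, node) steps."""
    steps = []
    node = goal
    while prev[node] is not None:
        parent, rel = prev[node]
        steps.append((parent, rel, node))
        node = parent
    return list(reversed(steps))


def shortest_by_hops(graph, start, goal):
    """Breadth-first search: what a plain shortest-path query gives, counting nodes only."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return _rebuild(prev, goal)
        for rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def cheapest_by_weight(graph, start, goal, weights):
    """Dijkstra: minimise the total edge weight, i.e. the number of modifications."""
    dist = {start: 0}
    prev = {start: None}
    heap = [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:
            return cost, _rebuild(prev, goal)
        if cost > dist[node]:
            continue  # stale heap entry
        for rel, nxt in graph[node]:
            new_cost = cost + weights[rel]
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = (node, rel)
                heapq.heappush(heap, (new_cost, nxt))
    return None


def modifications_needed(path, weights):
    """Number of AD objects a path would require changing (and restoring)."""
    return sum(weights[rel] for _, rel, _ in path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    hops = shortest_by_hops(g, "test", "Domain Admins")
    print("by hops:", hops, "modifications:", modifications_needed(hops, WEIGHTS))
    cost, path = cheapest_by_weight(g, "test", "Domain Admins", WEIGHTS)
    print("by weight:", path, "modifications:", cost)
```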
Pathfinding methods (screenshots)
• Shortest only:
• Dijkstra:
Path is found and validated (image-only slide)
Example: escalating from account operators (two image-only slides)
Non-supported edges and limitations
• ForceChangePassword:
  • We have the right to change the user’s password
  • Not easily possible to restore afterwards (only with dcshadow or setntlm)
  • Not supported for now
  • Solution: split the path, perform the password reset manually
• WriteOwner:
  • Seems to be limited to setting the owner to your own user
  • Not possible to restore right now
  • Needs more investigation
Restore operation
• aclpwn.py will remember state during exploitation
• Possible to restore all operations using the --restore option
• Different restore strategies
Restore example (image-only slide)
Defenses
Defending against ACL attacks
• Audit your ACLs!
  • Use BloodHound
  • Remove dangerous ACLs (for example Exchange)
• Restrict permission delegation, since each of these is effectively equivalent to Domain Admin:
  • Admin on Exchange Server => Domain Admin
  • Admin on Azure AD Connect host => Domain Admin
  • Resetting the password of high-privilege users => Domain Admin
  • Managing groups with high privileges => Domain Admin
Defending against ACL attacks
• Monitor for ACL changes
  • Use SACLs to generate events for important object modifications
  • Use event logging to monitor DACL changes
• See: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
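A triage routine for the "Monitor for ACL changes" advice above, as an added example (not from the talk or from aclpwn.py). It assumes SACLs on the domain controllers emit event 5136 (directory service object modified) and that 4728/4756 (member added to a security-enabled global/universal group) arrive as dicts with the field names shown; the sample events, group names and thresholds are constructed for this example.

```python
"""Flag DACL rewrites and privileged-group membership changes in constructed
Windows Security events: the two changes an ACL attack chain has to make.

Added example, not part of the talk or of aclpwn.py. Field names follow the
5136/4728 event XML; all sample values are constructed.
"""

# Assumed list of groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators",
    "Account Operators", "Exchange Windows Permissions", "Enterprise Key Admins",
}

# Constructed sample events.
SAMPLE_EVENTS = [
    # A machine account rewriting the DACL of the domain object: the shape of
    # the Exchange case study (WriteDacl on the domain => DCSync).
    {"EventID": 5136, "SubjectUserName": "EXCH01$", "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "Value Added"},
    # Benign attribute change on a user: must not be flagged.
    {"EventID": 5136, "SubjectUserName": "svc_hr", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "telephoneNumber", "OperationType": "Value Added"},
    # An Account Operators member adding itself to Domain Admins (an AddMember edge).
    {"EventID": 4728, "SubjectUserName": "acctop1", "TargetUserName": "Domain Admins",
     "MemberName": "CN=acctop1,OU=Staff,DC=corp,DC=example"},
    # Membership change on an unprivileged group: must not be flagged.
    {"EventID": 4728, "SubjectUserName": "helpdesk2", "TargetUserName": "Printer Users",
     "MemberName": "CN=bob,OU=Staff,DC=corp,DC=example"},
]


def classify(event):
    """Return (rule, severity) for one event, or None if it is not interesting."""
    eid = event.get("EventID")
    subject = event.get("SubjectUserName", "")
    if eid == 5136 and event.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
        # A DACL rewrite on the domain object is the WriteDacl => DCSync path.
        if event.get("ObjectClass") == "domainDNS":
            return "dacl-change-domain-object", "critical"
        # Machine accounts (trailing $) do not edit DACLs in normal operations.
        if subject.endswith("$"):
            return "dacl-change-by-machine-account", "high"
        return "dacl-change", "medium"
    if eid in (4728, 4756) and event.get("TargetUserName") in PRIVILEGED_GROUPS:
        return "privileged-group-member-added", "high"
    return None


def triage(events):
    """Classify a batch of events and return the findings with context attached."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict is None:
            continue
        rule, severity = verdict
        findings.append({
            "rule": rule,
            "severity": severity,
            "subject": event.get("SubjectUserName"),
            "target": event.get("ObjectDN") or event.get("TargetUserName"),
        })
    return findings


def chained_subjects(findings):
    """Subjects with more than one finding: a DACL change followed by a group
    add by the same principal is what a multi-step ACL chain looks like in the logs."""
    counts = {}
    for finding in findings:
        counts[finding["subject"]] = counts.get(finding["subject"], 0) + 1
    return sorted(subject for subject, n in counts.items() if n > 1)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```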
Conclusions
Conclusions
• ACL attacks are still relatively unknown
  • But present in almost every Active Directory
• You don’t need a Domain Admin session to pwn the domain
• More tooling will (hopefully) raise awareness for this issue
Get the tools
• Online at https://github.com/fox-it/aclpwn.py
• Follow me on Twitter to keep up to date with my work (@_dirkjan)
• I’ll be demoing aclpwn.py this afternoon tomorrow morning
• Feel free to drop by for any questions! ☺
Dirk-jan Mollema
Aclpwn.py – Active Directory ACL exploitation with BloodHound
Ad

More Related Content

What's hot (20)

Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
Florian Roth
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
Florian Roth
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

Similar to aclpwn - Active Directory ACL exploitation with BloodHound (20)

Top school in noida
Top school in noidaTop school in noida
Top school in noida
Edhole.com
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
NETWAYS
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
NETWAYS
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
Data Publication and Discovery with Globus
Data Publication and Discovery with GlobusData Publication and Discovery with Globus
Data Publication and Discovery with Globus
Globus
 
Apache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling UpApache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling Up
Sander Temme
 
Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)
Viral Solani
 
REST Api Tips and Tricks
REST Api Tips and TricksREST Api Tips and Tricks
REST Api Tips and Tricks
Maksym Bruner
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
airflow web UI and CLI.pptx
airflow web UI and CLI.pptxairflow web UI and CLI.pptx
airflow web UI and CLI.pptx
VIJAYAPRABAP
 
airflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptxairflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptx
VIJAYAPRABAP
 
Introduction to the Globus PaaS (GlobusWorld Tour - STFC)
Introduction to the Globus PaaS (GlobusWorld Tour - STFC)Introduction to the Globus PaaS (GlobusWorld Tour - STFC)
Introduction to the Globus PaaS (GlobusWorld Tour - STFC)
Globus
 
Leveraging the Globus Platform (GlobusWorld Tour - UCSD)
Leveraging the Globus Platform (GlobusWorld Tour - UCSD)Leveraging the Globus Platform (GlobusWorld Tour - UCSD)
Leveraging the Globus Platform (GlobusWorld Tour - UCSD)
Globus
 
Topic 3-1_More_Linux_Commands.pptx
Topic 3-1_More_Linux_Commands.pptxTopic 3-1_More_Linux_Commands.pptx
Topic 3-1_More_Linux_Commands.pptx
dulala3
 
Airflow presentation
Airflow presentationAirflow presentation
Airflow presentation
Ilias Okacha
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
The Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systemsThe Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systems
Romain Jacotin
 
Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)
Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)
Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)
Globus
 
Solr Recipes
Solr RecipesSolr Recipes
Solr Recipes
Erik Hatcher
 
Introduction to Globus: Research Data Management Software at the ALCF
Introduction to Globus: Research Data Management Software at the ALCFIntroduction to Globus: Research Data Management Software at the ALCF
Introduction to Globus: Research Data Management Software at the ALCF
Globus
 
Top school in noida
Top school in noidaTop school in noida
Top school in noida
Edhole.com
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
NETWAYS
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
NETWAYS
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
Data Publication and Discovery with Globus
Data Publication and Discovery with GlobusData Publication and Discovery with Globus
Data Publication and Discovery with Globus
Globus
 
Apache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling UpApache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling Up
Sander Temme
 
Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)Introduction to Laravel Framework (5.2)
Introduction to Laravel Framework (5.2)
Viral Solani
 
REST Api Tips and Tricks
REST Api Tips and TricksREST Api Tips and Tricks
REST Api Tips and Tricks
Maksym Bruner
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
airflow web UI and CLI.pptx
airflow web UI and CLI.pptxairflow web UI and CLI.pptx
airflow web UI and CLI.pptx
VIJAYAPRABAP
 
airflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptxairflowpresentation1-180717183432.pptx
airflowpresentation1-180717183432.pptx
VIJAYAPRABAP
 
Introduction to the Globus PaaS (GlobusWorld Tour - STFC)
Introduction to the Globus PaaS (GlobusWorld Tour - STFC)Introduction to the Globus PaaS (GlobusWorld Tour - STFC)
Introduction to the Globus PaaS (GlobusWorld Tour - STFC)
Globus
 
Leveraging the Globus Platform (GlobusWorld Tour - UCSD)
Leveraging the Globus Platform (GlobusWorld Tour - UCSD)Leveraging the Globus Platform (GlobusWorld Tour - UCSD)
Leveraging the Globus Platform (GlobusWorld Tour - UCSD)
Globus
 
Topic 3-1_More_Linux_Commands.pptx
Topic 3-1_More_Linux_Commands.pptxTopic 3-1_More_Linux_Commands.pptx
Topic 3-1_More_Linux_Commands.pptx
dulala3
 
Airflow presentation
Airflow presentationAirflow presentation
Airflow presentation
Ilias Okacha
 
The Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systemsThe Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systems
Romain Jacotin
 
Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)
Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)
Leveraging the Globus Platform (GlobusWorld Tour - Columbia University)
Globus
 
Introduction to Globus: Research Data Management Software at the ALCF
Introduction to Globus: Research Data Management Software at the ALCFIntroduction to Globus: Research Data Management Software at the ALCF
Introduction to Globus: Research Data Management Software at the ALCF
Globus
 
Ad

Recently uploaded (20)

Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025
kashifyounis067
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRYLEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
NidaFarooq10
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...

aclpwn - Active Directory ACL exploitation with BloodHound

  • 14. Bad ACLs – Case study 1: Exchange
    • By default “Exchange Windows Permissions” has wide-reaching privileges in the domain
    • Including WriteDacl on the Domain object
    • Allows any Exchange Server to grant DCSync privileges
    • Effectively: local admin on Exchange Server = Domain Admin
    Sources:
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
    - https://github.com/gdedrouas/Exchange-AD-Privesc
    - https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
  • 15. Bad ACLs – Case study 1: Exchange
  • 16. Bad ACLs – Case study 1: Exchange
    • No need to run anything on the Exchange server
    • Just dump the hashes of the machine account and feed them to aclpwn.py
    • aclpwn.py will pass-the-hash and gain privileges
    • DCSync with secretsdump.py (impacket)
  • 17. Bad ACLs – Case study 2: Enterprise Key Admins
    • ADPREP in Server 2016 introduces an “Enterprise Key Admins” group
    • This group has full control over the Domain object (before v1709)
    • Allows Account Operators to obtain DCSync privileges
    Sources:
    - https://secureidentity.se/adprep-bug-in-windows-server-2016/
    - My lab ☺
  • 18. Bad ACLs – Case study 2: Enterprise Key Admins
  • 19. WriteDacl on Domain object => DCSync privileges
  • 21. Existing ACL exploitation tools and their limitations
    • PowerSploit (https://github.com/PowerShellMafia/PowerSploit)
      • Manual exploitation only
      • Can be confusing if there are multiple steps in the chain
      • Complex to use with machine accounts or pass-the-hash
    • Invoke-ACLPwn (https://github.com/fox-it/Invoke-ACLPwn)
      • Automated pathfinding
      • Parses SharpHound output on the host (slow)
      • Limited scenarios
      • Complex to use with machine accounts or pass-the-hash
  • 22. aclpwn.py
    • Direct integration with BloodHound and the Neo4j graph database
    • Supports any reversible ACL-based attack chain
    • Advanced pathfinding to find the most efficient paths
    • Support for exploitation with NTLM hashes (pass-the-hash)
    • Saves restore state, easy rollback of changes
    • Can be run via a SOCKS tunnel
    • Written in Python (2.7 and 3.5+), so OS independent
  • 23. aclpwn.py – the concept
    • Find an exploitation path
      • Start at a user/computer
      • End at a group or domain
    • aclpwn.py finds the most efficient path
    • Objects are modified to obtain the required access
    • After action on objectives is achieved, the path is walked in reverse and privileges are restored
  • 25. Pathfinding with Neo4j
    • The shortest path is not always the most efficient path
    • Neo4j counts path length based on the number of nodes
    • If we have the following scenario:
      • User “test” is a member of group A
      • Group A is a member of group B
      • Group B is a member of group C
      • Group C is a member of Domain Admins
      • AND user “test” has AddMember on Domain Admins
    • Neo4j will see the path (Test)-[AddMember]->(Domain Admins) as the shortest
    • Even though user “test” is effectively already a domain admin
  • 27. Weighted paths
    • Either calculated manually (faster but less accurate, may miss paths)
    • Or discovered using the Dijkstra algorithm (slower, but more accurate)
    • Different weights for different modification parameters
  • 28. Pathfinding methods
    • Shortest only:
    • Dijkstra:
  • 29. Path is found and validated
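The scenario from slide 25 as an added example (not code from aclpwn.py or the author): a hop-count search and a Dijkstra search over constructed edges. The edge weights are assumptions chosen so that an existing MemberOf relation costs nothing while AddMember and WriteDacl, which require modifying and later restoring an object, cost more; the node and group names follow the slide.

```python
import heapq
from collections import deque

# Constructed edges from the slide scenario: (source, relationship, target).
EDGES = [
    ("test", "MemberOf", "Group A"),
    ("Group A", "MemberOf", "Group B"),
    ("Group B", "MemberOf", "Group C"),
    ("Group C", "MemberOf", "Domain Admins"),
    ("test", "AddMember", "Domain Admins"),
]
# Assumed weights (not aclpwn.py's real values): an existing MemberOf relation costs
# nothing to traverse, while AddMember/WriteDacl require modifying an object that
# must be restored afterwards.
EDGE_WEIGHTS = {"MemberOf": 0, "AddMember": 2, "WriteDacl": 3}

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((dst, rel))
    return graph

def shortest_by_hops(graph, start, goal):
    """BFS: the fewest-nodes path, which is what a plain shortestPath() query favours."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for nxt, rel in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None

def cheapest_by_weight(graph, start, goal):
    """Dijkstra over modification cost: returns (cost, path) with the fewest changes."""
    heap, best, tick = [(0, 0, start, [])], {start: 0}, 1
    while heap:
        cost, _, node, path = heapq.heappop(heap)
        if node == goal:
            return cost, path
        for nxt, rel in graph.get(node, []):
            new_cost = cost + EDGE_WEIGHTS[rel]
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, tick, nxt, path + [(node, rel, nxt)]))
                tick += 1
    return None

def modifications_needed(path):
    """Edges that change an object (everything except an existing MemberOf relation)."""
    return sum(1 for _, rel, _ in path if rel != "MemberOf")
```

The hop-count search returns the one-edge AddMember path (one modification to make and undo), while the weighted search returns the four MemberOf hops that need no changes at all.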
  • 32. Non-supported edges and limitations
    • ForceChangePassword:
      • We have the right to change the user’s password
      • Not easily possible to restore afterwards (only with dcshadow or setntlm)
      • Not supported for now
      • Solution: split the path, perform the password reset manually
    • WriteOwner:
      • Seems to be limited to setting the owner to your own user
      • Not possible to restore right now
      • Needs more investigation
  • 33. Restore operation
    • aclpwn.py will remember state during exploitation
    • Possible to restore all operations using the --restore option
    • Different restore strategies
  • 36. Defending against ACL attacks
    • Audit your ACLs!
    • Use BloodHound
    • Remove dangerous ACLs (for example Exchange)
    • Restrict permission delegation:
      • Admin on Exchange Server => Domain Admin
      • Admin on Azure AD Connect host => Domain Admin
      • Resetting the password of high-privilege users => Domain Admin
      • Managing groups with high privileges => Domain Admin
  • 37. Defending against ACL attacks
    • Monitor for ACL changes
    • Use SACLs to generate events for important object modifications
    • Use event logging to monitor DACL changes
    • See: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
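The audit and monitoring the two defence slides recommend, as an added example (not code from aclpwn.py or the author): a parser for the DACL part of an SDDL string that flags ACEs granting WriteDacl/WriteOwner/GenericAll or the two DCSync replication rights to principals outside an assumed allowlist, applied to constructed event 5136 (directory service object modified) records. The record field names follow the event's data items, but the "add" operation value, the domain DN, the account names and the SIDs are constructed.

```python
import re

# Well-known extended-right GUIDs for the two replication rights that make up DCSync.
DCSYNC_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
DANGEROUS = {"WD", "WO", "GA"}   # SDDL tokens for WRITE_DAC, WRITE_OWNER, GENERIC_ALL
# Assumed allowlist: principals expected to hold such rights on the domain object.
EXPECTED_SIDS = {"SY", "BA", "DA", "EA"}  # SYSTEM, Builtin Admins, Domain Admins, Enterprise Admins

def parse_dacl(sddl):
    """Yield (ace_type, rights, object_guid, sid) per ACE in the D: part of an SDDL string.
    Rights are expected as two-letter SDDL tokens (the hex-mask form is not handled here)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) >= 6:
            yield fields[0], set(re.findall(r"..", fields[2])), fields[3].lower(), fields[5]

def risky_aces(sddl, expected=EXPECTED_SIDS):
    """ACEs granting DACL control or DCSync rights to principals outside the allowlist."""
    findings = []
    for ace_type, rights, guid, sid in parse_dacl(sddl):
        if ace_type not in ("A", "OA") or sid in expected:
            continue   # deny ACEs and expected admins are not findings
        if rights & DANGEROUS:
            findings.append((sid, "WriteDacl/WriteOwner/GenericAll"))
        elif "CR" in rights and guid in DCSYNC_GUIDS:
            findings.append((sid, "DCSync"))
    return findings

def check_events(events, domain_dn):
    """Alert on 5136 records that add a risky nTSecurityDescriptor value to the domain object."""
    alerts = []
    for ev in events:
        if (ev["EventID"] == 5136 and ev["AttributeLDAPDisplayName"] == "nTSecurityDescriptor"
                and ev["ObjectDN"].lower() == domain_dn.lower() and ev["OperationType"] == "add"):
            for sid, why in risky_aces(ev["AttributeValue"]):
                alerts.append((ev["SubjectUserName"], sid, why))
    return alerts

# Constructed sample records (not real log data); the second grants DCSync to a non-admin SID.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "admin", "ObjectDN": "DC=corp,DC=local", "OperationType": "add",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "constructed"},
    {"EventID": 5136, "SubjectUserName": "EXCH01$", "ObjectDN": "DC=corp,DC=local", "OperationType": "add",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                       "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
                       "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"},
]
```

The same `risky_aces` check can be run periodically over the nTSecurityDescriptor of the domain object itself, which covers the audit on slide 36 rather than only the change-monitoring on slide 37.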
  • 39. Conclusions
    • ACL attacks are still relatively unknown
    • But present in almost every Active Directory
    • You don’t need a Domain Admin session to pwn the domain
    • More tooling will (hopefully) raise awareness of this issue
  • 40. Get the tools
    • Online at https://github.com/fox-it/aclpwn.py
    • Follow me on Twitter to keep up to date with my work (@_dirkjan)
    • I’ll be demoing aclpwn.py this afternoon tomorrow morning
    • Feel free to drop by for any questions! ☺
  • 41. Dirk-jan Mollema – Aclpwn.py – Active Directory ACL exploitation with BloodHound