Invoke-ACLpwn is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured.
For background information, read the release blog: https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Invoke-ACLpwn is designed to run with integrated credentials as well as with specified network credentials. The script works by creating an export of all ACLs in the domain with SharpHound as well as the group membership of the user account that the tool is running under. If the user does not already have writeDACL permissions on the domain object, the tool will enumerate all ACEs of the ACL of the domain. Every identity in an ACE has an ACL of its own, which is added to the enumeration queue. If the identity is a group and the group has members, every group member is added to the enumeration queue as well.
It may take some time to calculate and parse every ACL, but could end up with a "chain" that leads to domain administrative privilges in the target domain.
No installation is needed, however, in order to run Invoke-ACLpwn, a few depedencies must be met:
.NET 3.5
or latersharphound.exe
- If you want to run DCsync, you need
mimikatz.exe
as well.
Parameters:
Required parameters:
SharpHoundLocation: location of sharphound.exe
Optional parameters:
Domain : FQDN of the target domain
Username : Username to authenticate with
Password : Password to authenticate with
WhatIf : Displays only the action the script intends to do. No exploitation.
Access as well as potential access will increase if the user account is added
to security groups, so the result of this switch may look incomplete.
NoSecCleanup : By default, the user will be removed from the ACL and the groups that were added during runtime when the script is finished.
Setting this switch will leave that in tact.
NoDCSync : Will not run DCSync after all necessary steps have been taken
userAccountToPwn : User account to retrieve NTLM hash of. Only single user accounts supported now. Defaults to krbtgt account.
logToFile : Switch to write console output to file with the same name as script.
mimiKatzLocation : location of mimikatz.exe
Please note that specifying the mimikatz location is required unless the
-NoDCSync
switch is specified.
Example usage:
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -NoDCSync
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -userAccountToPwn 'Administrator'
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -LogToFile
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -NoSecCleanup
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'
If the -NoSecCleanup
switch is not specified, the script will remove any
permission that was set by the script as well as group memberships.