So let’s say, we connect to one of the AD named “plum”, available at 192.168.3.215 as shown in the screenshot below. When you run a powershell script from ADACLScanner you are greeted with a nice GUI (one of the rare tools in powershell with a nice GUI). We will explain this process with the help of an example below:
We can repurpose this tool to perform the tasks of AD delegation hunting. This tool is written by canix1 and is useful for generic ACL scanning. Using Custom Powershell Script by NSS (Fully Automated).Using AD ACLScanner (Semi Automated) and.To achieve that, we will use two different approaches: This local admin access allows us to run unrestricted powershell scripts however we would require the domain login to perform enumeration on the AD domain.We have a compromised local admin access on a domain joined machine.We have previously compromised a low privilege domain user with severe restrictions such as powershell execution disabled via AppLocker.
Today, we are going to look at other possible options to hunt for these delegations across a network in an (semi-)automated manner via scripts. Another article which can be found here covered multiple other tools which can help in such manual analysis. This capability, if miss-configured, can become a major reason for AD compromise.Įarlier we only talked about manual analysis for finding such delegations. To summarize, Active Directory has a capability to delegate certain rights to non (domain/forest/enterprise) admin users to perform administrative tasks over a specific section of AD. Active Directory (AD) delegation is a fascinating subject, and we have previously discussed it in a blog post and later in a webinar.
0 kommentar(er)
