ACL

For now I don't know any methods for enumerating ACLs from Linux except BloodHound and PowerView, so yeah. No Windows / Linux sections here.

PowerView

PS C:\> Import-Module .\PowerView.ps1

Object

Get Info About an AD Object

PS C:\> $sid = Convert-NameToSid sreed
PS C:\> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} -Verbose

This command works like this. In $sid we put the SID of the object we want to know more about (it doesn't matter whether it is a user or a group).

  • Get-DomainObjectACL -Identity * retrieves the ACLs of all objects in AD. We pipe the result to a filter that keeps only the entries whose SecurityIdentifier equals $sid, which leaves the ACL entries related to our object.

  • -ResolveGUIDs translates the GUIDs in each entry into human-readable names.

Users

Dump all AD usernames into a file

PS C:\> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

Which users OUR user has access over

PS C:\> foreach($line in [System.IO.File]::ReadLines("C:\Path\To\ad_users.txt")) {get-acl  "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'MILITECH\\sreed'}}

Groups

Check Nested Groups

PS C:\> Get-DomainGroup -Identity "group" | select memberof

GUID

Resolve GUID to human-readable permission name

PS C:\> $guid= "00299570-246d-11d0-a768-00aa006e0529"
PS C:\> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
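
Resolving one GUID per query gets slow when reading a whole ACL. The following is an added example (not from the original notes and not PowerView's code) that builds the GUID-to-name table once and then annotates each ACE. Get-RightsGuidMap and Resolve-AceRight are hypothetical helper names, and the sample ACEs and map at the bottom are constructed so that part runs without a domain.

```powershell
# Added example, not from the original notes. Helper names are hypothetical.
# Get-RightsGuidMap needs the ActiveDirectory module and a domain connection.
function Get-RightsGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    # Extended rights (rightsGuid), fetched in one query instead of one per GUID.
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.Name }
    # Classes and attributes (schemaIDGUID), which ACEs also reference by GUID.
    Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    $map
}

# Annotate ACEs (as returned in the Access property of Get-Acl on an AD: path).
function Resolve-AceRight {
    param([Parameter(ValueFromPipeline)]$Ace, [hashtable]$GuidMap)
    process {
        $g = ([guid]$Ace.ObjectType).ToString()
        # An all-zero ObjectType means the ACE is not limited to one right or attribute.
        if ($g -eq [guid]::Empty.ToString()) { $name = 'All' }
        elseif ($GuidMap.ContainsKey($g))    { $name = $GuidMap[$g] }
        else                                 { $name = "unresolved ($g)" }
        [pscustomobject]@{
            Trustee   = $Ace.IdentityReference
            Rights    = $Ace.ActiveDirectoryRights
            AppliesTo = $name
            Type      = $Ace.AccessControlType
            Inherited = $Ace.IsInherited
        }
    }
}

# Constructed sample data so this part runs without a domain.
$demoMap  = @{ '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password' }
$demoAces = @(
    [pscustomobject]@{ IdentityReference = 'MILITECH\sreed'; ActiveDirectoryRights = 'ExtendedRight'
        ObjectType = '00299570-246d-11d0-a768-00aa006e0529'; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'MILITECH\sreed'; ActiveDirectoryRights = 'ReadProperty'
        ObjectType = '00000000-0000-0000-0000-000000000000'; AccessControlType = 'Allow'; IsInherited = $true }
)
$demoAces | Resolve-AceRight -GuidMap $demoMap | Format-Table -AutoSize

# Live use (the DN is a placeholder):
#   $map = Get-RightsGuidMap
#   (Get-Acl 'AD:\<distinguished name>').Access | Resolve-AceRight -GuidMap $map
```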