Foreign ACL Principals

Foreign ACL Pricipals are users or groups in the child domain that have rights over ACLs (GenericAll, WriteDacl and so on) in the parent domain.

To enumerate these users we can use PowerView, BloodHound or any other ACL visualization tool.

Import-Module .\PowerView.ps1
$sid = Convert-NameToSid otter
Get-DomainObjectAcl -ResolveGUIDs -Identity * -domain domain.com | ? {$_.SecurityIdentifier -eq $sid}

AceType               : AccessAllowed
ObjectDN              : CN=SomeGroup,CN=Users,DC=DOMAIN,DC=COM
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-2879935145-656083549-3766571964-2110
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-2901893446-2198612369-2488268719-2103
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed  

This dummy output shows how the otter user has GenericAll over the SomeGroup group in the parent domain. From this position we could, for example, add otter to SomeGroup and abuse the permissions of that group to move further in the domain.

The following is a snipped of PowerShell code that can enumerate all foreign ACL rights from a child domain to a parent one.

$Domain = "domain.com"
$DomainSid = Get-DomainSid $Domain

Get-DomainObjectAcl -Domain $Domain -ResolveGUIDs -Identity * | Where-Object { 
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') -and `
    ($_.AceType -match 'AccessAllowed') -and `
    ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and `
    ($_.SecurityIdentifier -notmatch $DomainSid)
} | ForEach-Object {
    $convertedSid = ConvertFrom-Sid $_.SecurityIdentifier
    Write-Host "User: $convertedSid"
    $_
}

Now we can run it with

Import-Module .\PowerView.ps1
.\getAllForeignAcls.ps1

and look for interesting permissions to abuse.