
Is there an extract of permissions & rights captured by ADACLScan.ps1 (with their criticality levels)? #43

Open
jamesplucas opened this issue Aug 26, 2021 · 2 comments

@jamesplucas

I am running ADACLScan.ps1 version 6.8 to uncover AD groups with Critical, Warning and Medium permissions and rights that are not already being reviewed as built-in groups.
The auditors are asking me to justify the use of ADACLScan.ps1. They want to know which permissions are identified and why the criticality level rates them as Critical, Warning or Medium. Why am I excluding Low-criticality permissions?
Is there an extract of the permissions and rights captured by ADACLScan.ps1 (with their criticality levels)?
If so, I could then refer the auditors to the Microsoft descriptions, such as
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=net-5.0
Examples of what I am looking for are:
"Create Object"="Warning";
"Read permissions, Modify permissions" {$intCriticalityLevel = 4 }

Reload SSL/TLS Certificate = "1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8" {$intCriticalityLevel = 4}

Web-Information = 2 "E45795B3-9455-11d1-AEBD-0000F80367C1" { # If it is SELF then = 1

if($objIdentity -eq "NT AUTHORITY\SELF"){$intCriticalityLevel = 1} else {$intCriticalityLevel = 2}}

@canix1
Owner

canix1 commented Aug 27, 2021

There is no written rationale behind the severity levels, even though I have one. That's something I maybe should publish. What I have is a listing of what is categorized for each level. The criticality is not absolute, since it always depends on what object/attribute is affected by an ACE. In the UI Assessment tab/View Color Legend I have listed the severity with the different rights.
ADACLScan lists all ACEs that the .NET GetAccessRules can understand. Fact: there are broken/invalid ACEs that GetAccessRule can't read, not even Windows. See the severity as a helper function to determine the level of access, because there is not a direct relation with the risk for a certain organization. That is for you as a security reviewer/researcher to understand.

@canix1
Owner

canix1 commented Aug 27, 2021

This one:
if($objIdentity -eq "NT AUTHORITY\SELF"){$intCriticalityLevel = 1} else {$intCriticalityLevel = 2}
If you have write "Web-Information" on your own object (your security principal) it is marked as "Low"; if it's write on another object it's marked as "Medium".
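As an added illustration of the rules quoted in this thread (example code, not ADACLScan.ps1's own), the following PowerShell function rates constructed ACE-like objects, including the SELF-versus-other-object distinction for Web-Information. The label mapping (1=Low, 2=Medium, 3=Warning, 4=Critical) and the translation of "Create Object" to CreateChild and "Modify permissions" to WriteDacl are assumptions; the GUIDs are the ones quoted above.

```powershell
# Added example, not code from ADACLScan.ps1: rate an ACE with the rules quoted in this thread.
# Assumption: numeric levels map to labels as 1=Low, 2=Medium, 3=Warning, 4=Critical.
$LevelLabel = @{ 0 = 'Unrated'; 1 = 'Low'; 2 = 'Medium'; 3 = 'Warning'; 4 = 'Critical' }

# Object-type GUIDs quoted in the issue (lower-cased for comparison).
$GuidReloadSslTlsCert = '1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8'
$GuidWebInformation   = 'e45795b3-9455-11d1-aebd-0000f80367c1'

function Get-AceCriticality {
    # $Ace needs the same three members an ActiveDirectoryAccessRule exposes:
    # ActiveDirectoryRights, ObjectType and IdentityReference.
    param([Parameter(Mandatory)]$Ace)
    $rights = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
    $guid   = "$($Ace.ObjectType)".ToLower()
    $level  = 0

    # "Create Object" = Warning (assumed to be CreateChild in System.DirectoryServices terms).
    if ($rights -contains 'CreateChild') { $level = [Math]::Max($level, 3) }
    # "Read permissions, Modify permissions" = 4 (assumed to be ReadControl + WriteDacl).
    if ($rights -contains 'WriteDacl') { $level = [Math]::Max($level, 4) }
    # Reload SSL/TLS Certificate control access right = 4.
    if ($rights -contains 'ExtendedRight' -and $guid -eq $GuidReloadSslTlsCert) { $level = [Math]::Max($level, 4) }
    # Write Web-Information: Low on the principal's own object (SELF), Medium on any other object.
    if ($rights -contains 'WriteProperty' -and $guid -eq $GuidWebInformation) {
        $own = if ("$($Ace.IdentityReference)" -eq 'NT AUTHORITY\SELF') { 1 } else { 2 }
        $level = [Math]::Max($level, $own)
    }
    [pscustomobject]@{
        Identity = "$($Ace.IdentityReference)"
        Rights   = "$($Ace.ActiveDirectoryRights)"
        Level    = $level
        Label    = $LevelLabel[$level]
    }
}

# Constructed sample ACEs (not taken from a real directory); a live run would feed
# (Get-Acl "AD:\<distinguishedName>").Access from the ActiveDirectory module instead.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF';  ActiveDirectoryRights = 'WriteProperty'; ObjectType = $GuidWebInformation }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\HelpDesk';   ActiveDirectoryRights = 'WriteProperty'; ObjectType = $GuidWebInformation }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\PKI-Admins'; ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $GuidReloadSslTlsCert }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\OU-Admins';  ActiveDirectoryRights = 'CreateChild, ReadControl, WriteDacl'; ObjectType = '00000000-0000-0000-0000-000000000000' }
)
$sample | ForEach-Object { Get-AceCriticality $_ } | Format-Table -AutoSize
```

The first two rows show the same right on the same attribute rated Low for SELF and Medium for any other principal, which is the point canix1 makes above.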
