SD Resolving feature
Using --resolve-sd, you can resolve the security descriptor to obtain a humanly understandable permission set.
Structure
Below is a permission displayed using bloodyAD:
```text
Type: == ALLOWED_OBJECT == # Describes whether it is an allow, deny or audit permission
Trustee: jane.doe # Subject able to use the permission
Right: WRITE_DACL # Type of right the trustee can use
ObjectType: Self # Type of object it applies to (Self is a bloodyAD notation referring to the SD's own object)
InheritedObjectType: account # Which type of child object inherits this permission
Flags: INHERIT_ONLY|CONTAINER_INHERIT # Special behaviour flags
```
Merging
A security descriptor contains an Access Control List (ACL) made up of Access Control Entries (ACEs), each describing one permission. Where ACEs can be merged, they are merged in the output to make it easier to read.
Resolving
Trustee SIDs and object/right GUIDs are resolved using a dictionary of constants and by querying Active Directory. Resolving SIDs from other forests or trusted domains is not supported yet. If a user, computer or group had direct (not inherited) permissions on an object and has since been deleted, its SID will not resolve (seeing deleted objects requires administrative rights).
Constant Names
Constant names in the output stay as close as possible to the original names while being more concise and less confusing. When a set of constants is equivalent to another single constant, only that constant is output (e.g. GENERIC_ALL = all permissions except SYNCHRONIZE and ACCESS_SYSTEM_SECURITY). Below is a list of the constant names used, with their official Microsoft names and meanings.
Rights
| bloodyAD names | Official AD names | Description |
|---|---|---|
| CREATE_CHILD | RIGHT_DS_CREATE_CHILD | Create child objects of the object |
| DELETE_CHILD | RIGHT_DS_DELETE_CHILD | Delete child objects of the object |
| DELETE_TREE | RIGHT_DS_DELETE_TREE | Delete object and its subtree using Delete-Tree operation (LDAP_SERVER_TREE_DELETE_OID) |
| LIST_CHILD | RIGHT_DS_LIST_CONTENT | If not set, the user can't see child objects, but can still see grandchild objects if it is set on a child object |
| LIST_OBJECT | RIGHT_DS_LIST_OBJECT | If set on both the parent and the object, makes the object visible even if LIST_CHILD is not set. Works only if the third character of dSHeuristics is set to 1 |
| READ_PROP | RIGHT_DS_READ_PROPERTY | Read object properties (SD not included) |
| READ_SD | RIGHT_READ_CONTROL | Read Security Descriptor (SACL not included) |
| WRITE_VALIDATED | RIGHT_DS_WRITE_PROPERTY_EXTENDED | Write only validated attributes (see Validated Writes) |
| WRITE_PROP | RIGHT_DS_WRITE_PROPERTY | Write properties (SD not included) |
| WRITE_DACL | RIGHT_WRITE_DAC | Modify SD DACL a.k.a object permissions |
| WRITE_OWNER | RIGHT_WRITE_OWNER | Set self as owner (can't set others as owners) |
| DELETE | RIGHT_DELETE | Delete object |
| CONTROL_ACCESS | RIGHT_DS_CONTROL_ACCESS | Perform the extended right identified by the ACE's object type |
| GENERIC_EXECUTE | RIGHT_GENERIC_EXECUTE | READ_SD and LIST_CHILD |
| GENERIC_READ | RIGHT_GENERIC_READ | READ_SD and READ_PROP and LIST_OBJECT and LIST_CHILD |
| GENERIC_WRITE | RIGHT_GENERIC_WRITE | READ_SD and WRITE_PROP and WRITE_VALIDATED |
| GENERIC_ALL | RIGHT_GENERIC_ALL | All permissions except ACCESS_SYSTEM_SECURITY and SYNCHRONIZE |
| ACCESS_SYSTEM_SECURITY | ACCESS_SYSTEM_SECURITY | Controls the ability to get or set the SACL |
| SYNCHRONIZE | SYNCHRONIZE | Used for concurrent file access |
More info: [MS-ADTS] - 5.1.3.2
Property Sets
A property set consists of a set of related attributes. An attribute whose attributeSchema object has a value for the attributeSecurityGUID attribute belongs to that property set; the property set is identified by the property set GUID, which is the attributeSecurityGUID value. A property set GUID can be used instead of the schemaIDGUID of an attribute when defining a security descriptor to grant or deny access to all attributes in one access control entry (ACE).
| Property Set | Attributes |
|---|---|
| Domain-Password | lockOutObservationWindow, lockoutDuration, lockoutThreshold, maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties |
| General-Information | comment, uid, sIDHistory, showInAdvancedViewOnly, sDRightsEffective, sAMAccountType, sAMAccountName, primaryGroupID, objectSid, displayName, countryCode, codePage, adminDescription |
| Account-Restrictions | msDS-AllowedToActOnBehalfOfOtherIdentity, userParameters, userAccountControl, pwdLastSet, msDS-UserPasswordExpiryTimeComputed, msDS-User-Account-Control-Computed, accountExpires |
| Logon-Information | userWorkstations, scriptPath, profilePath, logonWorkstation, logonHours, logonCount, lastLogonTimestamp, lastLogon, lastLogoff, homeDrive, homeDirectory, badPwdCount |
| Group-Membership | member, memberOf |
| Phone-and-Mail-Options | |
| Personal-Information | msDS-ExternalDirectoryObjectId, msDS-cloudExtensionAttribute20, msDS-cloudExtensionAttribute19, msDS-cloudExtensionAttribute18, msDS-cloudExtensionAttribute17, msDS-cloudExtensionAttribute16, msDS-cloudExtensionAttribute15, msDS-cloudExtensionAttribute14, msDS-cloudExtensionAttribute13, msDS-cloudExtensionAttribute12, msDS-cloudExtensionAttribute11, msDS-cloudExtensionAttribute10, msDS-cloudExtensionAttribute9, msDS-cloudExtensionAttribute8, msDS-cloudExtensionAttribute7, msDS-cloudExtensionAttribute6, msDS-cloudExtensionAttribute5, msDS-cloudExtensionAttribute4, msDS-cloudExtensionAttribute3, msDS-cloudExtensionAttribute2, msDS-cloudExtensionAttribute1, msDS-GeoCoordinatesLongitude, msDS-GeoCoordinatesLatitude, msDS-GeoCoordinatesAltitude, userCertificate, x121Address, userSMIMECertificate, userSharedFolderOther, userSharedFolder, userCert, primaryTelexNumber, telexNumber, teletexTerminalIdentifier, telephoneNumber, street, st, registeredAddress, preferredDeliveryMethod, postalCode, postalAddress, postOfficeBox, thumbnailPhoto, physicalDeliveryOfficeName, pager, otherPager, otherTelephone, mobile, otherMobile, primaryInternationalISDNNumber, ipPhone, otherIpPhone, homePhone, otherHomePhone, otherFacsimileTelephoneNumber, personalTitle, mSMQSignCertificates, mSMQDigests, msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon, msDS-FailedInteractiveLogonCount, msDS-LastFailedInteractiveLogonTime, msDS-LastSuccessfulInteractiveLogonTime, msDS-SupportedEncryptionTypes, msDS-HostServiceAccount, l, internationalISDNNumber, facsimileTelephoneNumber, c, info, assistant, homePostalAddress, streetAddress |
| Web-Information | url, wWWHomePage |
| Public-Information | userPrincipalName, title, co, systemFlags, sn, showInAddressBook, servicePrincipalName, directReports, name, proxyAddresses, otherMailbox, ou, o, objectGUID, objectClass, objectCategory, distinguishedName, msDS-SourceObjectDN, msDS-HABSeniorityIndex, msDS-PhoneticDisplayName, msDS-PhoneticCompanyName, msDS-PhoneticDepartment, msDS-PhoneticLastName, msDS-PhoneticFirstName, msDS-Approx-Immed-Subordinates, msDS-Auxiliary-Classes, msDS-AllowedToDelegateTo, manager, legacyExchangeDN, initials, givenName, mail, division, displayNamePrintable, description, department, company, cn, altSecurityIdentities, allowedChildClassesEffective, allowedChildClasses, allowedAttributesEffective, allowedAttributes, notes |
| Remote-Access-Information | tokenGroupsNoGCAcceptable, tokenGroupsGlobalAndUniversal, tokenGroups, msRADIUSServiceType, msRADIUSFramedRoute, msRADIUSFramedIPAddress, msRADIUSCallbackNumber, msNPCallingStationID, msNPAllowDialin, msds-tokenGroupNamesNoGCAcceptable, msds-tokenGroupNamesGlobalAndUniversal, msds-tokenGroupNames |
| Other-Domain-Parameters | uASCompat, serverState, serverRole, oEMInformation, modifiedCount, forceLogoff, domainReplica |
| DNS-Host-Name-Attributes | msDS-AdditionalDnsHostName, dNSHostName |
| MS-TS-GatewayAccess | |
| Private-Information | msPKIAccountCredentials, msPKIDPAPIMasterKeys, msPKIRoamingTimeStamp, msPKI-CredentialRoamingTokens |
| Terminal-Server-License-Server | msTSManagingLS4, msTSManagingLS3, msTSManagingLS2, msTSManagingLS, msTSLicenseVersion4, msTSLicenseVersion3, msTSLicenseVersion2, msTSLicenseVersion, msTSExpireDate4, msTSExpireDate3, msTSExpireDate2, msTSExpireDate, terminalServer |
More info: [MS-ADTS] - 3.1.1.2.3.3
Validated Writes
Having a validated write right on an object's attribute means the value you can write to it is subject to additional constraints. Below is the list of validated writes:
| Validated write | Description |
| --------------- | ------------ |
| Self-Membership | Add/Remove oneself from group (member attribute) |
| Validated-DNS-Host-Name | The value of the dNSHostName attribute being written is in the format computerName.fullDomainDnsName, where computerName is the current sAMAccountName of the object (without the final "$" character), and the fullDomainDnsName is the DNS name of the domain NC or one of the values of msDS-AllowedDNSSuffixes on the domain NC (if any) where the object that is being modified is located |
| Validated-MS-DS-Additional-DNS-Host-Name | The value of the msDS-AdditionalDnsHostName attribute being written is in the format anyDnsLabel.suffix, where anyDnsLabel is a valid DNS name label, and suffix matches one of the values of msDS-AllowedDNSSuffixes on the domain NC root (if any) |
| Validated-MS-DS-Behavior-Version | An RODC is allowed to update the msDS-Behavior-Version attribute of its own nTDSDSA object on a writable DC |
| Validated-SPN | see [MS-ADTS] - 3.1.1.5.3.1.1.4 |
More info: [MS-ADTS] - 5.1.3.2.2
Controls
bloodyAD names are official names with ADS_SD_CONTROL_SE_ prefix removed for clarity.
| bloodyAD names | Description |
|---|---|
| DACL_PRESENT | SD contains DACL (ACL containing permissions) |
| SACL_PRESENT | SD contains SACL (ACL containing audit rules) |
| DACL_AUTO_INHERITED | DACL supports automatic propagation of inheritable ACEs to child objects |
| SACL_AUTO_INHERITED | SACL supports automatic propagation of inheritable ACEs to child objects |
| SE_DACL_PROTECTED | Protects the DACL of the security descriptor from being modified by inheritable ACEs |
| SE_SACL_PROTECTED | Protects the SACL of the security descriptor from being modified by inheritable ACEs |
-- Not important flags --
| bloodyAD names | Description |
|---|---|
| GROUP_DEFAULTED | Group SID was generated by a default mechanism |
| OWNER_DEFAULTED | Owner SID was generated by a default mechanism |
| DACL_DEFAULTED | SD uses a default DACL built from creator's access token |
| SACL_DEFAULTED | SD uses a default SACL built from creator's access token |
| DACL_AUTO_INHERIT_REQ | Tells the permission provider to propagate the DACL to child objects if the inheritance requirements are fulfilled |
| SACL_AUTO_INHERIT_REQ | Tells the permission provider to propagate the SACL to child objects if the inheritance requirements are fulfilled |
| SELF_RELATIVE | SD is in a self-relative format |
More info: https://learn.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_sd_control_enum
ACE Flags
bloodyAD names are official names with _ACE and _ACE_FLAG suffix removed for clarity.
| bloodyAD names | Description |
|---|---|
| CONTAINER_INHERIT | Child objects which are containers (e.g. Organizational Unit) will inherit this ACE |
| OBJECT_INHERIT | Child objects which are not containers (e.g. computers) will inherit this ACE |
| NO_PROPAGATE_INHERIT | Disables the effect of the INHERIT_ flags on the next generation of child objects |
| INHERIT_ONLY | Apply the ACE only to child objects, not to the current object |
| INHERITED_ACE | ACE inherited from parent |
| SUCCESSFUL_ACCESS | Generate audit messages for successful access attempts (for audit ACEs only) |
| FAILED_ACCESS | Generate audit messages for failed access attempts (for audit ACEs only) |
More info: [MS-DTYP] - 2.4.4.1
ACE Types
bloodyAD names are official names with ACCESS_ prefix and _ACE_TYPE suffix removed for clarity.
Constant names are self-explanatory.
More info: [MS-DTYP] - 2.4.4.1
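The following is an added example, not bloodyAD's own code, showing how the Structure, Merging, Rights and ACE Flags sections above fit together: it parses one binary `*_OBJECT_ACE`, expands and re-collapses the access mask into the page's right names (so a mask equal to GENERIC_READ plus GENERIC_WRITE prints as those two constants, and a full mask prints as GENERIC_ALL), and prints the same fields as the Structure block. The bit values are the MS-DTYP 2.4.4 and MS-ADTS 5.1.3.2 ones; `KNOWN_GUIDS` holds two well-known schema GUIDs used as an assumed stand-in for a schema query; the SID-to-name map, the "Any" label for a missing inherited object type, and the sample ACE are all constructed here.

```python
"""Parse one binary *_OBJECT_ACE and print it like the Structure section.
Added example, not bloodyAD's code: bit values from MS-DTYP 2.4.4 and
MS-ADTS 5.1.3.2; KNOWN_GUIDS are assumed well-known schema GUIDs; the SID
map and the sample ACE are constructed."""
import struct
import uuid

# Specific rights (MS-ADTS 5.1.3.2 access-mask bits), keyed by the page's names
RIGHTS = {
    "CREATE_CHILD": 0x1, "DELETE_CHILD": 0x2, "LIST_CHILD": 0x4,
    "WRITE_VALIDATED": 0x8, "READ_PROP": 0x10, "WRITE_PROP": 0x20,
    "DELETE_TREE": 0x40, "LIST_OBJECT": 0x80, "CONTROL_ACCESS": 0x100,
    "DELETE": 0x10000, "READ_SD": 0x20000, "WRITE_DACL": 0x40000,
    "WRITE_OWNER": 0x80000, "SYNCHRONIZE": 0x100000,
    "ACCESS_SYSTEM_SECURITY": 0x1000000,
}
GENERIC = {"GENERIC_ALL": 0x10000000, "GENERIC_EXECUTE": 0x20000000,
           "GENERIC_WRITE": 0x40000000, "GENERIC_READ": 0x80000000}
# What each generic right stands for, per the Rights table on this page
GENERIC_MEMBERS = {
    "GENERIC_ALL": {n for n in RIGHTS if n not in ("SYNCHRONIZE", "ACCESS_SYSTEM_SECURITY")},
    "GENERIC_READ": {"READ_SD", "READ_PROP", "LIST_OBJECT", "LIST_CHILD"},
    "GENERIC_WRITE": {"READ_SD", "WRITE_PROP", "WRITE_VALIDATED"},
    "GENERIC_EXECUTE": {"READ_SD", "LIST_CHILD"},
}
ACE_TYPES = {0x00: "ALLOWED", 0x01: "DENIED", 0x02: "AUDIT", 0x05: "ALLOWED_OBJECT",
             0x06: "DENIED_OBJECT", 0x07: "AUDIT_OBJECT"}
ACE_FLAGS = {0x01: "OBJECT_INHERIT", 0x02: "CONTAINER_INHERIT", 0x04: "NO_PROPAGATE_INHERIT",
             0x08: "INHERIT_ONLY", 0x10: "INHERITED_ACE", 0x40: "SUCCESSFUL_ACCESS",
             0x80: "FAILED_ACCESS"}
KNOWN_GUIDS = {  # assumed well-known schema GUIDs; a real resolver queries the schema
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "Self-Membership",  # member attribute
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",             # user object class
}


def resolve_mask(mask):
    """Expand generic bits to their members, then collapse any member set that
    equals a generic right back to that single constant (GENERIC_ALL first)."""
    names = {n for n, bit in RIGHTS.items() if mask & bit}
    for gname, bit in GENERIC.items():
        if mask & bit:
            names |= GENERIC_MEMBERS[gname]
    result, covered = set(), set()
    for gname in ("GENERIC_ALL", "GENERIC_READ", "GENERIC_WRITE", "GENERIC_EXECUTE"):
        members = GENERIC_MEMBERS[gname]
        if members <= names and not members <= covered:
            result.add(gname)
            covered |= members
    return result | (names - covered)


def lookup_guid(raw16):
    guid = str(uuid.UUID(bytes_le=raw16))
    return KNOWN_GUIDS.get(guid, guid)   # unresolved GUIDs are shown raw


def parse_sid(data):
    """Binary SID (MS-DTYP 2.4.2.2) -> 'S-1-5-21-...' string."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_ace(data, sid_names):
    """Decode one ACE (MS-DTYP 2.4.4) into the fields shown on this page."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", data, 0)
    mask, = struct.unpack_from("<I", data, 4)
    offset, obj_type, inh_type = 8, "Self", "Any"  # "Self" is the page's notation, "Any" ours
    if ace_type in (0x05, 0x06, 0x07):             # *_OBJECT_ACE: Flags dword then optional GUIDs
        present, = struct.unpack_from("<I", data, 8)
        offset = 12
        if present & 0x1:                           # ACE_OBJECT_TYPE_PRESENT
            obj_type, offset = lookup_guid(data[offset:offset + 16]), offset + 16
        if present & 0x2:                           # ACE_INHERITED_OBJECT_TYPE_PRESENT
            inh_type, offset = lookup_guid(data[offset:offset + 16]), offset + 16
    sid = parse_sid(data[offset:size])
    return {
        "Type": ACE_TYPES.get(ace_type, "UNKNOWN_%d" % ace_type),
        "Trustee": sid_names.get(sid, sid),
        "Right": "|".join(sorted(resolve_mask(mask))),
        "ObjectType": obj_type,
        "InheritedObjectType": inh_type,
        "Flags": "|".join(n for b, n in ACE_FLAGS.items() if ace_flags & b) or "None",
    }


def sid_to_bytes(sid):
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_object_ace(ace_type, ace_flags, mask, sid, obj_guid=None, inh_guid=None):
    """Serialize an *_OBJECT_ACE; used only to construct the sample below."""
    present = (0x1 if obj_guid else 0) | (0x2 if inh_guid else 0)
    body = struct.pack("<I", present)
    body += b"".join(uuid.UUID(g).bytes_le for g in (obj_guid, inh_guid) if g)
    body += sid_to_bytes(sid)
    return struct.pack("<BBHI", ace_type, ace_flags, 8 + len(body), mask) + body


# Constructed sample: jane.doe gets WRITE_DACL on user objects below this one
SAMPLE_SIDS = {"S-1-5-21-1111-2222-3333-1105": "jane.doe"}
SAMPLE_ACE = build_object_ace(0x05, 0x02 | 0x08, RIGHTS["WRITE_DACL"],
                              "S-1-5-21-1111-2222-3333-1105",
                              inh_guid="bf967aba-0de6-11d0-a285-00aa003049e2")

if __name__ == "__main__":
    for key, value in parse_ace(SAMPLE_ACE, SAMPLE_SIDS).items():
        print("%s: %s" % (key, value))
```

`resolve_mask` first expands generic bits into the specific rights they stand for and only then collapses, so a mask written either as the GENERIC_* bit or as the equivalent specific bits prints the same way; this is also why a stray SYNCHRONIZE or ACCESS_SYSTEM_SECURITY bit stays visible beside GENERIC_ALL instead of being swallowed.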
Note
Null DACL in SD means everyone has all permissions. Empty DACL means no one has permissions.
More info: [MS-ADTS] - 5.1.3.3.1
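As an added example for the Controls section and the note above (not bloodyAD's own code), the block below decodes the Control word of a self-relative security descriptor under the names used on this page and distinguishes the two cases the note describes: a null DACL (DACL_PRESENT clear, or set with a zero DACL offset) from an empty DACL (an ACL header present with zero ACEs). The bit values are the MS-DTYP SE_* control flags; the three sample descriptors are constructed inline.

```python
"""Decode a security descriptor's Control field and tell a null DACL from an
empty one. Added example, not bloodyAD's code: control bits are the MS-DTYP
SE_* flags under this page's names; the sample descriptors are constructed."""
import struct

CONTROL_FLAGS = {
    0x0001: "OWNER_DEFAULTED", 0x0002: "GROUP_DEFAULTED", 0x0004: "DACL_PRESENT",
    0x0008: "DACL_DEFAULTED", 0x0010: "SACL_PRESENT", 0x0020: "SACL_DEFAULTED",
    0x0100: "DACL_AUTO_INHERIT_REQ", 0x0200: "SACL_AUTO_INHERIT_REQ",
    0x0400: "DACL_AUTO_INHERITED", 0x0800: "SACL_AUTO_INHERITED",
    0x1000: "DACL_PROTECTED", 0x2000: "SACL_PROTECTED", 0x8000: "SELF_RELATIVE",
}
SD_HEADER = "<BBHIIII"  # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"   # AclRevision, Sbz1, AclSize, AceCount, Sbz2


def decode_control(control):
    """Control word -> list of flag names, in bit order."""
    return [name for bit, name in CONTROL_FLAGS.items() if control & bit]


def classify_dacl(sd):
    """'null' when DACL_PRESENT is clear or OffsetDacl is 0 (everyone gets all
    permissions), 'empty' when the ACL header counts zero ACEs (nobody gets
    permissions), otherwise the number of ACEs."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, sd, 0)
    if not control & 0x0004 or off_dacl == 0:
        return "null"
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, sd, off_dacl)
    return "empty" if ace_count == 0 else "%d ACE(s)" % ace_count


def build_sd(control, dacl=None):
    """Constructed self-relative SD carrying only a DACL (other offsets 0)."""
    off_dacl = struct.calcsize(SD_HEADER) if dacl is not None else 0
    return struct.pack(SD_HEADER, 1, 0, control | 0x8000, 0, 0, 0, off_dacl) + (dacl or b"")


# One plain ACCESS_ALLOWED_ACE granting GENERIC_ALL to Everyone (S-1-1-0), 20 bytes
EVERYONE_ACE = (struct.pack("<BBHI", 0x00, 0x00, 20, 0x10000000)
                + bytes([1, 1]) + (1).to_bytes(6, "big") + struct.pack("<I", 0))
EMPTY_ACL = struct.pack(ACL_HEADER, 4, 0, 8, 0, 0)
ONE_ACE_ACL = struct.pack(ACL_HEADER, 4, 0, 8 + len(EVERYONE_ACE), 1, 0) + EVERYONE_ACE

NULL_DACL_SD = build_sd(0x0004)                        # DACL_PRESENT set, OffsetDacl 0
EMPTY_DACL_SD = build_sd(0x0004 | 0x1000, EMPTY_ACL)   # protected DACL with no ACEs
OPEN_DACL_SD = build_sd(0x0004, ONE_ACE_ACL)           # one ACE: Everyone, GENERIC_ALL

if __name__ == "__main__":
    for label, sd in (("null", NULL_DACL_SD), ("empty", EMPTY_DACL_SD), ("one ACE", OPEN_DACL_SD)):
        control = struct.unpack_from("<H", sd, 2)[0]
        print(label, "->", classify_dacl(sd), "|".join(decode_control(control)))
```

The null and empty cases look alike in a quick dump (both lack any ACE lines) but mean the opposite thing, which is why a reviewer of resolved output should check the control flags and the DACL offset rather than only counting ACEs.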