Invoke-ACLPwn
Automates the discovery and pwnage of ACLs in Active Directory that are unsafe configure.
Invoke-ACLpwn is designed to run with integrated credentials as well as with specified network credentials. The script works by creating an export of all ACLs in the domain with SharpHound as well as the group membership of the user account that the tool is running under. If the user does not already have writeDACL permissions on the domain object, the tool will enumerate all ACEs of the ACL of the domain. Every identity in an ACE has an ACL of its own, which is added to the enumeration queue. If the identity is a group and the group has members, every group member is added to the enumeration queue as well.
It may take some time to calculate and parse every ACL, but could end up with a "chain" that leads to domain administrative privilges in the target domain.