Two types of ACLs:

• DACL (Discretionary Access Control List) defined which security principals are granted or denied access to an object.
• SACL (System Access Control Lists) allow admins to log acccess attemps made to secured objects

Three main types of ACEs:

• Access denied ACE: Explicitly denied
• Access allowed ACE: Expliciltly granted
• System audit ACE: Generate logs when a user attempts access to an object.

Dangerous AD ACEs:

• ForceChangePassword abused with Set-DomainUserPassword
• Add Members abused with Add-DomainGroupMember
• GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember
• GenericWrite abused with Set-DomainObject
• WriteOwner abused with Set-DomainObjectOwner
• WriteDACL abused with Add-DomainObjectACL
• AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember
• AddSelf abused with Add-DomainGroupMember