Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / GenericAll

Response

GenericAll cleanup depends on the target type and the abuse path used. GenericAll is not one action, so response cannot be one action either. We identify what was changed, restore that object, and then remove the unnecessary Full Control delegation that made the abuse possible.

User Target

If the user password was reset during the lab, restore the lab password or force a new controlled reset.

$Password = ConvertTo-SecureString 'WebService2026!' -AsPlainText -Force
Set-ADAccountPassword -Identity 'svc_web' -Reset -NewPassword $Password

If Shadow Credentials were used, clear the rogue key credential material.

certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account svc_web -dc-ip 10.10.10.200

Review the user object:

Get-ADUser svc_web -Properties servicePrincipalName,msDS-KeyCredentialLink,scriptPath,adminCount,memberOf

Group Target

If a controlled account was added to a group, remove it.

Remove-ADGroupMember -Identity 'TARGET GROUP' -Members 'alice.wright' -Confirm:$false
Get-ADGroupMember -Identity 'TARGET GROUP'

Computer Target

If Shadow Credentials were used against a computer account, clear the rogue key credential material.

certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account 'TARGETCOMPUTER$' -dc-ip 10.10.10.200

If RBCD was written, clear the delegation attribute.

Set-ADComputer -Identity 'TARGETCOMPUTER' -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
Get-ADComputer -Identity 'TARGETCOMPUTER' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,msDS-KeyCredentialLink

OU or GPO Target

If GenericAll was used against an OU or GPO, inspect both the AD object and the downstream effect. The dangerous change may be inherited ACEs, a linked GPO, or modified policy content in SYSVOL.

Get-ADOrganizationalUnit -Identity 'OU=Servers,OU=OOTW Lab,DC=ootw,DC=local' -Properties nTSecurityDescriptor
Get-GPO -All | Where-Object DisplayName -like '*OOTW*'

Review SYSVOL changes from the DC:

Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 FullName,LastWriteTime

Remove Excessive Delegation

If GenericAll was intentionally assigned for the lab, remove it after the exercise. If it was discovered in an environment, treat it as a privilege escalation path and remove the delegation through change control.

dsacls "CN=Web Service,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
dsacls "CN=ACL Operators,OU=Groups,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"

Events:

4670 - Permissions on an object were changed
4662 - Operation performed on object
4738 - User account changed
4742 - Computer account changed
4724 - Password reset
4728 / 4732 / 4756 - Group membership change
5136 - Directory object modified
4768 - PKINIT TGT after Shadow Credentials

High-fidelity indicators:

GenericAll granted to a non-admin principal
password reset shortly after a GenericAll edge becomes usable
group membership change performed by a delegated non-owner account
msDS-KeyCredentialLink written to a user or computer
msDS-AllowedToActOnBehalfOfOtherIdentity written to a workstation or server
GPO or SYSVOL content modified after an ACL change

Remediation:

  • remove unnecessary GenericAll rights
  • avoid broad Full Control delegation to operational groups
  • prefer task-specific rights over GenericAll
  • monitor sensitive users, groups, computers, OUs, and GPOs for DACL changes
  • protect privileged objects from inherited ACL mistakes
  • review BloodHound GenericAll edges regularly