Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / GenericWrite

Matrix

GenericWrite does not always mean direct takeover. It means we can write attributes, and the useful attack depends on which attributes the object accepts and how the environment uses them.

TargetRequired rightAbuse pathLinux toolingWindows toolingResponse focus
UserGenericWriteModify writable attributes such as SPN, logon script, or Shadow Credentials when allowedbloodyAD, GetUserSPNs.py, certipy shadowPowerView Set-DomainObject, AD moduleClear modified attributes and review Kerberos/service activity
Service accountGenericWriteAdd controlled SPN and Kerberoast, or modify abuse-relevant attributesbloodyAD set object, GetUserSPNs.pyPowerView Set-DomainObjectRemove SPN changes and rotate service credentials if cracked or exposed
ComputerGenericWriteAdd Shadow Credentials or modify delegation-related attributes when writablecertipy shadow, bloodyADPowerView Set-DomainObject, AD moduleClear malicious attributes and review computer TGT activity
GroupGenericWriteModify group attributes; direct member addition depends on WriteMembers or equivalent rightsbloodyAD, LDAP toolingPowerView Set-DomainObjectReview changed attributes and confirm membership was not separately modified
OU/GPO-linked objectGenericWriteModify writable control-plane attributes if delegatedbloodyAD, Impacket LDAP toolingPowerView, AD moduleReview attribute changes and inherited effects