GenericWrite does not always mean direct takeover. It means we can write attributes, and the useful attack depends on which attributes the object accepts and how the environment uses them.
| Target | Required right | Abuse path | Linux tooling | Windows tooling | Response focus |
|---|---|---|---|---|---|
| User | GenericWrite | Modify writable attributes such as SPN, logon script, or Shadow Credentials when allowed | bloodyAD, GetUserSPNs.py, certipy shadow | PowerView Set-DomainObject, AD module | Clear modified attributes and review Kerberos/service activity |
| Service account | GenericWrite | Add controlled SPN and Kerberoast, or modify abuse-relevant attributes | bloodyAD set object, GetUserSPNs.py | PowerView Set-DomainObject | Remove SPN changes and rotate service credentials if cracked or exposed |
| Computer | GenericWrite | Add Shadow Credentials or modify delegation-related attributes when writable | certipy shadow, bloodyAD | PowerView Set-DomainObject, AD module | Clear malicious attributes and review computer TGT activity |
| Group | GenericWrite | Modify group attributes; direct member addition depends on WriteMembers or equivalent rights | bloodyAD, LDAP tooling | PowerView Set-DomainObject | Review changed attributes and confirm membership was not separately modified |
| OU/GPO-linked object | GenericWrite | Modify writable control-plane attributes if delegated | bloodyAD, Impacket LDAP tooling | PowerView, AD module | Review attribute changes and inherited effects |