Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / GenericWrite

Response

GenericWrite cleanup depends on which attribute was modified. Do not blindly clear attributes on real accounts. Capture the current value, compare it with known-good state, and remove only the malicious value.

Remove a fake SPN with the AD module:

Set-ADUser -Identity 'svc_web' -ServicePrincipalNames @{Remove='ootw/fake'}

If PowerView was used and the account originally had no SPNs:

Set-DomainObject -Identity 'svc_web' -Clear servicePrincipalName

Clear a malicious logon script:

Set-DomainObject -Identity 'svc_web' -Clear scriptPath

Clear Shadow Credentials with the same tooling used to add them:

certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account svc_web -dc-ip 10.10.10.200

Clear RBCD from a computer object:

Set-DomainObject -Identity 'TARGETCOMPUTER$' -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'

Review:

Get-ADUser svc_web -Properties servicePrincipalName,msDS-KeyCredentialLink,scriptPath
Get-ADComputer TARGETCOMPUTER -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

Events:

5136 - servicePrincipalName changed
5136 - msDS-KeyCredentialLink changed
5136 - msDS-AllowedToActOnBehalfOfOtherIdentity changed
4738 - User account changed
4742 - Computer account changed
4769 - Service ticket requested after fake SPN
4768 - PKINIT TGT after Shadow Credentials

High-fidelity indicators:

temporary SPN added then removed
SPN that does not match real service naming
msDS-KeyCredentialLink write on a user or computer
msDS-AllowedToActOnBehalfOfOtherIdentity write on a workstation or server
scriptPath set on an account that did not previously use logon scripts

Remediation:

  • remove unnecessary GenericWrite rights
  • alert on SPN changes
  • alert on msDS-KeyCredentialLink changes
  • alert on RBCD attribute changes
  • use gMSA/MSA instead of weak human-managed service accounts
  • review delegated write permissions regularly