Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / WriteDACL

Information

WriteDACL allows us to modify the target object's discretionary access control list. In practical terms, this means we can change who has permissions over the object.

This is one of the most important Active Directory ACL abuses because it does not need to grant immediate control by itself. Instead, it lets us grant ourselves the right we actually want, then perform the follow-on abuse.

The normal chain is:

WriteDACL -> add attacker-controlled ACE -> gain useful right -> abuse target

In BloodHound this appears as:

ATTACKER --WriteDACL--> TARGET

An ACE is an access control entry. It is one rule inside an object's ACL. With WriteDACL, we add or modify an ACE so that our user, group, or computer account receives a useful permission over the target.

The right we grant depends on the target:

user object    -> grant ResetPassword, GenericAll, or WriteProperty
group object   -> grant WriteMembers or GenericAll
computer       -> grant GenericAll or WriteProperty for Shadow Credentials / delegation paths
OU             -> grant inheritable control over child objects
domain object  -> grant replication rights for DCSync

This is why WriteDACL is more dangerous than it first looks. The original permission is "only" permission editing, but permission editing lets us manufacture the next permission. A low-noise attacker usually grants the smallest right needed for the objective. A fast attacker may grant GenericAll and move immediately.

Inheritance matters. If WriteDACL applies to an OU, an attacker may add inheritable ACEs that flow down to users, groups, or computers inside that OU. In that case, the dangerous change may not be visible by inspecting only one child object. We inspect both the parent OU and the affected child objects.

WriteDACL also has a domain-level version. If the target is the domain object itself, an attacker can grant replication rights and perform DCSync. That is a full domain compromise path because DCSync can retrieve password material for privileged accounts, including krbtgt.

The operational flow is consistent: read the current ACL, add the precise ACE, abuse the new right, then remove the ACE and undo the follow-on change.