Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / WriteDACL

Matrix

WriteDACL changes the rules before the actual abuse happens. The dangerous event is often the ACE write, followed by a second operation that uses the new permission.

TargetRequired rightAbuse pathLinux toolingWindows toolingResponse focus
UserWriteDACLGrant self GenericAll, reset password, or add Shadow Credentialsdacledit.py, bloodyAD, certipy shadowPowerView Add-DomainObjectAcl, then PowerView/AD module abuseRemove added ACEs and undo follow-on changes
GroupWriteDACLGrant self WriteMembers or GenericAll, then add controlled memberdacledit.py, bloodyADPowerView Add-DomainObjectAcl, Add-DomainGroupMemberRemove ACE and added group membership
ComputerWriteDACLGrant write over attributes needed for Shadow Credentials or delegation abusedacledit.py, certipy shadowPowerView Add-DomainObjectAcl, Set-DomainObjectRemove ACEs and clear malicious computer attributes
OUWriteDACLAdd inheritable ACEs to control child objectsdacledit.py, LDAP toolingPowerView Add-DomainObjectAcl with inheritance flagsRemove inherited ACEs and inspect affected child objects
Domain objectWriteDACLGrant replication rights for DCSync when the path is in scopedacledit.py, secretsdump.pyPowerView Add-DomainObjectAclRemove replication ACEs and treat as domain credential exposure