WriteDACL changes the rules before the actual abuse happens. The dangerous event is often the ACE write, followed by a second operation that uses the new permission.
| Target | Required right | Abuse path | Linux tooling | Windows tooling | Response focus |
|---|---|---|---|---|---|
| User | WriteDACL | Grant self GenericAll, reset password, or add Shadow Credentials | dacledit.py, bloodyAD, certipy shadow | PowerView Add-DomainObjectAcl, then PowerView/AD module abuse | Remove added ACEs and undo follow-on changes |
| Group | WriteDACL | Grant self WriteMembers or GenericAll, then add controlled member | dacledit.py, bloodyAD | PowerView Add-DomainObjectAcl, Add-DomainGroupMember | Remove ACE and added group membership |
| Computer | WriteDACL | Grant write over attributes needed for Shadow Credentials or delegation abuse | dacledit.py, certipy shadow | PowerView Add-DomainObjectAcl, Set-DomainObject | Remove ACEs and clear malicious computer attributes |
| OU | WriteDACL | Add inheritable ACEs to control child objects | dacledit.py, LDAP tooling | PowerView Add-DomainObjectAcl with inheritance flags | Remove inherited ACEs and inspect affected child objects |
| Domain object | WriteDACL | Grant replication rights for DCSync when the path is in scope | dacledit.py, secretsdump.py | PowerView Add-DomainObjectAcl | Remove replication ACEs and treat as domain credential exposure |