Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / WriteOwner

Information

WriteOwner allows changing the owner of the target AD object. Object ownership matters because the owner can normally modify the object's DACL, even if they do not already have the final abuse right.

The usual chain is:

WriteOwner -> set attacker as owner -> modify DACL -> grant useful right -> abuse target

In BloodHound this appears as:

ATTACKER --WriteOwner--> TARGET

The important detail is that ownership alone is not the final goal. Ownership lets us change permissions. After we change permissions, we perform the same abuse as GenericAll, WriteDACL, AddMember, or ForceChangePassword, depending on the target.

WriteOwner is therefore a chaining primitive. If the target is a user, we take ownership, grant ourselves control, and reset the password or add Shadow Credentials. If the target is a group, we take ownership, grant member-write rights, and add a controlled member. If the target is an OU or GPO, ownership can become a broader control-plane issue because the next DACL change may affect many systems.