WriteOwner is usually a two-step path. Ownership gives control over the object's DACL, then the DACL is modified to grant the permission needed for the real operation.
| Target | Required right | Abuse path | Linux tooling | Windows tooling | Response focus |
|---|---|---|---|---|---|
| User | WriteOwner | Take ownership, grant GenericAll, then reset password or add Shadow Credentials | owneredit.py, dacledit.py, bloodyAD, certipy shadow | PowerView Set-DomainObjectOwner, Add-DomainObjectAcl | Restore owner, remove ACEs, undo account changes |
| Group | WriteOwner | Take ownership, grant WriteMembers or GenericAll, add controlled member | owneredit.py, dacledit.py, bloodyAD | PowerView owner and ACL functions | Restore owner, remove ACEs, remove membership |
| Computer | WriteOwner | Take ownership, grant write rights, then abuse Shadow Credentials or delegation attributes | owneredit.py, dacledit.py, certipy shadow | PowerView Set-DomainObjectOwner, Add-DomainObjectAcl | Restore owner, remove ACEs, clear malicious attributes |
| OU | WriteOwner | Take ownership, grant control, then alter inherited permissions | owneredit.py, dacledit.py | PowerView owner and ACL functions | Restore owner and review inherited ACE impact |
| GPO | WriteOwner | Take ownership, grant edit rights, modify linked policy content | owneredit.py, dacledit.py, GPO tooling | PowerView/GPMC/native tooling | Restore owner, remove ACEs, restore GPO content |