Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / WriteOwner

Matrix

WriteOwner is usually a two-step path. Ownership gives control over the object's DACL, then the DACL is modified to grant the permission needed for the real operation.

TargetRequired rightAbuse pathLinux toolingWindows toolingResponse focus
UserWriteOwnerTake ownership, grant GenericAll, then reset password or add Shadow Credentialsowneredit.py, dacledit.py, bloodyAD, certipy shadowPowerView Set-DomainObjectOwner, Add-DomainObjectAclRestore owner, remove ACEs, undo account changes
GroupWriteOwnerTake ownership, grant WriteMembers or GenericAll, add controlled memberowneredit.py, dacledit.py, bloodyADPowerView owner and ACL functionsRestore owner, remove ACEs, remove membership
ComputerWriteOwnerTake ownership, grant write rights, then abuse Shadow Credentials or delegation attributesowneredit.py, dacledit.py, certipy shadowPowerView Set-DomainObjectOwner, Add-DomainObjectAclRestore owner, remove ACEs, clear malicious attributes
OUWriteOwnerTake ownership, grant control, then alter inherited permissionsowneredit.py, dacledit.pyPowerView owner and ACL functionsRestore owner and review inherited ACE impact
GPOWriteOwnerTake ownership, grant edit rights, modify linked policy contentowneredit.py, dacledit.py, GPO toolingPowerView/GPMC/native toolingRestore owner, remove ACEs, restore GPO content