Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / WriteOwner

Response

WriteOwner cleanup has three parts: restore the owner, remove the ACE added after ownership was taken, and undo the final abuse action.

Restore the owner:

Set-DomainObjectOwner -TargetIdentity 'svc_web' -OwnerIdentity 'Domain Admins'
Set-DomainObjectOwner -TargetIdentity 'ACL Operators' -OwnerIdentity 'Domain Admins'

Remove the added ACE:

dsacls "CN=Web Service,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
dsacls "CN=ACL Operators,OU=Groups,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"

Remove added membership:

Remove-ADGroupMember -Identity 'ACL Operators' -Members 'alice.wright' -Confirm:$false

Cleanup ownership is safest when the original owner was recorded before the abuse. If it was not recorded, roll back the lab snapshot.

Events:

4670 - Permissions on an object were changed
4662 - Operation performed on object
5136 - Directory object modified
4728 / 4732 - Group membership changes after ownership takeover
4724 - Password reset after ownership takeover

Hunt for:

owner changes on users, groups, computers, OUs, or GPOs
owner change followed by DACL change
DACL change followed by password reset or group modification

Remediation:

  • remove unnecessary WriteOwner rights
  • monitor ownership changes on sensitive objects
  • record and review privileged object owners
  • protect admin objects from inherited delegation mistakes
  • run regular BloodHound or ACL review for WriteOwner edges