Overview
AD objects have DACLs (Discretionary Access Control Lists) controlling access. Misconfigured ACLs grant powerful privileges to low-privilege users.Dangerous ACEs
| ACE | Allows |
|---|---|
| GenericAll | Full control over object |
| GenericWrite | Write any property |
| WriteDacl | Modify DACL (grant yourself permissions) |
| WriteOwner | Change object owner |
| ForceChangePassword | Reset user password |
| AddMember | Add member to group |
| AllExtendedRights | Change password, read LAPS, etc. |
Find Dangerous ACLs
PowerView
BloodHound
Edges: GenericAll, WriteDacl, WriteOwner, ForceChangePassword, AddMember.Exploit — GenericAll on User
Reset Password
Set SPN (Targeted Kerberoasting)
Exploit — GenericAll on Group
Exploit — GenericAll on Computer
Exploit — WriteDacl
Grant yourself DCSync rights:Exploit — WriteOwner
Exploit — ForceChangePassword
ACL Persistence
Add Hidden DCSync Rights
Add GenericAll on Domain Admins
Quick Reference
| ACE | Exploit |
|---|---|
| GenericAll (user) | Reset password or targeted kerberoast |
| GenericAll (group) | Add yourself to group |
| WriteDacl | Grant DCSync rights |
| WriteOwner | Take ownership → full control |
| ForceChangePassword | Reset target password |