Pwning the Domain: DACL Abuse

Pwning the Domain: DACL Abuse

Read In This Article

DACL abuse is about taking advantage of the DACL that is assigned to us on any object that we can abuse. Some mischief that can be done may be changing a user’s password, adding yourself to a group like Domain Admins, granting yourself full control over an object and many more. DACL abuse can be used to escalate our privileges or maintain persistence in the Domain realm.


You get WriteDACL permission when you have ‘Read Permission’ and ‘Write Permission’ over an object:

For example in this scenario we have these permissions set on object ‘trinity’. To verify that we indeed have the WriteDACL permission, we can use powershell:

Indeed we have WriteDACL permission over object ‘trinity’. Next thing we can do is to grant ourselves full control over this object because we still don’t have that permission, we only have permission to modify the object’s DACL. And modifying the object’s DACL is what we are going to do:

With this we granted ourselves full control over ‘trinity’. Now to verify it:

GenericAll on Group

We can have GenericAll permission on an object when we have full control over it:

For example in this scenario we have full control over the ‘Domain Admins’ group hence the name ‘GenericAll on Group’.

To verify it:

Next thing we can do is to add ourselves or others to ‘Domain Admins’ group:

We added ‘trinity’ to the ‘Domain Admins’ group so as to apologize for having full control over it.

And indeed ‘trinity’ is added to the ‘Domain Admins’ group.

GenericAll on User

Next is having full control over a user object instead of group and in this scenario we have full control over trinity:

There are many things we can do in this scenario: make the user vulnerable to Kerberoasting, ASREPRoasting and ..

But for the sake of simplicity we are just going to change its password:

And then running a command as the user with the new password:

It has worked perfectly!

WriteProperty on Group

We have WriteProperty permission on a group when we have ‘Read all properties’ and ‘Write all properties’ permissions set over it:

To check:

We have ‘WriteProperty’ permission over the ‘Test Group’ object. In this case we can add ourselves to this lonely group which has no members:

To do so:

And checking the group again:

We are now a member of the ‘Test Group’ group.

ForceChangePassword on User

It Is a permission that allows you to change user’s password. If you have Force-
Change-Password on user object, you can reset user’s password without knowing

the current password of the user, thereby escalating your privileges.
Enumeration of ForceChangePassword

get-objectacl -resolveguids | ? {($_.securityidentifier -eq "

[your_current_user_sid]") -and ($_.objectacetype -eq "User-Force-Change-

we can see the user USMAN@CYBER.LOCAL has ForceChangePassword on
ALI@CYBER.LOCAL who is member of Domain Admin groups.

Exploitation of ForceChangePassword misconfiguration

since it allows us to change the password, without knowing the old password , we
can you this command :

$pass = ConvertTo-SecureString '[Your New Password Here]' -AsPlainText -
set-domainuserpassword -identity -accountpassword $pass
runas /user: cmd.exe



These are Rights to perform operations controlled by an extended access right.
If ObjectType does not contain a GUID, the ACE controls the right to perform all
extended rights operations. This permission allows for resetting passwords on User
objects and for crafting a Resource-Based Constrained Delegation (RBCD) attack for
Computer objects.

For this example, our lares user has AllExtendedRights over EvilCorp.local. We
can use secretsdump to perform DCSync:
Over Group: AddMember .
Over User: ForceChangePassword .
*Over Computers: ReadLAPSPassword .
If a domain object with AllExtendedRights permissions on the domain object

itself is compromised, that domain object will have both the DS-Replication-
Get-Changes and DS-Replication-Get-Changes-All privilege . Both rights

allow a principal to replicate objects from the Domain (DCSync).

GenericAll/GenericWrite on Computer

If we have GenericAll / GenericWrite ACL on Computer , we can exploit it by adding
a fake computer to the domain.

If enumerating and we see a user has GenericAll permission on a computer we know
we have full control.
We can perform a Kerberos Resourced Based Constrained Delegation attack:
computer takeover. This attack allows us to impersonate a specific user
since we can add a fake computer , we can perform RBCD attack.

Here are few of the command that can be use to abuse this DACL :
GenericAll on computer: Grants full control over the computer object. An
attacker with this permission can perform actions like adding users to groups,
resetting passwords, and potentially taking over the machine.
GenericWrite on Computer: Allows modifying specific attributes of the
computer object. This could include changing the logon script, which attackers
might use to deploy malicious code.

# Add a computer to the domain via domain credentials
impacket-addcomputer -dc-ip 192.168.x.x -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'

#Add a computer account via hashed credentials
impacket-addcomputer -dc-ip 192.168.x.x -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'

# Add a computer account via domain credentials
impacket-addcomputer -computer-name 'COMPUTER$' -computer-pass 'SomePassword' -dc-host $DomainController -domain-netbios $DOMAIN 'DOMAIN\user:password'

# Modify a computer account password
impacket-addcomputer -computer-name 'COMPUTER$' -computer-pass 'SomePassword' -dc-host $DomainController -no-add 'DOMAIN\user:password'

# Delete a computer account
impacket-addcomputer -computer-name 'COMPUTER$' -dc-host $DomainController -delete 'DOMAIN\user:password'

Security Researchers

Amirhossein Gholizadeh, Surya Dev Singh

Free Consultation

For a Free Consultation And Analysis Of Your Business, Please Fill Out The Opposite Form, Our Team Will Contact You As Soon As Possible.