If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone. Similarly, if a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies access to all trustees not included in the ACEs.
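The three DACL states described above (no DACL, empty DACL, DACL that allows a limited set of trustees) can be made concrete with .NET's SDDL parser. The following is an added example, not code from the original page: it uses `System.Security.AccessControl.RawSecurityDescriptor` to classify a security descriptor and then runs a simplified, in-order access check over its ACEs. The simplifications are assumptions of this example: generic rights (GA/GR/GW/GX) are not mapped to specific rights, object-specific ACEs are treated like plain ACEs, and requested rights use the same numeric bits as the ACE masks (here the AD `RP`/`WP` property rights, 0x10 and 0x20).

```powershell
# Added example (not from the original page): show how a null DACL, an empty
# DACL and a restrictive DACL are evaluated. Simplified access check, see lead-in.

function Get-DaclState {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if ($null -eq $sd.DiscretionaryAcl)   { return 'NULL DACL: everyone has full access' }
    if ($sd.DiscretionaryAcl.Count -eq 0) { return 'EMPTY DACL: no one has access' }
    return "DACL with $($sd.DiscretionaryAcl.Count) ACE(s): only explicitly allowed access is granted"
}

function Test-DaclAccess {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string[]]$TokenSids,   # SIDs of the caller and its groups
        [Parameter(Mandatory)][int]$RequestedMask
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if ($null -eq $sd.DiscretionaryAcl) { return $true }   # no DACL: full access to everyone
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {               # ACEs are evaluated in list order
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        $overlap = $ace.AccessMask -band $RequestedMask
        if ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessDenied -and $overlap -ne 0) {
            return $false                                  # a matching deny ACE wins immediately
        }
        if ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed) {
            $granted = $granted -bor $overlap
            if (($granted -band $RequestedMask) -eq $RequestedMask) { return $true }
        }
    }
    return $false   # some requested bit was never explicitly allowed: implicit deny
}

# Constructed sample descriptors (BA = Administrators, AU = Authenticated Users, WD = Everyone)
$noDacl    = 'O:BAG:BA'                                  # no D: component at all
$emptyDacl = 'O:BAG:BAD:'                                # DACL present but without ACEs
$adminOnly = 'O:BAG:BAD:(A;;RPWP;;;BA)'                  # read/write property for Administrators only
$withDeny  = 'O:BAG:BAD:(D;;WP;;;AU)(A;;RPWP;;;BA)'      # deny write-property to Authenticated Users first

$noDacl, $emptyDacl, $adminOnly | ForEach-Object { '{0,-45} {1}' -f $_, (Get-DaclState $_) }

$adminToken = 'S-1-5-32-544', 'S-1-5-11', 'S-1-1-0'     # an administrator: BA, AU, WD
$userToken  = 'S-1-5-11', 'S-1-1-0'                      # an ordinary authenticated user
$ReadProp   = 0x10                                       # ADS_RIGHT_DS_READ_PROP
$WriteProp  = 0x20                                       # ADS_RIGHT_DS_WRITE_PROP

Test-DaclAccess $noDacl    $userToken  $WriteProp   # null DACL: even an ordinary user may write
Test-DaclAccess $emptyDacl $adminToken $ReadProp    # empty DACL: even an administrator is refused
Test-DaclAccess $adminOnly $adminToken $WriteProp   # explicitly allowed
Test-DaclAccess $adminOnly $userToken  $ReadProp    # not listed in any ACE: implicit deny
Test-DaclAccess $withDeny  $adminToken $WriteProp   # the deny ACE for AU matches the admin's token first
```

The last call is the case that trips people up when reviewing AD ACLs: the administrator is a member of Authenticated Users, so the earlier deny ACE matches before the later allow ACE is reached. The real kernel check additionally maps generic rights, honours object-type GUIDs on object ACEs and treats owners and privileges such as SeTakeOwnership specially, so treat this as a reading aid for DACL semantics rather than a substitute for `Get-Acl`/effective-access tooling.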
- DACLs and ACEs (Microsoft)
- Abusing Active Directory ACLs/ACEs (HackTricks)
- DACL abuse (Hacker Recipes)
- Edges (BloodHound documentation)
- GenericWrite (BloodHound)
- BloodHound 1.3 – The ACL Attack Path Update (wald0)
- A Red Teamer’s Guide to GPOs and OUs (wald0)
For more details on AD enumeration, see Active Directory Enumeration.
Abusing Active Directory ACLs/ACEs
After running BloodHound, use this technique if you find privileges like “GenericAll”, “GenericWrite”, “Write”, “WriteProperty”, “Self”, “WriteOwner”, “ForceChangePassword”, “WriteDACL”.
Privileges on a target group
Use this technique if you have one of these privileges over the target group: GenericAll, GenericWrite, Self, AllExtendedRights or Self-Membership.
- AddMember (Hacker Recipes)
Privileges on a GPO
Enumeration
Documentation for Get-GPO, Get-GPPermission (Microsoft)
powershell -c "Get-GPO -Name \"REPLACEME\""
powershell -c "Get-GPPermission -Name \"REPLACEME\" -All"
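Running `Get-GPPermission -All` one GPO at a time does not scale to a domain with hundreds of GPOs. The following is an added example, not code from the original page or from Microsoft's documentation: it walks every GPO returned by `Get-GPO -All` and reports trustees holding a modify-class permission (`GpoEdit`, `GpoEditDeleteModifySecurity`, or the non-standard `GpoCustom`) that are not in an allowlist of expected editors. The allowlist, matched on the well-known RIDs for Domain Admins (512), Enterprise Admins (519) and Group Policy Creator Owners (520) plus the SYSTEM SID, is an assumption of this example and should be adjusted to the domain's own delegation model. It assumes the RSAT `GroupPolicy` module is installed and the caller can read GPO permissions.

```powershell
# Added example (not from the original page): audit all GPOs for unexpected
# trustees with modify rights. Allowlist and property names are explained in the lead-in.
Import-Module GroupPolicy

# Permissions that let a trustee change the GPO's settings or its own security.
$modifyRights = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

# Assumed allowlist: SYSTEM and the built-in domain admin groups, matched by SID/RID
# rather than display name so that renamed groups are still recognised.
$expectedRidPattern = '-(512|519|520)$'
$systemSid          = 'S-1-5-18'

function Find-UnexpectedGpoEditors {
    param(
        [string]$AllowedRidPattern = $expectedRidPattern,
        [string[]]$AllowedSids     = @($systemSid)
    )
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $sidValue = $_.Trustee.Sid.Value
                ($modifyRights -contains $_.Permission.ToString()) -and
                ($sidValue -notmatch $AllowedRidPattern) -and
                ($AllowedSids -notcontains $sidValue)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = $_.Trustee.Name
                    TrusteeSid = $_.Trustee.Sid.Value
                    Permission = $_.Permission
                    Inherited  = $_.Inherited
                }
            }
    }
}

Find-UnexpectedGpoEditors | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Every row in the output is a trustee that can rewrite a GPO without being one of the expected admin groups; each one is either an intentional delegation that should be documented or a finding to remediate. `GpoCustom` is worth including even when the trustee looks harmless, because it means the ACL no longer matches one of the standard permission templates and deserves a look with `Get-Acl` on the GPO's container.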