Explore how the WriteDacl permission in Active Directory can be exploited by attackers to gain unauthorized access or modify permissions. The post outlines lab setup for simulations, maps the methods to the MITRE ATT&CK framework, and covers detection and mitigation. It includes detailed steps for exploiting WriteDacl permissions on different user and group objects using tools such as BloodHound, Impacket, and PowerShell.

9m read time. From hackingarticles.in
Table of contents

- WriteDacl Permission
- Prerequisites
- Lab Setup – User Owns WriteDacl Permission on Another User
- Exploitation Phase I – User Owns WriteDacl Permission on Another User
- BloodHound – Hunting for Weak Permission
- Method for Exploitation – Granting Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1110.001)
- Windows PowerShell PowerView – Granting Full Control
- Lab Setup – User Owns WriteDacl Permission on the Domain Admin Group
- Exploitation Phase II – User Owns WriteDacl Permission on a Group
- BloodHound – Hunting for Weak Permission
- Method for Exploitation – Granting Full Control Followed by Account Manipulation (T1098)
- Detection & Mitigation
