The post explores the exploitation of Discretionary Access Control Lists (DACLs) in Active Directory environments through the WriteOwner permission. It provides a detailed lab setup and methods to simulate these attacks, maps them to the MITRE ATT&CK framework, and offers detection mechanisms and mitigation strategies to help security professionals defend against such threats. The post includes tools and techniques for identifying and abusing WriteOwner permissions across different objects, such as groups, users, and domains.

10 min read. From hackingarticles.in
Table of Contents

WriteOwner Permission
Prerequisites
Lab Setup – User Owns WriteOwner Permission on the Domain Admin Group
Exploitation Phase II – User Owns WriteOwner Permission on a Group
Method for Exploitation – Granting Ownership & Full Control Followed by Account Manipulation (T1098)
Linux – Adding Member to the Group
Lab Setup – User Owns WriteOwner Permission on Another User
Exploitation Phase I – User Owns WriteOwner Permission on Another User
Method for Exploitation – Granting Ownership & Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1110.001)
Linux – Change Password
Windows PowerShell PowerView – Granting Ownership & Full Control
