Active Directory · Intermediate

ACL Abuse with BloodHound: Finding the Shortest Path

Using BloodHound to discover and exploit ACL-based escalation paths through Active Directory.


Background

Active Directory is packed with Access Control Entries that grant object permissions most administrators never intended as attack surface. BloodHound graphs these relationships and finds chained paths to Domain Admin that no manual review would catch - a three-hop chain of GenericWrite → WriteDACL → DCSync rights is invisible in the UI but trivially visible as a graph edge.

This is a lab walkthrough of discovering and abusing an ACL chain.

Collecting the data

Run the SharpHound collector from an authenticated domain foothold:

powershell
# Collect all data types - takes a few minutes on a real estate
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp\bh

Import the resulting zip into BloodHound CE and let it process. The graph is queryable immediately.

! Note

On a real engagement, prefer -CollectionMethod DCOnly first - it queries only the domain controller over LDAP and generates no SMB traffic to workstations. Add -CollectionMethod LocalAdmin,Session in a second, more targeted pass.

Finding ACL paths

BloodHound's pre-built Cypher query "Shortest Paths to Domain Admins" surfaces the highest-value chains. For ACL-specific hunting:

cypher · bloodhound
MATCH p=shortestPath(
  (u:User {owned:true})-[r:GenericWrite|WriteDACL|WriteOwner|
   GenericAll|ForceChangePassword|Owns*1..]->(g:Group {name:"DOMAIN ADMINS@LAB.LOCAL"})
)
RETURN p

Mark your foothold account as owned, run the query, and BloodHound draws the chain.

Abusing GenericWrite on a user

GenericWrite on a user object lets you write arbitrary attributes. The classic abuse is targeted Kerberoasting: set a servicePrincipalName on the target, request the ticket, crack offline, then clear the SPN:

powershell · illustrative
# Set a fake SPN on the target user
Set-ADObject -Identity <target-user> `
  -Add @{servicePrincipalName="fake/fake"}

# Request and crack the ticket, then clean up by removing the SPN again.
# Set-ADObject -Remove strips the attribute value; Remove-ADObject would
# delete the user object itself, so it must not be used here.
Set-ADObject -Identity <target-user> `
  -Remove @{servicePrincipalName="fake/fake"}

⚠ OPSEC

SPN modification on a user object is logged as an attribute-change event (Event ID 5136). Kerberoasting the newly set SPN generates a TGS request visible in ticket-granting logs. Keep the window between set and unset as small as possible, and prefer this over password-reset attacks on accounts that might be monitored.

Abusing WriteDACL

WriteDACL on an object lets you grant yourself any permission on it. From here, grant yourself DCSync rights on the domain object:

powershell · illustrative
# Grant yourself DCSync (DS-Replication-Get-Changes-All) on the domain
Add-DomainObjectAcl -TargetIdentity "DC=lab,DC=local" `
  -PrincipalIdentity <your-user> `
  -Rights DCSync

Then use your preferred DCSync tool to pull NTLM hashes for privileged accounts.

⚠ Warning

DCSync generates replication traffic from a non-DC source - this is a well-known detection signature. The ACE grant itself (Event ID 5136 on the domain NC head) is even noisier. In a real engagement, validate the privilege in a controlled way and document the finding rather than exercising the full DCSync chain unnecessarily.
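The two signals called out in the OPSEC note (SPN changes on user objects, Event ID 5136) and in the warning above (replication rights exercised from a non-DC, Event ID 4662) can be checked with a few lines of PowerShell. The block below is an added example written for this walkthrough, not code from the original post or from BloodHound or PowerView. It runs over two constructed sample events embedded inline so it works without a domain controller; the event field names follow the standard Windows EventData layout, the replication-right GUIDs are the Active Directory schema values, and the DC name `DC01$`, the user `jdoe` and the object DNs are made-up lab values.

```powershell
# Added example (not from the original post). Detection logic for the two
# signals described above, exercised against constructed sample events.
# Assumptions: standard EventData XML shape; schema GUIDs for the replication
# extended rights; the Get-WinEvent wiring is left to the reader.

# Extended rights that a DCSync operation exercises against the domain NC head.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function ConvertFrom-EventDataXml {
    # Flattens <EventData><Data Name="x">value</Data>... into a hashtable.
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data['EventID'] = [int]$doc.Event.System.EventID
    return $data
}

function Test-SpnTampering {
    # Flags 5136 events that add or remove servicePrincipalName on a *user*
    # object - the set / request / unset pattern used for targeted Kerberoasting.
    param([Parameter(Mandatory)][hashtable]$Data)
    if ($Data.EventID -ne 5136) { return }
    if ($Data.AttributeLDAPDisplayName -ne 'servicePrincipalName') { return }
    if ($Data.ObjectClass -ne 'user') { return }
    $op = switch ($Data.OperationType) { '%%14674' { 'added' } '%%14675' { 'removed' } default { $Data.OperationType } }
    [pscustomobject]@{
        Signal = 'SPN-on-user'
        Actor  = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
        Target = $Data.ObjectDN
        Detail = "servicePrincipalName $op : $($Data.AttributeValue)"
    }
}

function Test-DcSync {
    # Flags 4662 events where a principal that is not a domain controller
    # exercised a replication extended right (the GUIDs above appear in Properties).
    param(
        [Parameter(Mandatory)][hashtable]$Data,
        [string[]]$DomainControllers   # sAMAccountNames of DCs, e.g. 'DC01$'
    )
    if ($Data.EventID -ne 4662) { return }
    $matched = $ReplicationRights.Keys | Where-Object { $Data.Properties -match $_ }
    if (-not $matched) { return }
    if ($DomainControllers -contains $Data.SubjectUserName) { return }
    [pscustomobject]@{
        Signal = 'DCSync'
        Actor  = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
        Target = $Data.ObjectName
        Detail = ($matched | ForEach-Object { $ReplicationRights[$_] }) -join ', '
    }
}

# Constructed sample events (not real log data): an SPN is added to a user,
# then a non-DC account pulls replication changes from the domain NC head.
$SpnEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="ObjectDN">CN=svc-backup,OU=Service,DC=lab,DC=local</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">servicePrincipalName</Data>
    <Data Name="AttributeValue">fake/fake</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
$SyncEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="ObjectName">%{a1b2c3d4-0000-0000-0000-000000000001}</Data>
    <Data Name="Properties">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@

$Findings = foreach ($xml in @($SpnEvent, $SyncEvent)) {
    $e = ConvertFrom-EventDataXml -Xml $xml
    Test-SpnTampering -Data $e
    Test-DcSync -Data $e -DomainControllers 'DC01$'
}
$Findings | Format-Table -AutoSize
```

Against live logs, feed the same functions with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136,4662}` and each record's `.ToXml()`. Both event IDs only exist if auditing is configured: 5136 needs the "Directory Service Changes" subcategory plus a SACL on the objects of interest, and 4662 needs "Directory Service Access", so an empty result from a DC is a configuration gap, not an all-clear.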

Persisting the finding

After demonstrating impact, clean up your added ACEs:

powershell · cleanup
Remove-DomainObjectAcl -TargetIdentity "DC=lab,DC=local" `
  -PrincipalIdentity <your-user> `
  -Rights DCSync

Document the original misconfigured ACEs - the ones that were already present before you touched anything - so the client can remediate them.

Takeaway

ACL abuse is powerful precisely because the misconfigurations are invisible to most monitoring tools. The permissions were granted intentionally (or accidentally) and look legitimate until you graph them. Regular BloodHound runs, automated ACL auditing, and treating WriteDACL / GenericAll on high-value objects as Tier-0 misconfigurations dramatically reduces the attack surface.
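The "automated ACL auditing" the takeaway recommends, and the hunting the Cypher query in "Finding ACL paths" does from the graph side, can also be done directly against the directory: pull the DACL of each Tier-0 object and flag ACEs that give a principal outside a trusted set one of the rights BloodHound draws as an edge. The block below is an added example for this walkthrough, not code from the original post, BloodHound or PowerView. It assumes the ActiveDirectory module's AD: drive for the live query; the trusted-principal list, the Tier-0 DNs and the sample ACEs (`LAB\helpdesk`, `LAB\svc-backup`) are illustrative lab values.

```powershell
# Added example (not from the original post). Flags edge-equivalent rights held
# on Tier-0 objects by principals outside an allowlist. Assumptions: AD: drive
# available for Invoke-Tier0AclAudit; allowlist and DNs are lab placeholders.

$TrustedPrincipals = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
    'LAB\Domain Admins', 'LAB\Enterprise Admins',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)

# Rights that correspond to BloodHound ACL edges, plus the extended rights
# behind DCSync (matched by ObjectType GUID when the right is ExtendedRight).
$EdgeRights  = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty'
$DcSyncGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # DS-Replication-Get-Changes-All
)

function Find-RiskyAce {
    # Returns the Allow ACEs on $ObjectDN that give a non-trusted principal an
    # edge-equivalent right. $Aces are shaped like ActiveDirectoryAccessRule.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][object[]]$Aces
    )
    foreach ($ace in $Aces) {
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains [string]$ace.IdentityReference) { continue }
        $rights = [string]$ace.ActiveDirectoryRights
        $hit = $EdgeRights | Where-Object { $rights -match "\b$_\b" }
        if (-not $hit -and $rights -match 'ExtendedRight' -and
            $DcSyncGuids -contains [string]$ace.ObjectType) {
            $hit = 'DCSync'
        }
        if ($hit) {
            [pscustomobject]@{
                Object    = $ObjectDN
                Principal = [string]$ace.IdentityReference
                Rights    = ($hit -join ', ')
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Invoke-Tier0AclAudit {
    # Live query: read the DACL of each Tier-0 object through the AD: drive.
    param([string[]]$ObjectDNs = @(
        'DC=lab,DC=local',
        'CN=Domain Admins,CN=Users,DC=lab,DC=local',
        'CN=AdminSDHolder,CN=System,DC=lab,DC=local'))
    Import-Module ActiveDirectory
    foreach ($dn in $ObjectDNs) {
        $acl = Get-Acl -Path "AD:\$dn"
        Find-RiskyAce -ObjectDN $dn -Aces $acl.Access
    }
}

# Constructed sample ACEs (not from a real domain) so the filter can run
# without a domain controller: one expected, two that BloodHound would draw
# as WriteDacl and DCSync edges against the domain object.
$NullGuid  = '00000000-0000-0000-0000-000000000000'
$SampleAces = @(
    [pscustomobject]@{ IdentityReference='LAB\Domain Admins'; ActiveDirectoryRights='GenericAll';
                       AccessControlType='Allow'; ObjectType=$NullGuid; IsInherited=$false },
    [pscustomobject]@{ IdentityReference='LAB\helpdesk'; ActiveDirectoryRights='WriteDacl, ReadProperty';
                       AccessControlType='Allow'; ObjectType=$NullGuid; IsInherited=$false },
    [pscustomobject]@{ IdentityReference='LAB\svc-backup'; ActiveDirectoryRights='ExtendedRight';
                       AccessControlType='Allow'; ObjectType='1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'; IsInherited=$false }
)
Find-RiskyAce -ObjectDN 'DC=lab,DC=local' -Aces $SampleAces | Format-Table -AutoSize
```

Run `Invoke-Tier0AclAudit` on a schedule and diff the output between runs: a new row is either a documented change or exactly the kind of ACE the walkthrough adds with Add-DomainObjectAcl. Inherited ACEs are reported too, since an inherited WriteDacl on the domain head is no less usable than an explicit one.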

Tested on: Windows Server 2022 · functional level 2016 (lab)
Tools: BloodHound · PowerView (pseudo)
Status: by-design · documented
