This chapter covers Active Directory ACL abuse, a critical privilege escalation technique used by penetration testers to move from a low-privileged domain user to domain administrator. For the PT0-002 exam, this topic falls under Objective 3.4 (Attacks and Exploits) and appears in approximately 5-8% of questions, often in scenario-based multiple-choice or performance-based simulations. Mastering AD ACL abuse is essential because it exploits the trust relationships inherent in delegated administration, a common misconfiguration in enterprise environments.
Imagine a large office building with hundreds of rooms, each with a specific access control list (ACL) on the door. The building's security system uses a central database (Active Directory) that maps each employee's badge to the rooms they can enter. Normally, the janitor (a low-privileged user) has a badge that only opens the supply closet and break room. However, the security system has a flaw: the janitor can modify the ACL on the supply closet door to grant himself access to the CEO's office (a high-value target). Worse, because the security system trusts that anyone who can modify an ACL must be authorized, the janitor can also grant himself the ability to modify other doors' ACLs (like escalating to Domain Admin). In AD terms, the janitor has 'GenericWrite' on a group that has 'WriteDacl' on the domain object. By adding himself to that group, he gains full control. The key is that AD doesn't verify if the user should be allowed to modify ACLs—it only checks if they have the permission to do so, creating a privilege escalation path.
What is Active Directory ACL Abuse?
Active Directory (AD) uses Access Control Lists (ACLs) to define permissions on objects such as users, groups, computers, and the domain itself. Each object has a security descriptor that contains a Discretionary Access Control List (DACL) and a System Access Control List (SACL). The DACL specifies which security principals (users, groups, computers) have what type of access (e.g., Read, Write, Full Control). ACL abuse occurs when an attacker leverages existing permissions on an object to gain additional privileges, often by modifying the ACL itself or by abusing a specific permission to perform an action that escalates privileges.
Why Does ACL Abuse Exist?
ACL abuse is possible because AD allows delegation of administration. For example, a helpdesk group might have permission to reset passwords for low-privileged users. However, if that group also has 'Write' permission on a high-value group like 'Domain Admins', a member of the helpdesk can add themselves to 'Domain Admins'. The problem is not the delegation itself, but overly permissive ACLs that grant more rights than intended. Attackers enumerate ACLs using tools like PowerView, BloodHound, or ADExplorer to find exploitable paths.
Key Permissions for ACL Abuse
The following permissions are commonly abused for privilege escalation:
GenericAll / Full Control: Grants complete control over the object, including the ability to modify the ACL, change attributes, or delete the object. If a user has GenericAll on a group, they can add members to that group. If on a user, they can reset the password or modify group membership.
GenericWrite: Grants write access to all attributes of the object. This includes the ability to write to the 'member' attribute of a group, effectively adding users to that group. It also allows writing to 'servicePrincipalName' for Kerberoasting or targeting.
WriteDacl: Allows the principal to modify the DACL of the object. This is extremely powerful because the principal can grant themselves Full Control or other permissions. For example, a user with WriteDacl on the domain object can grant themselves 'Replicate Directory Changes' (DCSync) rights.
WriteOwner: Allows the principal to change the owner of the object. The owner of an object always has the right to modify the DACL (even if denied by the ACL), so taking ownership effectively grants Full Control.
WriteProperty: Grants write access to specific attributes of an object. For example, 'WriteProperty' on the 'member' attribute of a group allows adding members. The 'All Extended Rights' permission grants every control-access right on the object, such as password reset or directory replication.
Self-Membership: A special permission that allows a user to add themselves to a group. This is often granted to allow users to join a 'VPN Users' group, but if granted on a privileged group, it's an instant escalation.
ForceChangePassword: The 'Reset Password' extended right (GUID: 00299570-246d-11d0-a768-00aa006e0529) allows a principal to change a user's password without knowing the current one. If a low-privileged user has this right on a domain admin, they can change the admin's password and log in.
Reanimate: Allows restoring deleted objects. If an attacker can restore a deleted privileged user or group, they may gain access.
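To make the permission list concrete from an auditor's side, here is an added example (not from the chapter) that classifies ACEs into the abusable rights described above. The access-mask values are the .NET System.DirectoryServices.ActiveDirectoryRights flags that PowerView reports, the control-access GUIDs are the ones quoted in this chapter, and the 'member' attribute GUID is taken from the AD schema (an assumption, since the chapter does not list it); the ACEs themselves are constructed sample data.

```python
# Added example: classify ACEs into the rights the chapter describes.
# Masks are .NET ActiveDirectoryRights flag values (as shown by PowerView).
from dataclasses import dataclass
from typing import Optional

WRITE_PROPERTY = 0x20       # ActiveDirectoryRights.WriteProperty
SELF           = 0x8        # ActiveDirectoryRights.Self (Self-Membership)
EXTENDED_RIGHT = 0x100      # ActiveDirectoryRights.ExtendedRight (control access)
WRITE_DACL     = 0x40000
WRITE_OWNER    = 0x80000
GENERIC_WRITE  = 0x20028    # ReadControl | WriteProperty | Self
GENERIC_ALL    = 0xF01FF    # every bit, i.e. Full Control

# Control-access right GUIDs quoted in the chapter
RESET_PASSWORD  = "00299570-246d-11d0-a768-00aa006e0529"
GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# schemaIDGUID of the 'member' attribute (AD schema; assumed, not in the chapter)
MEMBER_ATTR     = "bf9679c0-0de6-11d0-a285-00aa003049e2"

@dataclass(frozen=True)
class Ace:
    principal: str
    access_mask: int
    object_type: Optional[str] = None   # attribute/right GUID; None = all

def _has(mask: int, bits: int) -> bool:
    return mask & bits == bits

def ace_findings(ace: Ace, target_class: str) -> set:
    """Rights one ACE grants on a 'group', 'user' or 'domain' object."""
    m, t = ace.access_mask, ace.object_type
    def applies_to(guid: str) -> bool:
        return t is None or t.lower() == guid
    f = set()
    if _has(m, GENERIC_ALL):
        f.add("GenericAll")
    if _has(m, WRITE_DACL):
        f.add("WriteDacl")
    if _has(m, WRITE_OWNER):
        f.add("WriteOwner")
    if _has(m, GENERIC_WRITE) and t is None:
        f.add("GenericWrite")           # includes WriteProperty on all attributes
    if target_class == "group":
        if _has(m, WRITE_PROPERTY) and applies_to(MEMBER_ATTR):
            f.add("AddMember")          # write to 'member' is enough
        elif _has(m, SELF) and applies_to(MEMBER_ATTR):
            f.add("SelfMembership")
    if target_class == "user" and _has(m, EXTENDED_RIGHT) and applies_to(RESET_PASSWORD):
        f.add("ForceChangePassword")
    if target_class == "domain" and _has(m, EXTENDED_RIGHT):
        if applies_to(GET_CHANGES):
            f.add("GetChanges")
        if applies_to(GET_CHANGES_ALL):
            f.add("GetChangesAll")
    return f

def audit(target_class: str, aces) -> dict:
    """Aggregate per principal; DCSync needs BOTH replication rights."""
    out = {}
    for ace in aces:
        out.setdefault(ace.principal, set()).update(ace_findings(ace, target_class))
    for rights in out.values():
        if target_class == "domain" and {"GetChanges", "GetChangesAll"} <= rights:
            rights.add("DCSync")
    return {p: sorted(r) for p, r in out.items() if r}

SAMPLE_GROUP_ACES = [                         # constructed: helpdesk scenario
    Ace("HD_Operators", GENERIC_WRITE),       # the accidental grant on the group
    Ace("VPN_Users", SELF, MEMBER_ATTR),      # self-membership only
    Ace("Auditors", 0x20094),                 # GenericRead, harmless
]
SAMPLE_DOMAIN_ACES = [                        # constructed: domain object
    Ace("Dave", EXTENDED_RIGHT, GET_CHANGES), # one of two rights: no DCSync
    Ace("Eve", EXTENDED_RIGHT, GET_CHANGES),
    Ace("Eve", EXTENDED_RIGHT, GET_CHANGES_ALL),
]
```

Running `audit("group", SAMPLE_GROUP_ACES)` flags HD_Operators with AddMember and GenericWrite while Auditors disappears, and `audit("domain", SAMPLE_DOMAIN_ACES)` reports DCSync for Eve but not for Dave.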
Common Attack Paths
1. Group Membership Modification via GenericWrite
If user 'Bob' has GenericWrite on group 'Domain Admins', Bob can add himself to that group. Using PowerView:
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'Bob'
This works because GenericWrite allows writing to the 'member' attribute. The change takes effect immediately (no replication delay for group membership changes).
2. Password Reset via ForceChangePassword
If user 'Bob' has 'Reset Password' permission on user 'Admin', Bob can change Admin's password:
net user Admin NewPassword123! /domain
Or using PowerView:
Set-DomainUserPassword -Identity 'Admin' -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force)
3. DCSync via WriteDacl on Domain Object
If a user has WriteDacl on the domain object (e.g., via delegation), they can grant themselves 'Replicate Directory Changes All' and 'Replicate Directory Changes' rights. Then they can perform DCSync to dump all password hashes:
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity 'Bob' -Rights DCSync
Then using Mimikatz:
lsadump::dcsync /domain:domain.local /all
4. Taking Ownership via WriteOwner
If a user has WriteOwner on a privileged group, they can change the owner to themselves. As owner, they can modify the DACL to grant themselves Full Control:
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'Bob'
Add-DomainObjectAcl -TargetIdentity 'Domain Admins' -PrincipalIdentity 'Bob' -Rights FullControl
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'Bob'
5. Abusing AllowedToActOnBehalfOfOtherIdentity (Resource-Based Constrained Delegation)
If a user has GenericWrite on a computer object (e.g., a member server), they can modify the 'msDS-AllowedToActOnBehalfOfOtherIdentity' attribute to allow a controlled account to impersonate any user to that computer. This is a common attack for lateral movement.
Tools for Enumeration and Exploitation
BloodHound: Uses graph theory to find ACL-based attack paths. It collects ACL data via SharpHound and visualizes paths like 'User -> GenericWrite -> Group -> MemberOf -> Domain Admins'.
PowerView: Part of PowerSploit. Commands like Get-DomainObjectAcl, Find-InterestingDomainAcl, Add-DomainGroupMember.
ADExplorer: Sysinternals tool for manual ACL inspection.
DSACLs: Command-line tool to query or modify ACLs.
Active Directory Administrative Center: GUI for viewing advanced security settings.
Detection and Prevention
Audit ACL changes: Enable advanced audit policy for 'Directory Service Access' and 'Account Management' to log modifications to sensitive objects.
Principle of least privilege: Avoid granting GenericWrite or WriteDacl on sensitive objects. Use constrained delegation and fine-grained password policies.
Regular ACL reviews: Use tools like BloodHound to identify dangerous ACLs. For example, 'AdminSDHolder' protects privileged groups by resetting their ACLs every 60 minutes (default). Attackers must modify the AdminSDHolder object itself to persist.
Protected Users group: Members cannot be delegated with Kerberos unconstrained delegation or be targeted with some ACL attacks.
Interaction with Other Technologies
Group Policy: ACLs on Group Policy Objects (GPOs) can be abused to deploy malicious scripts or modify security settings. Write access to a GPO allows executing code on all affected computers.
LAPS: Local Administrator Password Solution (LAPS) stores local admin passwords in AD attributes. If a user has read access to the 'ms-Mcs-AdmPwd' attribute, they can read local admin passwords for domain-joined machines.
Kerberos Delegation: ACL abuse can be combined with Kerberos delegation attacks (e.g., RBCD, S4U2Self) to impersonate users.
Exam Tips
Remember that GenericWrite on a group allows adding members to that group. Many candidates mistakenly think it only allows changing description or other low-impact attributes.
WriteDacl is often confused with WriteOwner. WriteDacl allows modifying the ACL; WriteOwner allows changing the owner. Both lead to full control.
The AdminSDHolder object automatically resets ACLs on privileged groups every 60 minutes. If you change an ACL on 'Domain Admins' directly, it will be reverted. You must modify AdminSDHolder if you want persistence.
DCSync requires both 'Replicate Directory Changes' and 'Replicate Directory Changes All' rights. Granting only one is insufficient.
Enumerate ACLs with BloodHound
Run SharpHound.exe on a domain-joined machine with domain credentials. SharpHound collects all ACL information from the domain, including permissions on users, groups, computers, and the domain object. The data is output as JSON files. Import these into BloodHound GUI. Use the 'Find Shortest Paths to Domain Admins' query to identify ACL-based attack paths. For example, a path might show 'User1 -> GenericWrite -> Group1 -> MemberOf -> Domain Admins'. This step is crucial because ACL abuse requires knowing which permissions you have.
Identify exploitable permission
From the BloodHound path, note the specific permission (e.g., GenericWrite) and the target object (e.g., a group called 'HelpDeskAdmins'). Verify the permission using PowerView: `Get-DomainObjectAcl -Identity HelpDeskAdmins | ? {$_.SecurityIdentifier -eq $userSID}`. This command shows the ACL entries for the target object. Look for 'ActiveDirectoryRights' like 'GenericWrite' or 'WriteProperty'. If the permission is present, proceed to exploitation. If not, continue enumeration for other paths.
Exploit GenericWrite on group
Assuming you have GenericWrite on a group that is a member of Domain Admins (or can be escalated), use PowerView to add your user to that group: `Add-DomainGroupMember -Identity 'HelpDeskAdmins' -Members 'YourUser'`. This writes to the 'member' attribute of the group. The change is immediate and does not require replication. After execution, verify membership with `Get-DomainGroupMember -Identity 'HelpDeskAdmins'`. Your user now inherits all permissions of that group, including any nested group memberships that lead to Domain Admins.
Escalate to Domain Admin
If 'HelpDeskAdmins' is not directly a member of Domain Admins but has another permission (e.g., GenericAll on Domain Admins), use that to add yourself to Domain Admins. For example, if HelpDeskAdmins has GenericAll on Domain Admins, run: `Add-DomainGroupMember -Identity 'Domain Admins' -Members 'YourUser'`. Alternatively, if the path involves password reset or DCSync, execute those steps. The goal is to gain full control over the domain. Once a member of Domain Admins, you can use tools like Mimikatz to extract credentials or create persistence.
Clean up and maintain access
Optionally, remove your user from intermediate groups to avoid detection. However, note that group membership changes are logged. To maintain stealth, you may create a backdoor by modifying the AdminSDHolder object (if you have WriteDacl on it) to grant your user persistent rights to privileged groups. AdminSDHolder's ACL is applied every 60 minutes to protected groups like Domain Admins. If you add your user to the AdminSDHolder's ACL with 'WriteProperty' on member, you can add yourself to Domain Admins repeatedly even if removed.
Enterprise Scenario 1: Helpdesk Delegation Gone Wrong
A large enterprise with 10,000 users delegates password reset rights to the helpdesk group 'HD_Operators'. The helpdesk team needs to reset passwords for standard users. However, an administrator accidentally grants 'GenericWrite' on the 'Domain Admins' group to 'HD_Operators' while trying to grant read access. A penetration tester discovers this using BloodHound. They add their test user to 'HD_Operators' (if not already) and then add themselves to 'Domain Admins'. The impact is full domain compromise. To prevent this, the enterprise should have used 'Reset Password' extended right specifically on the user objects, not GenericWrite on the group. Regular ACL audits using tools like 'AD ACL Scanner' would catch this misconfiguration.
Scenario 2: LAPS Password Read via ACL
An organization uses Microsoft LAPS to manage local admin passwords on workstations. The 'LAPS_Readers' group is granted 'Read' access to the 'ms-Mcs-AdmPwd' attribute on computer objects. However, a junior admin accidentally makes the 'Domain Users' group a member of 'LAPS_Readers'. Now every domain user can read the local admin password for any computer. An attacker enumerates this via PowerView: `Get-DomainObjectAcl -SearchBase "DC=domain,DC=com" -ResolveGUIDs | ? {$_.ObjectAceType -eq "ms-Mcs-AdmPwd"}`. They then use `Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd` to dump passwords. This allows lateral movement to any workstation. Mitigation involves proper group membership and auditing of attribute-level ACLs.
Scenario 3: AdminSDHolder Persistence
A penetration tester gains WriteDacl on the domain object through a complex ACL path. They modify the AdminSDHolder object to grant their user 'WriteProperty' on the 'member' attribute of all protected groups. Even if the tester's user is removed from 'Domain Admins', the AdminSDHolder process (running every 60 minutes) will not revert the ACL change because it only resets ACLs on the protected groups themselves, not on AdminSDHolder. The tester can then re-add themselves at any time. This persistence technique is used in red team operations to maintain long-term access. Detection requires monitoring changes to AdminSDHolder's ACL, which is rarely modified legitimately.
PT0-002 Exam Focus on AD ACL Abuse
This topic falls under Objective 3.4: 'Given a scenario, perform post-exploitation techniques.' Specifically, the exam tests your ability to identify and exploit ACL misconfigurations for privilege escalation. Expect 1-2 multiple-choice questions and possibly a performance-based simulation where you must enumerate ACLs and escalate privileges.
Common Wrong Answers
'GenericWrite only allows writing to attributes like description, not group membership.' This is false. GenericWrite grants write access to all non-protected attributes, including 'member' for groups. The exam loves to test this distinction.
'You need Full Control to add a user to a group.' Actually, GenericWrite is sufficient because it includes WriteProperty on all attributes. Full Control is overkill.
'DCSync requires only Replicate Directory Changes.' Both 'Replicate Directory Changes' and 'Replicate Directory Changes All' are required. The exam may list only one as a distractor.
'Modifying the ACL on Domain Admins gives persistent access.' No, because AdminSDHolder resets the ACL every 60 minutes. You must modify AdminSDHolder or use a different persistence method.
Specific Numbers and Values
AdminSDHolder interval: 60 minutes (default).
Protected groups: Account Operators, Administrators, Backup Operators, Domain Admins, Enterprise Admins, Print Operators, Replicator, Server Operators, Schema Admins.
DCSync rights: 'Replicate Directory Changes' (GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and 'Replicate Directory Changes All' (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2).
Reset Password extended right GUID: 00299570-246d-11d0-a768-00aa006e0529.
PowerView command: Add-DomainGroupMember is the typical cmdlet for adding group members.
Edge Cases
Delegation over AdminSDHolder: Even with WriteDacl on AdminSDHolder, you cannot directly add yourself to Domain Admins; you must grant yourself WriteProperty on the 'member' attribute of the group object. The AdminSDHolder ACL controls who can modify protected groups.
Self-Membership permission: This allows a user to add themselves to a group. The exam may present a scenario where a user has 'Self-Membership' on a privileged group, which is an instant escalation.
Cross-domain trusts: ACLs can be abused across trusts when SID filtering on the trust does not block the attacker's SIDs, or when the attacker can otherwise leverage the trust to escalate.
How to Eliminate Wrong Answers
If the question mentions 'modifying the ACL on the domain object', the correct answer likely involves 'WriteDacl' or 'DCSync'.
If the question says 'add user to group', look for 'GenericWrite' or 'WriteProperty' on the group's member attribute.
If the question involves 'persistence', remember that AdminSDHolder is key.
Eliminate answers that mention 'Full Control' when 'GenericWrite' is sufficient — the exam often tests the minimum required permission.
GenericWrite on a group allows adding members to that group, enabling privilege escalation.
WriteDacl on an object allows modifying its ACL, which can lead to full control.
AdminSDHolder resets ACLs on protected groups every 60 minutes; modify AdminSDHolder for persistence.
DCSync requires both 'Replicate Directory Changes' and 'Replicate Directory Changes All' rights.
BloodHound is the primary tool for enumerating ACL-based attack paths.
ForceChangePassword (Reset Password) allows changing a user's password without knowing the current one.
Protected groups include Domain Admins, Enterprise Admins, Administrators, and others.
These come up on the exam all the time. Here's how to tell them apart.
GenericWrite on Group
Allows adding users to the group (write to member attribute)
Does not require knowing current password or user interaction
Change is immediate and does not require user logoff
Target is typically a group that has high privileges
Commonly used to escalate to Domain Admin
ForceChangePassword on User
Allows resetting a user's password without knowing current one
Requires the 'Reset Password' extended right on the target user object
Change is immediate; user can log in with new password
Target is typically a high-value user like a domain admin
May alert the user if they try to log in with old password
Mistake
GenericWrite only allows writing to non-security attributes like description or displayName.
Correct
GenericWrite grants write access to all writable attributes, including the 'member' attribute of groups. This allows adding users to groups, which is a common privilege escalation path.
Mistake
To add a user to a group, you need Full Control or GenericAll on the group.
Correct
GenericWrite is sufficient because it includes WriteProperty on all attributes. Full Control is not required and is often overkill.
Mistake
DCSync requires only the 'Replicate Directory Changes' right.
Correct
DCSync requires both 'Replicate Directory Changes' and 'Replicate Directory Changes All' rights. Granting only one is not enough to replicate all directory changes.
Mistake
Modifying the ACL on Domain Admins gives persistent access because the change is permanent.
Correct
AdminSDHolder process resets ACLs on protected groups (including Domain Admins) every 60 minutes. Direct ACL changes are reverted. To persist, you must modify the AdminSDHolder object itself.
Mistake
You need to be a domain admin to enumerate ACLs.
Correct
Any authenticated domain user can read ACLs on most objects (unless explicitly denied). Tools like PowerView and BloodHound work with standard user credentials.
GenericWrite grants write access to all writable attributes of an object, but not the ability to modify the ACL or delete the object. GenericAll (or Full Control) grants complete control, including modifying the ACL, changing permissions, and deleting the object. For privilege escalation, GenericWrite is often sufficient to add a user to a group (by writing to the member attribute), while GenericAll allows more destructive actions like taking ownership or modifying security descriptors.
AdminSDHolder is a special container in Active Directory that holds a security descriptor. Every 60 minutes, the SDProp process compares the ACLs of protected groups (like Domain Admins) to the AdminSDHolder's ACL. If any discrepancies are found, the protected group's ACL is reset to match AdminSDHolder. This prevents attackers from permanently modifying ACLs on privileged groups. To persist, an attacker must modify the AdminSDHolder object itself.
DCSync requires the 'Replicate Directory Changes' and 'Replicate Directory Changes All' extended rights on the domain object. These rights are typically granted to Domain Controllers and some administrative groups. If a user has WriteDacl on the domain object, they can grant themselves these rights. DCSync allows an attacker to replicate all directory data, including password hashes, from a Domain Controller.
Yes, PowerView has several commands for ACL enumeration. 'Get-DomainObjectAcl' retrieves the ACL for a specific object. 'Find-InterestingDomainAcl' searches for ACLs that grant interesting permissions like GenericAll, GenericWrite, WriteDacl, or WriteOwner. You can also use 'Get-DomainGroupMember' to check group membership after exploitation. PowerView is part of the PowerSploit framework.
Self-Membership is a special permission that allows a user to add themselves to a group. It is often granted to allow users to join distribution groups or security groups for self-service. If this permission is granted on a privileged group like 'Domain Admins', any user can add themselves to that group, resulting in instant privilege escalation.
Enable advanced audit policies for 'Directory Service Access' and 'Account Management'. Audit modifications to sensitive objects like groups and users. Use Event IDs such as 5136 (directory service object modified) and 4732 (member added to security group). Additionally, monitor changes to AdminSDHolder's ACL. Tools like Microsoft Defender for Identity can detect anomalous ACL modifications.
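As an added example (not from the chapter), the following scans parsed Security events for the detection points named above: Event ID 4732 additions to the protected groups listed in this chapter, and Event ID 5136 writes to nTSecurityDescriptor on AdminSDHolder, the domain root or a protected group, or to msDS-AllowedToActOnBehalfOfOtherIdentity. The event records are constructed dictionaries with simplified field names (Subject, Member, TargetGroup, ObjectDN, Attribute), an assumption standing in for whatever your log pipeline emits.

```python
# Added example: flag ACL-abuse indicators in parsed Security events.
# Field names are a simplified, constructed representation of 4732/5136 data.
PROTECTED_GROUPS = {        # AdminSDHolder-protected groups listed in the chapter
    "Account Operators", "Administrators", "Backup Operators", "Domain Admins",
    "Enterprise Admins", "Print Operators", "Replicator", "Server Operators",
    "Schema Admins",
}
SENSITIVE_ATTRS = {         # LDAP display names, compared case-insensitively
    "ntsecuritydescriptor": "ACL/owner modified",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD trustee written",
    "member": "membership written",
}

def _cn(dn: str) -> str:
    """First RDN value of a DN: 'CN=Domain Admins,CN=Users,DC=x' -> 'Domain Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def classify(event: dict):
    """Return (severity, reason) for one event, or None if it is uninteresting."""
    eid, who = event.get("EventID"), event.get("Subject", "?")
    if eid == 4732:                                  # member added to security group
        if event["TargetGroup"] in PROTECTED_GROUPS:
            return ("high", f"{who} added {event['Member']} to {event['TargetGroup']}")
        return None
    if eid == 5136:                                  # directory service object modified
        dn, attr = event["ObjectDN"], event["Attribute"].lower()
        if attr not in SENSITIVE_ATTRS:
            return None
        what = SENSITIVE_ATTRS[attr]
        if _cn(dn) == "AdminSDHolder" and attr == "ntsecuritydescriptor":
            return ("critical", f"AdminSDHolder {what} by {who} (persistence)")
        if dn.upper().startswith("DC=") and attr == "ntsecuritydescriptor":
            return ("critical", f"domain root {what} by {who} (possible DCSync grant)")
        if _cn(dn) in PROTECTED_GROUPS:
            return ("high", f"{_cn(dn)}: {what} by {who}")
        if attr == "msds-allowedtoactonbehalfofotheridentity":
            return ("high", f"{dn}: {what} by {who}")
    return None

def scan(events):
    """List of (EventID, severity, reason) for every event worth alerting on."""
    hits = []
    for e in events:
        hit = classify(e)
        if hit:
            hits.append((e["EventID"], *hit))
    return hits

SAMPLE_EVENTS = [   # constructed sample records
    {"EventID": 4732, "Subject": "svc_hd", "TargetGroup": "Domain Admins",
     "Member": "CN=Bob,CN=Users,DC=domain,DC=local"},
    {"EventID": 4732, "Subject": "svc_hd", "TargetGroup": "VPN Users",
     "Member": "CN=Bob,CN=Users,DC=domain,DC=local"},
    {"EventID": 5136, "Subject": "Bob", "Attribute": "nTSecurityDescriptor",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=domain,DC=local"},
    {"EventID": 5136, "Subject": "Bob", "Attribute": "nTSecurityDescriptor",
     "ObjectDN": "DC=domain,DC=local"},
    {"EventID": 5136, "Subject": "Bob", "Attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "ObjectDN": "CN=SRV01,CN=Computers,DC=domain,DC=local"},
    {"EventID": 5136, "Subject": "Alice", "Attribute": "description",
     "ObjectDN": "CN=Alice,CN=Users,DC=domain,DC=local"},
]
```

On the sample records `scan(SAMPLE_EVENTS)` yields four hits (the VPN Users addition and the description edit are ignored); in production the 5136 rule on AdminSDHolder should be near-zero-volume, which is what makes it a strong signal.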
WriteDacl allows a principal to modify the Discretionary Access Control List (DACL) of an object, meaning they can change who has what permissions. WriteOwner allows a principal to change the owner of an object. The owner always has the implicit right to modify the DACL (even if denied by the ACL), so taking ownership effectively grants full control. Both are high-risk permissions.