Applies to BloodHound Enterprise and CE

Abuse Info

With the ability to modify the DACL on the target object, you can grant yourself almost any privilege against the object you wish. Groups With WriteDACL over a group, grant yourself the right to add members to the group: Add-DomainObjectAcl -TargetIdentity “Domain Admins” -Rights WriteMembers See the abuse info for AddMembers for more information about executing the attack from there. Users With WriteDACL over a user, grant yourself full control of the user object: Add-DomainObjectAcl -TargetIdentity harmj0y -Rights All See the abuse info for GenericAll over a user for more information about how to continue from there. Computers With WriteDACL over a computer object, grant yourself full control of the computer object: Add-DomainObjectAcl -TargetIdentity windows1 -Rights All See the abuse info for GenericAll over a computer for more information about how to continue from there. Domains With WriteDACL over a domain object, grant full control of the domain: Add-DomainObjectAcl -TargetIdentity testlab.local -Rights All See the abuse info for GenericAll over a domain for more information about how to continue from there. GPOs With WriteDACL over a GPO, grant yourself full control of the GPO: Add-DomainObjectAcl -TargetIdentity TestGPO -Rights All See the abuse info for GenericAll over a GPO for more information about how to continue from there. OUs With WriteDACL over an OU, grant yourself full control of the OU: Add-DomainObjectAcl -TargetIdentity (OU GUID) -Rights All See the abuse info for GenericAll over an OU for more information about how to continue from there.

Opsec Considerations

When using the PowerView functions, keep in mind that PowerShell v5 introduced several security mechanisms that make it much easier for defenders to see what’s going on with PowerShell in their network, such as script block logging and AMSI. You can bypass those security mechanisms by downgrading to PowerShell v2, which all PowerView functions support. Modifying permissions on an object will generate 4670 and 4662 events on the domain controller that handled the request. Additional opsec considerations depend on the target object and how to take advantage of this privilege.

References