> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# WriteDacl

> With write access to the target object’s DACL, you can grant yourself any privilege you want on the object.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

With the ability to modify the DACL on the target object, you can grant yourself almost any privilege against the object you wish.

**Groups**

With WriteDACL over a group, grant yourself the right to add members to the group:

Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights WriteMembers

See the abuse info for [AddMember](/resources/edges/add-member) for more information about executing the attack from there.

**Users**

With WriteDACL over a user, grant yourself full control of the user object:

Add-DomainObjectAcl -TargetIdentity harmj0y -Rights All

See the abuse info for [GenericAll](/resources/edges/generic-all) over a user for more information about how to continue from there.

**Computers**

With WriteDACL over a computer object, grant yourself full control of the computer object:

Add-DomainObjectAcl -TargetIdentity windows1 -Rights All

See the abuse info for [GenericAll](/resources/edges/generic-all) over a computer for more information about how to continue from there.

**Domains**

With WriteDACL over a domain object, grant full control of the domain:

Add-DomainObjectAcl -TargetIdentity testlab.local -Rights All

See the abuse info for [GenericAll](/resources/edges/generic-all) over a domain for more information about how to continue from there.

**GPOs**

With WriteDACL over a GPO, grant yourself full control of the GPO:

Add-DomainObjectAcl -TargetIdentity TestGPO -Rights All

See the abuse info for [GenericAll](/resources/edges/generic-all) over a GPO for more information about how to continue from there.

**OUs**

With WriteDACL over an OU, grant yourself full control of the OU:

Add-DomainObjectAcl -TargetIdentity (OU GUID) -Rights All

See the abuse info for [GenericAll](/resources/edges/generic-all) over an OU for more information about how to continue from there.

## Opsec Considerations

When using the PowerView functions, keep in mind that PowerShell v5 introduced several security mechanisms that make it much easier for defenders to see what’s going on with PowerShell in their network, such as script block logging and AMSI. You can bypass those security mechanisms by downgrading to PowerShell v2, which all PowerView functions support.

Modifying permissions on an object will generate 4670 and 4662 events on the domain controller that handled the request.

Additional opsec considerations depend on the target object and how to take advantage of this privilege.

## Edge Schema

Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\
Destination: [AIACA](/resources/nodes/aiaca), [CertTemplate](/resources/nodes/cert-template), [Computer](/resources/nodes/computer), [Container](/resources/nodes/container), [Domain](/resources/nodes/domain), [EnterpriseCA](/resources/nodes/enterprise-ca), [GPO](/resources/nodes/gpo), [Group](/resources/nodes/group), [IssuancePolicy](/resources/nodes/issuance-policy), [NTAuthStore](/resources/nodes/nt-auth-store), [OU](/resources/nodes/ou), [RootCA](/resources/nodes/root-ca), [User](/resources/nodes/user)\
Traversable: **Yes**

## References

* [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
* [https://www.youtube.com/watch?v=z8thoG7gPd0](https://www.youtube.com/watch?v=z8thoG7gPd0)
* [https://eladshamir.com/2019/01/28/Wagging-the-Dog.html](https://eladshamir.com/2019/01/28/Wagging-the-Dog.html)
* [https://github.com/GhostPack/Rubeus#s4u](https://github.com/GhostPack/Rubeus#s4u)
* [https://gist.github.com/HarmJ0y/224dbfef83febdaf885a8451e40d52ff](https://gist.github.com/HarmJ0y/224dbfef83febdaf885a8451e40d52ff)
* [https://blog.harmj0y.net/redteaming/another-word-on-delegation/](https://blog.harmj0y.net/redteaming/another-word-on-delegation/)
* [https://github.com/Kevin-Robertson/Powermad#new-machineaccount](https://github.com/Kevin-Robertson/Powermad#new-machineaccount)
* [https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=netframework-4.8)
* [https://specterops.io/blog/2017/05/15/bloodhound-1-3-the-acl-attack-path-update/](https://specterops.io/blog/2017/05/15/bloodhound-1-3-the-acl-attack-path-update/)