# DACL-Abuses

Active Directory objects are protected by Discretionary Access Control Lists (DACLs), which are made up of Access Control Entries (ACEs). When a principal you control holds certain rights in the DACL of another object, those rights can be abused to take over that object. The best information on how to abuse these edges is on the [BloodHound wiki](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#). Here's a short list of interesting ACL abuses:

* **GenericAll** - full rights to the object. Modify group membership, modify user attributes (for example set an SPN to Kerberoast the account) or reset a user's password. On a computer object it also allows reading the LAPS password.
* **GenericWrite** - update the object's attributes (e.g. logon script, servicePrincipalName, group membership).
* **WriteOwner** - change the object's owner to an attacker-controlled principal and take over the object. Once you are the owner you can grant yourself GenericAll on the object.
* **WriteDACL** - modify the DACL of the target object, so you can grant yourself almost any privilege on the object you wish.
* **AllExtendedRights** - all extended rights on the object: reset the password of a user, read the LAPS password of a computer, or DCSync if held on the domain object.
* **ForceChangePassword** - change a user's password without knowing the current one. Note that this locks the real user out, so it is noisy; prefer a non-destructive path (SPN, group membership) when one exists.
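To verify an edge from the list above on the wire, or to find one on a host where BloodHound is not available, you can read the DACL of the target object directly. The following is an added example, not code from the original page: it uses the built-in ADSI interface to walk the ACEs of one object and flags those that map to the abuses above. The DN, the trustee name and the lab domain are assumptions for your own environment; the schema GUIDs for the `member` and `servicePrincipalName` attributes and for the `User-Force-Change-Password` control access right are the standard AD values.

```powershell
# Added example (not from the original page): enumerate the DACL of one AD object through
# ADSI and flag the ACEs that map to the abuses listed above.
# Assumptions: run on a domain-joined Windows host as any domain user (DACLs are readable
# by default); the DN and trustee below are placeholders for your own lab.

$TargetDN = 'CN=Domain Admins,CN=Users,DC=lab,DC=local'   # assumed target object
$Trustee  = 'LAB\lowpriv'                                  # assumed owned principal

# Schema GUIDs that decide what an object-specific ExtendedRight / WriteProperty ACE means.
$AllObjects          = '00000000-0000-0000-0000-000000000000'   # Guid.Empty: all properties / all extended rights
$ForceChangePassword = '00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password control access right
$MemberAttribute     = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # member attribute (group membership)
$SpnAttribute        = 'f3a64788-5306-11d1-a9c5-0000f80367c1'   # servicePrincipalName attribute

function Get-AbusableAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string] $IdentityFilter   # 'DOMAIN\name'; omit to list every trustee
    )
    $R   = [System.DirectoryServices.ActiveDirectoryRights]
    $obj = [ADSI]"LDAP://$DistinguishedName"
    # GetAccessRules(includeExplicit, includeInherited, identityType)
    $dacl = $obj.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($ace in $dacl) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($IdentityFilter -and $ace.IdentityReference.Value -ne $IdentityFilter) { continue }

        $rights  = $ace.ActiveDirectoryRights
        $objType = $ace.ObjectType.ToString()
        # A right is present only if ALL of its bits are set: GenericAll is a superset of
        # WriteDacl, so a plain "-band" test would mislabel a WriteDacl-only ACE as GenericAll.
        $has   = { param($flag) ($rights -band $flag) -eq $flag }
        $abuse = @()

        if (& $has $R::GenericAll) {
            $abuse += 'GenericAll: reset password, add member, set SPN, read LAPS'
        } else {
            if (& $has $R::GenericWrite) { $abuse += 'GenericWrite: write attributes (SPN, scriptPath, member)' }
            if (& $has $R::WriteOwner)   { $abuse += 'WriteOwner: take ownership, then grant yourself GenericAll' }
            if (& $has $R::WriteDacl)    { $abuse += 'WriteDacl: add an ACE granting yourself the right you need' }
            if (& $has $R::ExtendedRight) {
                switch ($objType) {
                    $AllObjects          { $abuse += 'AllExtendedRights: reset password / read LAPS / DCSync on the domain' }
                    $ForceChangePassword { $abuse += 'ForceChangePassword' }
                }
            }
            if (& $has $R::WriteProperty) {
                switch ($objType) {
                    $AllObjects      { $abuse += 'WriteProperty (all attributes): same impact as GenericWrite' }
                    $MemberAttribute { $abuse += 'WriteProperty member: AddMember' }
                    $SpnAttribute    { $abuse += 'WriteProperty servicePrincipalName: targeted Kerberoast' }
                }
            }
        }
        if ($abuse.Count -eq 0) { continue }

        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
            Abuse     = ($abuse -join '; ')
        }
    }
}

Get-AbusableAce -DistinguishedName $TargetDN -IdentityFilter $Trustee | Format-Table -AutoSize
```

Run it once per owned principal against the objects you care about (Domain Admins, the DC computer objects, the domain object itself). Once an abusable ACE is confirmed, the matching PowerView cmdlets are `Add-DomainGroupMember` (AddMember / GenericAll on a group), `Set-DomainUserPassword` (ForceChangePassword / AllExtendedRights on a user), `Set-DomainObject -Set @{serviceprincipalname=...}` (GenericWrite / WriteSPN on a user), `Set-DomainObjectOwner` (WriteOwner) and `Add-DomainObjectAcl -Rights All` (WriteDacl, or after taking ownership).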

## BloodHound

The easiest way to check for ACL abuses is BloodHound, since it visualizes the control edges and makes it easy to check whether any newly owned object holds ACLs on other objects. Search for the user in the search bar at the top and click on it, then scroll down in "Node Info" to "Outbound Object Control". This is the section that shows whether the user has any ACLs:

![](/files/VluNcy3uyFdrhvYaU3ax)

The object has one First Degree Object Control, meaning the user holds one direct ACE on another object. If the user is a member of a group and that group has an ACE on another object, it shows under "Group Delegated Object Control". Clicking the number lists the ACLs:

<div align="left"><img src="/files/HtxmMpjek9YlOkhgSPX6" alt=""></div>

I always recommend doing this for EVERY user, computer or other object you get access to and own (you know its password, NTLM hash, tickets, etc.). Also right-click those objects and mark them as "Owned", so the owned-principal queries and the group-delegated paths pick them up:

<div align="left"><img src="/files/XBiZf59NX5LK38sPUKFh" alt=""></div>

{% embed url="<https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html>" %}
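Clicking through every owned node gets tedious in a large lab. The block below is an added example, not part of the original page: it asks the neo4j database behind legacy BloodHound for every outbound control edge from every node marked "Owned", including edges delegated through group membership, which is what the "First Degree" and "Group Delegated" sections show in the GUI. It assumes legacy BloodHound (marking a node as Owned sets `owned:true`), the neo4j 3.x transactional endpoint at the URL below (neo4j 4.x uses `/db/neo4j/tx/commit`), and placeholder credentials; the edge names are those of the legacy BloodHound schema.

```powershell
# Added example (not from the original page): list every outbound control edge from every
# node marked "Owned" by querying BloodHound's neo4j database directly.
# Assumptions: legacy BloodHound (neo4j backend, Owned sets owned:true); neo4j 3.x
# transactional HTTP endpoint (4.x: /db/neo4j/tx/commit); lab credentials are placeholders.

$Neo4jUrl  = 'http://localhost:7474/db/data/transaction/commit'
$Neo4jUser = 'neo4j'
$Neo4jPass = 'bloodhound'   # assumed lab password

# Edge types BloodHound shows under "Outbound Object Control".
$ControlEdges = 'GenericAll|GenericWrite|WriteOwner|WriteDacl|AllExtendedRights|' +
                'ForceChangePassword|AddMember|AddSelf|Owns|WriteSPN|AddKeyCredentialLink|ReadLAPSPassword'

# MemberOf*0.. allows zero or more group hops, so first-degree control (o = g) and
# group-delegated control (o -> ... -> g) come back from one query.
$Cypher = @"
MATCH (o {owned:true})-[:MemberOf*0..]->(g)-[r:$ControlEdges]->(t)
WHERE o <> t
RETURN o.name AS Owned,
       CASE WHEN o = g THEN 'direct' ELSE g.name END AS Via,
       type(r) AS Edge, t.name AS Target, labels(t) AS TargetLabels
ORDER BY Owned, Edge
"@

function Get-OwnedControlEdge {
    param(
        [string] $Url   = $Neo4jUrl,
        [string] $User  = $Neo4jUser,
        [string] $Pass  = $Neo4jPass,
        [string] $Query = $Cypher
    )
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${User}:${Pass}"))
    $body = @{ statements = @(@{ statement = $Query }) } | ConvertTo-Json -Depth 5
    $resp = Invoke-RestMethod -Method Post -Uri $Url -ContentType 'application/json' `
                              -Headers @{ Authorization = "Basic $auth" } -Body $body
    if ($resp.errors.Count -gt 0) { throw ($resp.errors | ConvertTo-Json -Depth 5) }

    # Rows come back positionally; rebuild them as objects keyed by the RETURN column names.
    $cols = $resp.results[0].columns
    foreach ($row in $resp.results[0].data) {
        $o = [ordered]@{}
        for ($i = 0; $i -lt $cols.Count; $i++) {
            $v = $row.row[$i]
            if ($v -is [array]) { $v = $v -join ',' }   # labels(t) is a list
            $o[$cols[$i]] = $v
        }
        [pscustomobject]$o
    }
}

Get-OwnedControlEdge | Format-Table -AutoSize
```

Re-run it every time you mark a new node as Owned; each new row is a candidate edge to abuse with the techniques from the list at the top of the page.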

