GenericAll

Attacking

How it works

GenericAll ACL is basicly all permissions. There are different ways of attacking different objects which are:

Groups

With these permission on a group you can add anyone to the group.

Add user to group (todo)

Users

With GenericAll permission on a user you can do two things:

• Targeted kerberoast (set spn to user and kerberoast it)

• Change their password (This will deny access to the user and may raise red flags)

Targeted Kerberoast (todo)ForceChangePassword

Computers

With GenericAll permissions on a computerobject you can do two things:

• Read its LAPS password.

• Get access to the machine using Resource Based Constrained Delegation

Reading LAPS passwords (todo)

Computeraccount Takeover

Domain object

In these GenericAll permissions the permissions DS-Replication-Get-Changes and Replication-Get-Changes-All rights are included. Giving you the ability to execute a DCSync attack.

Get-Changes

References

Edges — BloodHound 3.0.3 documentation