GenericAll

Attacking

How it works

GenericAll ACL is basicly all permissions. There are different ways of attacking different objects which are:

Groups

With these permission on a group you can add anyone to the group.

pageAdd user to group (todo)

Users

With GenericAll permission on a user you can do two things:

Targeted kerberoast (set spn to user and kerberoast it)
Change their password (This will deny access to the user and may raise red flags)

pageTargeted Kerberoast (todo)pageForceChangePassword

Computers

With GenericAll permissions on a computerobject you can do two things:

Read its LAPS password.
Get access to the machine using Resource Based Constrained Delegation

pageReading LAPS passwords (todo)pageComputeraccount Takeover

Domain object

In these GenericAll permissions the permissions DS-Replication-Get-Changes and Replication-Get-Changes-All rights are included. Giving you the ability to execute a DCSync attack.

pageGet-Changes

References

Edges — BloodHound 3.0.3 documentation

PreviousWriteDacl NextGenericWrite (todo)

Last updated 1 year ago