Active Directory ACL Abuse: From WriteOwner to Domain Admin
How misconfigured Access Control Lists on AD objects turn into full domain escalation paths, and how BloodHound maps the graph.
Every object in Active Directory — users, groups, computers, GPOs — carries a security descriptor with a
discretionary access control list (DACL). Each entry (ACE) grants a trustee some right over that object.
Most of the time these rights are boring: a helpdesk group gets Reset Password on a user OU, a service
account gets Write on one attribute. Abuse happens when those small, individually reasonable grants chain
together into a path to Domain Admin.
Why this matters more than CVEs
There’s no patch for a misconfigured ACL. It’s a design decision made by whoever delegated rights, often years ago, often forgotten. That’s exactly why ACL abuse is one of the most consistent findings across real AD environments — it doesn’t rely on missing patches, only on accumulated delegation.
BloodHound represents these relationships as directed edges in a graph. An edge like GenericAll or
WriteOwner from principal A to object B means “A can eventually control B,” even if that control isn’t
immediate.
The core primitives
| ACE right | What it lets you do |
|---|---|
GenericAll | Full control — reset password, add to group, modify anything |
GenericWrite | Write most attributes, including scriptPath or group membership |
WriteOwner | Take ownership of the object, then grant yourself further rights |
WriteDACL | Add a new ACE to the object’s DACL directly |
AllExtendedRights | Includes rights like User-Force-Change-Password |
ForceChangePassword | Reset a user’s password without knowing the old one |
Each of these is a stepping stone. WriteOwner doesn’t give you control immediately — it lets you become
the owner, which then lets you grant yourself WriteDACL, which then lets you grant yourself GenericAll.
Three hops, same outcome.
Mapping the graph
A typical BloodHound collection with SharpHound produces edges you can query directly in the graph UI, or via raw Cypher against the underlying Neo4j database:
MATCH p = (u:User)-[:MemberOf|GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword*1..]->(d:Domain)
WHERE u.name CONTAINS "SVC-"
RETURN p
LIMIT 25
This looks for any path from service accounts (often over-privileged and rarely rotated) to the domain object itself. In most mid-sized environments, at least one such path exists.
Don’t only look for paths to Domain Admins group membership. Paths to GPO objects linked to the Domain Controllers OU, or to a DC’s computer object, are just as valuable and often less monitored.
A representative chain
- Enumerate —
SharpHound -c Allcollects sessions, ACLs, group memberships, and trust data. - Find the edge — BloodHound surfaces that
SVC-BackuphasGenericAllon theDomain Adminsgroup. - Abuse it — add a controlled principal to the group using standard LDAP writes, or reset a member’s
password if the edge is
ForceChangePasswordinstead. - Validate — confirm group membership took effect (subject to Kerberos ticket refresh / logoff-logon for the new membership to appear in a token).
# Example: adding a principal to a group over LDAP, assuming GenericAll on the group object
Add-DomainGroupMember -Identity "Domain Admins" -Members "svc-backup" -Credential $cred
Group membership changes are logged (Event ID 4728/4732) and are a common, high-fidelity detection point. In an authorized engagement, always confirm the client’s monitoring expectations before making writes — some engagements score detection, not just successful compromise.
Detection and mitigation
- Audit DACLs regularly. Tools like BloodHound aren’t just for attackers — running the same collection defensively surfaces the identical paths before someone else finds them.
- Alert on sensitive group changes. Event IDs 4728, 4732, and 4756 cover additions to security-enabled groups; route these to your SIEM with tighter thresholds for privileged groups.
- Remove stale delegations. Rights granted for a project years ago rarely get revoked. A periodic ACL review against a known-good baseline catches drift.
- Tier your admin model. If Tier 0 assets (DCs, domain admins, ADCS) never accept credentials from lower tiers, most ACL abuse chains stop before reaching anything that matters.
The underlying lesson: ACL abuse isn’t a single vulnerability to patch, it’s a property of how delegation accumulates over time. Treating it as an ongoing hygiene problem, not a one-time fix, is what actually closes the paths.