ACL/ACE Abuse Attack Paths
Misconfigured Active Directory permissions let low-privileged users reset passwords, add themselves to admin groups, or grant themselves DCSync rights — all without exploiting a single vulnerability.
Every object in Active Directory — every user, group, computer, and OU — has an Access Control List (ACL) that defines who can do what to it. These ACLs contain individual Access Control Entries (ACEs), each granting specific rights to specific users or groups. Over years of administration, delegation changes, and software installations, many objects end up with overly permissive ACEs that create unintended attack paths. For example, a help desk group might have the right to reset passwords on Domain Admin accounts, or an IT contractor's account might have write access to a Group Policy Object. Attackers use tools like BloodHound to map all these permissions and find chains of abuse that lead from their current low-privileged account all the way to Domain Admin.
Imagine a corporate building where the maintenance staff were accidentally given keys that not only open the storage closets they need, but also the CEO's office, the HR file room, and the server room. Nobody noticed because the key assignments were buried in a spreadsheet nobody reviews. ACL abuse in AD works the same way: over time, users and groups accumulate permissions that were never intended — and tools like BloodHound can map these hidden key chains to find a path from janitor to CEO.
Key Takeaways
- GenericAll, WriteDACL, WriteOwner, and ForceChangePassword are the most dangerous ACE rights.
- ACL abuse chains can escalate from any user to Domain Admin through multiple hops.
- BloodHound automates discovery of these attack paths using graph theory.
- GenericWrite enables targeted Kerberoasting (SPN manipulation) and Shadow Credentials.
- Over-delegation during AD administration is the root cause — permission sprawl accumulates over years.
- Regular ACL audits with tools like PingCastle and BloodHound are essential.
ACL abuse is the most common privilege escalation path discovered in real-world penetration tests and the primary finding BloodHound highlights. These are not vulnerabilities — they are misconfigured permissions, making them extremely hard to patch with a single update.
Defense Recommendations
Audit and remediate excessive ACEs across all AD objects, implement least-privilege delegation, and continuously monitor permission changes.
1. Run BloodHound regularly and review all "Shortest Paths to Domain Admin" findings.
2. Audit ACLs on sensitive objects: Domain Admins, Enterprise Admins, AdminSDHolder, domain root, GPOs, and DCs.
3. Remove GenericAll and WriteDACL from any non-Tier-0 principal on privileged objects.
4. Use PingCastle or Purple Knight for automated AD security scoring.
5. Replace broad delegation (GenericAll on OUs) with specific delegated permissions (Reset Password only, Create Computer only).
6. Monitor Event ID 5136 for unexpected directory object modifications on privileged objects.
7. Review and clean up GPO edit permissions — any principal with write access to a GPO linked to DCs can compromise the domain.
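A starting point for recommendation 2 and 3, as an added example that is not part of the original article: this script reads the ACLs of the domain root, AdminSDHolder, Domain Admins and every GPO container, and lists Allow ACEs that grant GenericAll, WriteDacl, WriteOwner, GenericWrite, ForceChangePassword or DCSync replication rights to any principal outside an assumed Tier-0 allow-list. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory; the allow-list and the set of target objects are assumptions to adjust per environment.

```powershell
# Added example, not the article's code: audit Tier-0 objects for dangerous ACEs.
# Assumes the ActiveDirectory module (which provides the AD: drive) is available.
Import-Module ActiveDirectory

# Well-known schema GUIDs for the extended rights the article's abuse paths rely on.
$ExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcc2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcc2' = 'DS-Replication-Get-Changes-All'
}
$AllZeros = '00000000-0000-0000-0000-000000000000'   # ObjectType "all properties / all rights"

# Assumed Tier-0 principals that legitimately hold these rights; everything else is a finding.
$ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     'Domain Admins', 'Enterprise Admins', 'Domain Controllers')

$domain  = Get-ADDomain
$targets = @(
    $domain.DistinguishedName                                    # domain root: where DCSync rights live
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"    # template applied to protected groups
    (Get-ADGroup 'Domain Admins').DistinguishedName
) + (Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)').DistinguishedName

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($ExpectedHolders | Where-Object { $who -like "*$_" }) { continue }

        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()
        $flag   = $null
        if ($rights -match 'GenericAll|WriteDacl|WriteOwner') { $flag = $rights }
        elseif ($rights -match 'GenericWrite|WriteProperty' -and $guid -eq $AllZeros) { $flag = 'GenericWrite' }
        elseif ($rights -match 'ExtendedRight') {
            # A zero GUID means "all extended rights", which includes password reset and DCSync.
            if ($guid -eq $AllZeros) { $flag = 'AllExtendedRights' }
            elseif ($ExtendedRights.ContainsKey($guid)) { $flag = $ExtendedRights[$guid] }
        }
        if ($flag) {
            [pscustomobject]@{ Object = $dn; Principal = $who; Right = $flag; Inherited = $ace.IsInherited }
        }
    }
}

# Inherited entries usually come from an OU or the domain root; fix them at the source.
$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

Any principal that appears in the output and is not a deliberate Tier-0 delegation is a candidate for removal (recommendation 3) or for replacement with a narrower delegated right (recommendation 5).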