Abuse Info
Users With GenericWrite over a user, you can write to themsDS-KeyCredentialLink attribute. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using Kerberos PKINIT. See more information under the AddKeyCredentialLink edge.
also grants write access to the altSecurityIdentities attribute, which may enable an ADCS ESC14 Scenario A attack. See the WriteAltSecurityIdentities edge documentation for details.
Alternatively, you can write to the servicePrincipalNames attribute and perform a targeted kerberoasting attack. See the abuse section under the WriteSPN edge for more information.
Groups
With GenericWrite over a group, add yourself or another principal you control to the group. See the abuse info under the AddMember edge for more information.
Computers
With GenericWrite over a computer, you can write to the msDS-KeyCredentialLink attribute. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using Kerberos PKINIT. See more information under the AddKeyCredentialLink edge.
also grants write access to the altSecurityIdentities attribute, which may enable an ADCS ESC14 Scenario A attack. See the WriteAltSecurityIdentities edge documentation for details.
Alternatively, you can perform a resource-based constrained delegation attack against the computer. See the AllowedToAct edge abuse info for more information about that attack.
GPO
With GenericWrite on a GPO, you may make modifications to that GPO, which will then apply to the users and computers affected by the GPO. Select the target object you wish to push an evil policy down to, then use the gpedit GUI to modify the GPO, using an evil policy that allows item-level targeting, such as a new immediate scheduled task. Then wait for the group policy client to pick up and execute the new evil policy. See the references tab for a more detailed write-up on this abuse.
Refer to A Red Teamer’s Guide to GPOs and OUs for details about the abuse technique, and check out the following tools for practical exploitation:
- Windows: SharpGPOAbuse
- Linux: pyGPOAbuse
gPLink attribute of the OU. See the WriteGPLink edge documentation for details.
Domain
You can compromise users and computers of the domain by abusing write access to the gPLink attribute of the domain. See the WriteGPLink edge documentation for details.
CertTemplate
With GenericWrite permission over a certificate template, you may be able to perform an ESC4 attack by modifying the template’s attributes. BloodHound will in that case create an ADCSESC4 edge from the principal to the forest domain node.
EnterpriseCA
With GenericWrite permission over an enterprise CA, you can publish certificate templates to the enterprise CA by adding the CN name of the template in the enterprise CA object’s certificateTemplates attribute. This action may enable you to perform an ADCS domain escalation.
RootCA
With GenericWrite permission over a root CA, you can make a rouge certificate trusted as a root CA in the AD forest by adding the certificate in the root CA object’s cACertificate attribute. This action may enable you to perform an ADCS domain escalation.
NTAuthStore
With GenericWrite permission over an NTAuth store, you can make an enterprise CA certificate trusted for NT (domain) authentication the AD forest by adding the certificate in the root CA object’s cACertificate attribute. This action may enable you to perform an ADCS domain escalation.
IssuancePolicy
With GenericWrite permission over an issuance policy object, you create a OID group link to a targeted group by adding the groups distinguishedName in the msDS-OIDToGroupLink attribute of the issuance policy object. This action may enable you to gain membership of the group through an ADCS ESC13 attack.