Write DACL
Description
The Source security principal has the permission to change the permissions of the Target object in its Discretionary Access Control List (DACL). This allows the Source to grant themselves, or anyone else, additional rights on the Target and ultimately compromise it.
Exploitation
Attackers who compromise the Source security principal only have to edit the Target object's security descriptor, using native Windows commands such as "dsacls", PowerShell cmdlets such as "Set-ACL", administration tools such as "Active Directory Users and Computers", or dedicated hacker tools such as PowerSploit.
Remediation
If the Source security principal does not have legitimate permission to change the permissions of the Target object, then you must remove this permission.
To modify the Target object's security descriptor:
- In "Active Directory Users and Computers", right-click the object then Properties > Security > Advanced.
- Remove the "Modify permissions" permission for the Source security principal.
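The same remediation can be scripted. The following is an added example, not code from the original page: it lists every explicit ACE on the Target that grants WriteDacl (the right the "Modify permissions" entry in Active Directory Users and Computers maps to), then removes that right from the Source principal's ACEs. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) is installed; the distinguished name and the user name are placeholders to replace with the real Target and Source.

```powershell
# Added example (not from the original page): audit WriteDacl on a Target object
# and strip that right from the Source principal's ACEs.
# Assumes the RSAT ActiveDirectory module (provides the AD: PSDrive).
Import-Module ActiveDirectory

# Placeholders: replace with the real Target DN and Source principal.
$TargetDN  = 'CN=Target Server,OU=Servers,DC=example,DC=com'
$SourceSid = (Get-ADUser -Identity 'source.user').SID     # or Get-ADGroup / Get-ADComputer

$WriteDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$acl = Get-Acl -Path "AD:\$TargetDN"

# 1. Audit: every explicit (non-inherited) Allow ACE that carries the WriteDacl bit.
#    GenericAll and WriteDacl-only ACEs both match, since the check is a bit test.
$writeDaclAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited -and
    (($_.ActiveDirectoryRights -band $WriteDacl) -ne 0)
}
Write-Host "Principals holding WriteDacl on $TargetDN :"
$writeDaclAces | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# 2. Remediate: remove the right from the Source principal only, keeping any
#    other rights the same ACE legitimately grants.
$toFix = $writeDaclAces | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SourceSid
}
foreach ($ace in $toFix) {
    # Remove the exact ACE, then, if it bundled other rights, add it back without WriteDacl.
    [void]$acl.RemoveAccessRuleSpecific($ace)
    $remaining = [System.DirectoryServices.ActiveDirectoryRights](
        $ace.ActiveDirectoryRights -band (-bnot [int]$WriteDacl))
    if ([int]$remaining -ne 0) {
        $replacement = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $ace.IdentityReference, $remaining, $ace.AccessControlType,
            $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
        [void]$acl.AddAccessRule($replacement)
    }
}

if ($toFix) {
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
    Write-Host "Removed WriteDacl for SID $SourceSid on $TargetDN"
} else {
    Write-Host "No explicit WriteDacl ACE for SID $SourceSid on $TargetDN"
}
```

Run the audit half first and review the table before letting the script write anything back: inherited ACEs are deliberately skipped because they must be fixed on the parent container, not on the Target. After the change, `dsacls "<Target DN>"` shows the resulting DACL and is a quick way to confirm the Source no longer appears with WRITE_DAC.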