WriteDACL on a privileged user → ForceChangePassword → takeover
Discover a misconfigured ACL that lets a low-priv user modify the ACL of a Tier-0 account, grant ForceChangePassword to themselves, reset the victim's password, and log in.
§ Context
Assumed environment: BloodHound reveals a WriteDACL or GenericWrite edge from a compromised principal to a privileged user (often via nested group membership or legacy delegation).
§ Steps
- 01 Authenticate as victim (Initial Access: T1078, Valid Accounts)
- 02 Low-priv domain user (Initial Access: T1078, Valid Accounts)
- 03 BloodHound finds WriteDACL edge (Discovery: AD-BLOODHOUND, BloodHound / SharpHound Enumeration)
  MATCH p=shortestPath((u {owned:true})-[*1..]->(t:User {highvalue:true})) RETURN p
- 04 Grant ForceChangePassword via WriteDACL (Privilege Escalation: AD-DACL-WRITEDACL, WriteDACL)
  dacledit.py -action write -rights User-Force-Change-Password -principal <me> -target <victim>
- 05 Reset victim password (Credential Access: AD-DACL-FORCECHANGE, ForceChangePassword (User-Force-Change-Password))
  rpcclient -U <me> -c 'setuserinfo2 <victim> 23 <newpw>' <dc>
- 06 Continue chain (Kerberoast / DCSync / …)
  Depending on what the victim grants.
§ References
- T1078: Valid Accounts
§ Frequently asked
- What is the "WriteDACL on a privileged user → ForceChangePassword → takeover" attack path?
- Discover a misconfigured ACL that lets a low-priv user modify the ACL of a Tier-0 account, grant ForceChangePassword to themselves, reset the victim's password, and log in. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Authenticate as victim (T1078), an initial access primitive. Assumed environment: BloodHound reveals a WriteDACL or GenericWrite edge from a compromised principal to a privileged user (often via nested group membership or legacy delegation).
- What is the final impact of this kill-chain?
- The final step lands on Reset victim password (AD-DACL-FORCECHANGE), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
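The detection answer above points to the per-technique ATT&CK entries; the following is an added, defender-side example (not part of the original dossier) showing how the two steps that matter most here, the ACL change on a Tier-0 user and the follow-on password reset, can be correlated from Windows Security log events. Event 5136 (directory service object modified, which requires a SACL on the object) records a change to the nTSecurityDescriptor attribute, and event 4724 records a password reset attempt. Event IDs and field names follow the Windows Security log schema; the sample events, the high-value account list, the admin allowlist and the one-hour window are all constructed assumptions.

```python
"""Correlate an ACL modification on a high-value user (event 5136 on
nTSecurityDescriptor) with a later password reset (event 4724) on that
same user by the same subject. Example code, not from the original page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names mirror the Security log schema).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:10", "id": 5136, "subject": "CORP\\jdoe",
     "object_dn": "CN=Administrator,CN=Users,DC=corp,DC=local",
     "attribute": "nTSecurityDescriptor"},
    {"time": "2024-05-01T09:01:05", "id": 4724, "subject": "CORP\\jdoe",
     "target": "Administrator"},
    # Routine helpdesk reset on an ordinary user: not a high-value target.
    {"time": "2024-05-01T10:30:00", "id": 4724, "subject": "CORP\\helpdesk1",
     "target": "alice"},
    # Attribute change that is not an ACL change: ignored.
    {"time": "2024-05-01T11:00:00", "id": 5136, "subject": "CORP\\svc_backup",
     "object_dn": "CN=bob,CN=Users,DC=corp,DC=local",
     "attribute": "description"},
    # Scheduled krbtgt rotation by an allowlisted admin account: no alert.
    {"time": "2024-05-01T12:00:00", "id": 4724, "subject": "CORP\\da-ops",
     "target": "krbtgt"},
]

HIGH_VALUE = {"administrator", "krbtgt"}      # constructed tier-0 list (casefolded)
ADMIN_SUBJECTS = {"corp\\da-ops"}             # constructed allowlist (casefolded)
WINDOW = timedelta(hours=1)                   # assumed correlation window


def cn_of(dn):
    """Return the leading CN value of a distinguished name."""
    return dn.split(",")[0].split("=", 1)[1]


def correlate(events, high_value=HIGH_VALUE, admins=ADMIN_SUBJECTS, window=WINDOW):
    """Return alerts: 'high' when a reset of a high-value account follows an ACL
    change on it by the same subject within the window; 'medium' when a
    non-allowlisted subject resets a high-value account with no such ACL change."""
    acl_changes = defaultdict(list)  # (subject, target) -> [timestamps]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        subject = ev["subject"].casefold()
        if ev["id"] == 5136 and ev.get("attribute") == "nTSecurityDescriptor":
            target = cn_of(ev["object_dn"]).casefold()
            if target in high_value:
                acl_changes[(subject, target)].append(t)
        elif ev["id"] == 4724:
            target = ev["target"].casefold()
            if target not in high_value:
                continue
            prior = [t0 for t0 in acl_changes.get((subject, target), [])
                     if timedelta(0) <= t - t0 <= window]
            if prior:
                alerts.append({"severity": "high", "subject": ev["subject"],
                               "target": ev["target"], "reset_at": ev["time"],
                               "acl_changed_at": prior[-1].isoformat()})
            elif subject not in admins:
                alerts.append({"severity": "medium", "subject": ev["subject"],
                               "target": ev["target"], "reset_at": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it flags one high-severity alert (jdoe changing the ACL on Administrator and resetting its password 55 seconds later). The medium tier exists because a reset of a Tier-0 account by anyone outside the known admin set is worth a look even if the ACL change happened outside the window or the object lacked a SACL; in a real deployment the allowlist and high-value set should come from the directory (e.g. a Protected Users or Tier-0 group) rather than constants.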
§ Related dossiers
- Leaked legacy VPN credential → ransomware (Colonial-class) (3 shared techniques)
  A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- Citrix Bleed → steal authenticated session → MFA bypass (2 shared techniques)
  Send a long Host header to a vulnerable NetScaler; the memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- GenericWrite on Domain Admins → AddMember → DA (2 shared techniques)
  A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.
- GPO write rights → Immediate scheduled task → SYSTEM on OU (2 shared techniques)
  GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.
- Unconstrained delegation → Capture DC TGT → DCSync (2 shared techniques)
  Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- Group Policy Preferences cpassword → user takeover (2 shared techniques)
  Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them.