AD-DACL-WRITEDACL · Privilege Escalation
WriteDACL
Modify the object's ACL — grant yourself any other right.
§ Where this technique fits
AD-DACL-WRITEDACL is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 4 on average.
§ Dossiers chaining this technique
- step 3 / 6: WriteDACL on a privileged user → ForceChangePassword → takeover
  Discover a misconfigured ACL that lets a low-priv user modify the ACL of a Tier-0 account, grant ForceChangePassword to themselves, reset the victim's password, and log in.
- step 5 / 6: Leaked legacy VPN credential → ransomware (Colonial-class)
  A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
§ What commonly comes next
- 01 · Data Encrypted for Impact · seen 1× · T1486 · Impact
- 02 · ForceChangePassword (User-Force-Change-Password) · seen 1× · AD-DACL-FORCECHANGE · Credential Access