identity security

Analyzing Active Directory ACL Abuse

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

acl-abuseactive-directoryldapprivilege-escalation
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Active Directory Access Control Lists (ACLs) define permissions on AD objects through Discretionary Access Control Lists (DACLs) containing Access Control Entries (ACEs). Misconfigured ACEs can grant non-privileged users dangerous permissions such as GenericAll (full control), WriteDACL (modify permissions), WriteOwner (take ownership), and GenericWrite (modify attributes) on sensitive objects like Domain Admins groups, domain controllers, or GPOs.

This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound.

When to Use

  • When investigating security incidents that require analyzing active directory acl abuse
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Python 3.9 or later with ldap3 library (pip install ldap3)
  • Domain user credentials with read access to AD objects
  • Network connectivity to Domain Controller on port 389 (LDAP) or 636 (LDAPS)
  • Understanding of Active Directory security model and SDDL format

Steps

  1. Connect to Domain Controller: Establish an LDAP connection using ldap3 with NTLM or simple authentication. Use LDAPS (port 636) for encrypted connections in production.

  2. Query target objects: Search the target OU or entire domain for objects including users, groups, computers, and OUs. Request the nTSecurityDescriptor, distinguishedName, objectClass, and sAMAccountName attributes.

  3. Parse security descriptors: Convert the binary nTSecurityDescriptor into its SDDL string representation. Parse each ACE in the DACL to extract the trustee SID, access mask, and ACE type (allow/deny).

  4. Resolve SIDs to principals: Map security identifiers (SIDs) to human-readable account names using LDAP lookups against the domain. Identify well-known SIDs for built-in groups.

  5. Check for dangerous permissions: Compare each ACE's access mask against dangerous permission bitmasks: GenericAll (0x10000000), WriteDACL (0x00040000), WriteOwner (0x00080000), GenericWrite (0x40000000), and WriteProperty for specific extended rights.

  6. Filter non-admin trustees: Exclude expected administrative trustees (Domain Admins, Enterprise Admins, SYSTEM, Administrators) and flag ACEs where non-privileged users or groups hold dangerous permissions.

  7. Map attack paths: For each finding, document the potential attack chain (e.g., GenericAll on user allows password reset, WriteDACL on group allows adding self to group).

  8. Generate remediation report: Output a JSON report with all dangerous ACEs, affected objects, non-admin trustees, and recommended remediation steps.

Expected Output

{
  "domain": "corp.example.com",
  "objects_scanned": 1247,
  "dangerous_aces_found": 8,
  "findings": [
    {
      "severity": "critical",
      "target_object": "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com",
      "target_type": "group",
      "trustee": "CORP\\helpdesk-team",
      "permission": "GenericAll",
      "access_mask": "0x10000000",
      "ace_type": "ACCESS_ALLOWED",
      "attack_path": "GenericAll on Domain Admins group allows adding arbitrary members",
      "remediation": "Remove GenericAll ACE for helpdesk-team on Domain Admins"
    }
  ]
}
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.9 KB

Active Directory ACL Abuse API Reference

ldap3 Python Connection

from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
 
server = Server("192.168.1.10", get_info=ALL, use_ssl=False)
conn = Connection(server, user="DOMAIN\\user", password="pass",
                  authentication=NTLM, auto_bind=True)
 
# Search with nTSecurityDescriptor
conn.search(
    "DC=corp,DC=example,DC=com",
    "(objectClass=group)",
    search_scope=SUBTREE,
    attributes=["distinguishedName", "sAMAccountName",
                "objectClass", "nTSecurityDescriptor"],
)

SDDL ACE Format

ACE String: (ace_type;ace_flags;rights;object_guid;inherit_guid;trustee_sid)
Example:    (A;;GA;;;S-1-5-21-xxx-512)
Component Description
A Access Allowed
D Access Denied
OA Object Access Allowed
GA Generic All
GW Generic Write
WD Write DACL
WO Write Owner

Dangerous Permission Bitmasks

Permission Hex Mask Risk
GenericAll 0x10000000 Full control over object
GenericWrite 0x40000000 Modify all writable attributes
WriteDACL 0x00040000 Modify object permissions
WriteOwner 0x00080000 Take object ownership
WriteProperty 0x00000020 Write specific properties
ExtendedRight 0x00000100 Extended rights (password reset, etc.)
Self 0x00000008 Self-membership modification
Delete 0x00010000 Delete the object

BloodHound Cypher Queries for ACL Paths

-- Find all users with GenericAll on Domain Admins
MATCH p=(n:User)-[r:GenericAll]->(g:Group {name:"DOMAIN ADMINS@CORP.COM"})
RETURN p
 
-- Find WriteDACL paths from non-admins to high-value targets
MATCH (n:User {admincount:false})
MATCH p=allShortestPaths((n)-[r:WriteDacl|WriteOwner|GenericAll*1..]->(m:Group))
WHERE m.highvalue = true
RETURN p
 
-- Find GenericWrite on computers for RBCD attacks
MATCH p=(n:User)-[r:GenericWrite]->(c:Computer)
WHERE NOT n.admincount
RETURN n.name, c.name
 
-- Enumerate all outbound ACL edges for a principal
MATCH p=(n {name:"HELPDESK@CORP.COM"})-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(m)
RETURN type(r), m.name, labels(m)
 
-- Find shortest ACL abuse path to Domain Admin
MATCH (n:User {name:"JSMITH@CORP.COM"})
MATCH (da:Group {name:"DOMAIN ADMINS@CORP.COM"})
MATCH p=shortestPath((n)-[r:MemberOf|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|ForceChangePassword*1..]->(da))
RETURN p

PowerView Commands for ACL Enumeration

# Get ACL for Domain Admins group
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
 
# Find interesting ACEs for non-admin users
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
    $_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"
}
 
# Get ACL for specific OU
Get-DomainObjectAcl -SearchBase "OU=Servers,DC=corp,DC=com" -ResolveGUIDs

Scripts 1

agent.py9.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Active Directory ACL abuse detection using ldap3 to find dangerous permissions."""

import argparse
import json
import struct

from ldap3 import Server, Connection, ALL, NTLM, SUBTREE


DANGEROUS_MASKS = {
    "GenericAll": 0x10000000,
    "GenericWrite": 0x40000000,
    "WriteDACL": 0x00040000,
    "WriteOwner": 0x00080000,
    "WriteProperty": 0x00000020,
    "Self": 0x00000008,
    "ExtendedRight": 0x00000100,
    "DeleteChild": 0x00000002,
    "Delete": 0x00010000,
}

ADMIN_SIDS = {
    "S-1-5-18",
    "S-1-5-32-544",
    "S-1-5-9",
}

ADMIN_RID_SUFFIXES = {
    "-500",
    "-512",
    "-516",
    "-518",
    "-519",
    "-498",
}

ATTACK_PATHS = {
    "GenericAll": {
        "user": "Full control allows password reset, Kerberoasting via SPN, or shadow credential attack",
        "group": "Full control allows adding arbitrary members to the group",
        "computer": "Full control allows resource-based constrained delegation attack",
        "organizationalUnit": "Full control allows linking malicious GPO or moving objects",
    },
    "WriteDACL": {
        "user": "Can modify DACL to grant self GenericAll, then reset password",
        "group": "Can modify DACL to grant self write membership, then add self",
        "computer": "Can modify DACL to grant self full control on machine account",
        "organizationalUnit": "Can modify DACL to gain control over OU child objects",
    },
    "WriteOwner": {
        "user": "Can take ownership then modify DACL to escalate privileges",
        "group": "Can take ownership of group then modify membership",
        "computer": "Can take ownership then configure delegation abuse",
        "organizationalUnit": "Can take ownership then control OU policies",
    },
    "GenericWrite": {
        "user": "Can write scriptPath for logon script execution or modify SPN for Kerberoasting",
        "group": "Can modify group attributes including membership",
        "computer": "Can write msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD attack",
        "organizationalUnit": "Can modify OU attributes and link GPO",
    },
}


def is_admin_sid(sid: str, domain_sid: str) -> bool:
    if sid in ADMIN_SIDS:
        return True
    for suffix in ADMIN_RID_SUFFIXES:
        if sid == domain_sid + suffix:
            return True
    return False


def parse_sid(raw: bytes) -> str:
    if len(raw) < 8:
        return ""
    revision = raw[0]
    sub_auth_count = raw[1]
    authority = int.from_bytes(raw[2:8], byteorder="big")
    subs = []
    for i in range(sub_auth_count):
        offset = 8 + i * 4
        if offset + 4 > len(raw):
            break
        subs.append(struct.unpack("<I", raw[offset:offset + 4])[0])
    return f"S-{revision}-{authority}-" + "-".join(str(s) for s in subs)


def parse_acl(descriptor_bytes: bytes) -> list:
    aces = []
    if len(descriptor_bytes) < 20:
        return aces
    revision = descriptor_bytes[0]
    control = struct.unpack("<H", descriptor_bytes[2:4])[0]
    dacl_offset = struct.unpack("<I", descriptor_bytes[16:20])[0]
    if dacl_offset == 0 or dacl_offset >= len(descriptor_bytes):
        return aces
    dacl = descriptor_bytes[dacl_offset:]
    if len(dacl) < 8:
        return aces
    acl_size = struct.unpack("<H", dacl[2:4])[0]
    ace_count = struct.unpack("<H", dacl[4:6])[0]
    offset = 8
    for _ in range(ace_count):
        if offset + 4 > len(dacl):
            break
        ace_type = dacl[offset]
        ace_flags = dacl[offset + 1]
        ace_size = struct.unpack("<H", dacl[offset + 2:offset + 4])[0]
        if ace_size < 4 or offset + ace_size > len(dacl):
            break
        if ace_type in (0x00, 0x05):
            if offset + 8 <= len(dacl):
                access_mask = struct.unpack("<I", dacl[offset + 4:offset + 8])[0]
                sid_offset = offset + 8
                if ace_type == 0x05:
                    sid_offset = offset + 8 + 32
                if sid_offset < offset + ace_size:
                    sid_bytes = dacl[sid_offset:offset + ace_size]
                    sid_str = parse_sid(sid_bytes)
                    matched_perms = []
                    for perm_name, mask_val in DANGEROUS_MASKS.items():
                        if access_mask & mask_val:
                            matched_perms.append(perm_name)
                    if matched_perms:
                        aces.append({
                            "ace_type": "ACCESS_ALLOWED" if ace_type in (0x00, 0x05) else "OTHER",
                            "access_mask": f"0x{access_mask:08x}",
                            "trustee_sid": sid_str,
                            "permissions": matched_perms,
                        })
        offset += ace_size
    return aces


def resolve_sid(conn: Connection, base_dn: str, sid: str) -> str:
    try:
        conn.search(base_dn, f"(objectSid={sid})", attributes=["sAMAccountName", "cn"])
        if conn.entries:
            entry = conn.entries[0]
            return str(entry.sAMAccountName) if hasattr(entry, "sAMAccountName") else str(entry.cn)
    except Exception:
        pass
    return sid


def get_domain_sid(conn: Connection, base_dn: str) -> str:
    conn.search(base_dn, "(objectClass=domain)", attributes=["objectSid"])
    if conn.entries:
        raw = conn.entries[0].objectSid.raw_values[0]
        return parse_sid(raw)
    return ""


def analyze_acls(dc_ip: str, domain: str, username: str, password: str,
                 target_ou: str) -> dict:
    server = Server(dc_ip, get_info=ALL, use_ssl=False)
    domain_parts = domain.split(".")
    base_dn = ",".join(f"DC={p}" for p in domain_parts)
    search_base = target_ou if target_ou else base_dn
    ntlm_user = f"{domain}\\{username}"

    conn = Connection(server, user=ntlm_user, password=password,
                      authentication=NTLM, auto_bind=True)
    domain_sid = get_domain_sid(conn, base_dn)

    conn.search(
        search_base,
        "(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit))",
        search_scope=SUBTREE,
        attributes=["distinguishedName", "sAMAccountName", "objectClass", "nTSecurityDescriptor"],
    )

    findings = []
    objects_scanned = 0
    sid_cache = {}

    for entry in conn.entries:
        objects_scanned += 1
        dn = str(entry.distinguishedName)
        obj_classes = [str(c) for c in entry.objectClass.values] if hasattr(entry, "objectClass") else []
        obj_type = "unknown"
        for oc in obj_classes:
            if oc.lower() in ("user", "group", "computer", "organizationalunit"):
                obj_type = oc.lower()
                break

        if not hasattr(entry, "nTSecurityDescriptor"):
            continue
        raw_sd = entry.nTSecurityDescriptor.raw_values
        if not raw_sd:
            continue
        sd_bytes = raw_sd[0]
        aces = parse_acl(sd_bytes)

        for ace in aces:
            trustee_sid = ace["trustee_sid"]
            if is_admin_sid(trustee_sid, domain_sid):
                continue
            if trustee_sid not in sid_cache:
                sid_cache[trustee_sid] = resolve_sid(conn, base_dn, trustee_sid)
            trustee_name = sid_cache[trustee_sid]

            for perm in ace["permissions"]:
                if perm in ("Delete", "DeleteChild", "Self", "WriteProperty", "ExtendedRight"):
                    severity = "medium"
                else:
                    severity = "critical"
                attack = ATTACK_PATHS.get(perm, {}).get(obj_type,
                         f"{perm} on {obj_type} may allow privilege escalation")
                findings.append({
                    "severity": severity,
                    "target_object": dn,
                    "target_type": obj_type,
                    "trustee": trustee_name,
                    "trustee_sid": trustee_sid,
                    "permission": perm,
                    "access_mask": ace["access_mask"],
                    "ace_type": ace["ace_type"],
                    "attack_path": attack,
                    "remediation": f"Remove {perm} ACE for {trustee_name} on {dn}",
                })

    conn.unbind()
    findings.sort(key=lambda f: 0 if f["severity"] == "critical" else 1)
    return {
        "domain": domain,
        "domain_sid": domain_sid,
        "search_base": search_base,
        "objects_scanned": objects_scanned,
        "dangerous_aces_found": len(findings),
        "findings": findings,
    }


def main():
    parser = argparse.ArgumentParser(description="Active Directory ACL Abuse Analyzer")
    parser.add_argument("--dc-ip", required=True, help="Domain Controller IP address")
    parser.add_argument("--domain", required=True, help="AD domain name (e.g., corp.example.com)")
    parser.add_argument("--username", required=True, help="Domain username for LDAP bind")
    parser.add_argument("--password", required=True, help="Domain user password")
    parser.add_argument("--target-ou", default=None,
                        help="Target OU distinguished name to scope the search")
    parser.add_argument("--output", default=None, help="Output JSON file path")
    args = parser.parse_args()

    result = analyze_acls(args.dc_ip, args.domain, args.username,
                          args.password, args.target_ou)
    report = json.dumps(result, indent=2)
    if args.output:
        with open(args.output, "w") as f:
            f.write(report)
    print(report)


if __name__ == "__main__":
    main()
Keep exploring