BloodHound-Relevant ACE Permissions (Access Rights)
| Permission | What It Lets You Do | What You Can’t Do |
|---|---|---|
| GenericAll | Full control over the object — add/remove members, reset passwords, modify ACLs | N/A — this is the highest possible permission |
| GenericWrite | Modify most properties (e.g., member, description, servicePrincipalName) | Can’t edit the object’s DACL or owner |
| WriteOwner | Change the owner of the object to yourself; the owner implicitly holds WRITE_DAC, so you can then add ACEs granting yourself full control | Doesn’t touch the DACL by itself; it is a two-step path (take ownership, then rewrite the DACL). A separate WriteDACL ACE is not needed |
| WriteDACL | Modify the object’s DACL, i.e., add an ACE for yourself | Can’t change ownership directly (that’s WriteOwner), although you can grant yourself WriteOwner or GenericAll through the DACL |
| AddMember | BloodHound’s name for WriteProperty on a group’s member attribute: add (or remove) members | Nothing else on the object; only meaningful on group objects |
| AllExtendedRights | Every extended (control access) right on the object, e.g. User-Force-Change-Password on a user, DS-Replication-Get-Changes / -Get-Changes-All on the domain head (DCSync), Enroll on certificate templates | Doesn’t let you modify group membership, ACLs, or ownership, and grants no code execution by itself |
| User-Force-Change-Password | Reset someone’s password without knowing the old one | Can’t read the user’s password; only sets a new one, which the user (or a service using the account) will notice |
| Self | Validated writes only: add your own account to a group (Self-Membership, BloodHound’s AddSelf edge), or set an SPN / DNS host name that matches the object’s own name | Highly limited; the written value must pass validation, so no arbitrary SPNs. RBCD abuse needs WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity, which is not a validated write |
| ReadProperty | Read attributes of an object (e.g., group membership, SPNs, description) | No write access; can’t modify anything |
| WriteProperty | Modify the attribute(s) named in the ACE, or every attribute if the ACE is unscoped (BloodHound reports the unscoped form as GenericWrite) | Can’t change ownership or the DACL; those are separate rights (WriteOwner, WriteDACL) |
| Owns Object (Owner) | The owner implicitly holds READ_CONTROL and WRITE_DAC, so it can always rewrite the DACL and grant itself GenericAll | Not full control on its own; it is one DACL edit away. Only relevant if you’re already the owner (or gain ownership via WriteOwner). An “OWNER RIGHTS” (S-1-3-4) ACE in the DACL replaces these implicit rights |
Common Abuse Paths Based on Permissions
| If you have this… | You can… |
|---|---|
| GenericAll | Anything: reset password, add to groups, set SPNs, RBCD, rewrite the DACL or owner, etc. |
| GenericWrite | Add members to groups (member), set SPNs on users, write msDS-AllowedToActOnBehalfOfOtherIdentity on computers (RBCD), backdoor accounts for lateral movement / privilege escalation |
| WriteOwner | Make yourself the owner, then use the owner’s implicit WRITE_DAC to grant yourself GenericAll |
| WriteDACL | Add an ACE for your user to the object’s DACL granting GenericAll (or a narrower right such as ResetPassword or WriteMembers) |
| AllExtendedRights (on a user) | Reset the user’s password, e.g. with PowerView’s Set-DomainUserPassword, without knowing the old one |
| AllExtendedRights (on the domain head) | DCSync: DS-Replication-Get-Changes plus -Get-Changes-All lets you pull password hashes from a DC |
| AddMember (on a group) | Add a low-privilege account to a privileged group (Domain Admins, or any domain group nested into a server’s local Administrators) |
| WriteProperty (servicePrincipalName on a user) | Set an SPN on the account, request a TGS for it, and Kerberoast it offline |
| WriteProperty (msDS-AllowedToActOnBehalfOfOtherIdentity on a computer) | Configure RBCD to a computer account you control, then S4U2Self/S4U2Proxy into the target as a privileged user |
| Self (Self-Membership on a group) | Add your own account to the group (AddSelf) |
What You Cannot Do with Each Permission
| Permission | You Cannot… |
|---|---|
| GenericWrite | Change the DACL or the owner of the object |
| WriteOwner | Change the DACL in one step; you first take ownership, and the owner’s implicit WRITE_DAC then lets you edit it |
| WriteDACL | Change the object’s owner directly (that’s WriteOwner), though you can grant yourself WriteOwner or GenericAll through the DACL |
| AddMember | Modify anything other than the member attribute, or use it on non-group objects |
| AllExtendedRights | Change group membership, ownership, or ACLs |
| Self | Write anything outside the validated-write attributes (own group membership, own SPN / DNS host name); not general write access |
| ReadProperty | You’re just reading; no write, no escalation (useful for enumeration only) |
| User-Force-Change-Password | Extract the password; you can only overwrite/reset it, and the reset is visible to the user and in the DC’s audit log |
Bonus: What to Look for in BloodHound
| BloodHound Edge | Underlying Permission | What to Check |
|---|---|---|
| AddMember | WriteProperty on the group’s member attribute | Does the group, or a group it nests into, hold privileges (e.g., Domain Admins)? |
| AddSelf | Self-Membership validated write | Same question, but only your own account can be added |
| ForceChangePassword | AllExtendedRights / User-Force-Change-Password | Can you reset and take over a privileged user? Is it a service account whose reset will break something and get noticed? |
| GenericWrite | GenericWrite (or unscoped WriteProperty) on the object | Can you backdoor the object (SPN, RBCD attribute) or add it to a group? |
| Owns, WriteOwner, WriteDacl | Any one of these lets you rewrite the DACL (the owner has implicit WRITE_DAC) | Grant yourself GenericAll, then pick any path above |
| CanRDP, CanPSRemote, ExecuteDCOM | Local group membership on the host (Remote Desktop Users, Remote Management Users, Distributed COM Users, or Administrators), not an AD object ACE | Can you move laterally via RDP, WinRM, or DCOM? |
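Before acting on an edge, confirm the ACE actually exists and which of the rights above it carries. The following is an added example, not code from the original page or from BloodHound/PowerView; it assumes PowerView is loaded in the session and that the objects returned by Get-DomainObjectAcl -ResolveGUIDs expose AccessMask, ObjectAceType, SecurityIdentifier, AceType and IsInherited, with ObjectAceType resolved to the schema / extended-right CN (e.g. Member, User-Force-Change-Password) via PowerView’s GUID map. The target name is a placeholder.

```powershell
# Added example, not from the original page. Assumes PowerView is loaded.
Import-Module .\PowerView.ps1          # assumed location of PowerView

function ConvertTo-EdgeName {
    # Map one ACE (as emitted by Get-DomainObjectAcl -ResolveGUIDs) to the
    # right/edge names used in the tables above. Access mask bits are the
    # ADS_RIGHT_* values: GenericAll 0xF01FF, WriteDacl 0x40000, WriteOwner 0x80000,
    # WriteProperty 0x20, ExtendedRight 0x100, Self 0x8.
    param([Parameter(Mandatory)]$Ace)
    $mask     = [int]$Ace.AccessMask
    $type     = $Ace.ObjectAceType          # $null for non-object ACEs (applies to everything)
    $unscoped = ($null -eq $type) -or ($type -eq 'All')
    $edges    = @()

    if (($mask -band 0xF01FF) -eq 0xF01FF) { return @('GenericAll') }
    if ($mask -band 0x40000) { $edges += 'WriteDacl' }
    if ($mask -band 0x80000) { $edges += 'WriteOwner' }
    if ($mask -band 0x20) {                 # WriteProperty
        if ($unscoped) { $edges += 'GenericWrite' }
        else {
            $name = switch ($type) {
                'Member'                                           { 'AddMember' }
                'Service-Principal-Name'                           { 'WriteSPN' }
                'ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity' { 'AddAllowedToAct' }
                default                                            { "WriteProperty:$type" }
            }
            $edges += $name
        }
    }
    if ($mask -band 0x100) {                # ExtendedRight (control access right)
        if ($unscoped) { $edges += 'AllExtendedRights' }
        else {
            $name = switch ($type) {
                'User-Force-Change-Password'     { 'ForceChangePassword' }
                'DS-Replication-Get-Changes'     { 'GetChanges' }
                'DS-Replication-Get-Changes-All' { 'GetChangesAll' }
                default                          { "ExtendedRight:$type" }
            }
            $edges += $name
        }
    }
    if ($mask -band 0x8) {                  # Self (validated write)
        if ($type -eq 'Self-Membership') { $edges += 'AddSelf' }
        elseif (-not $unscoped)          { $edges += "Self:$type" }
    }
    return $edges
}

function Get-MyEdgesTo {
    # List the allow ACEs on $TargetIdentity whose trustee is the current user or
    # one of the groups in its logon token, decoded to edge names.
    param([Parameter(Mandatory)][string]$TargetIdentity)
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    Get-DomainObjectAcl -Identity $TargetIdentity -ResolveGUIDs |
        Where-Object { $_.AceType -like 'AccessAllowed*' -and $mySids -contains $_.SecurityIdentifier.Value } |
        ForEach-Object {
            $ace = $_
            ConvertTo-EdgeName -Ace $ace | ForEach-Object {
                [pscustomobject]@{ Edge = $_; Trustee = $ace.SecurityIdentifier.Value; Inherited = $ace.IsInherited }
            }
        }
}

Get-MyEdgesTo -TargetIdentity 'HelpDesk Admins'    # assumed target
```

This deliberately ignores deny ACEs and inheritance flags, so treat a hit as “worth trying” rather than proof of effective access, and note that ownership lives in the security descriptor header rather than the DACL, so an Owns edge will not appear in this output.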
Real-World Abuse Example
Let’s say:
- You hold GenericWrite over the Domain Admins group (BloodHound shows a GenericWrite edge from your user to DOMAIN ADMINS).
- You use PowerView:

```powershell
Add-DomainGroupMember -Identity "Domain Admins" -Members backdoor.user
```

After your next logon (or a fresh TGT) you’re Domain Admin. Game over.

One caveat worth knowing: Domain Admins is protected by AdminSDHolder, and SDProp rewrites the DACL of protected objects from the AdminSDHolder template roughly every 60 minutes. A GenericWrite ACE on the group itself is therefore either a very fresh misconfiguration or one planted on AdminSDHolder; the membership you add, however, is not reverted by SDProp.
