Skip to content

My Hacking Notes

LDAP Checks

AD LDAP Privileges, Attributes, and Attack Paths¶

Use as a reference for relationships discovered using Bloodhound

GenericAll (User/Computer)¶

`msDS-KeyCredentialLink` (User/Computer)¶

Shadow Credentials

`servicePrincipalName` (User/Computer)¶

Kerberoast - SPN hijack (add/take SPNs)

`userAccountControl` (User)¶

AS‑REP roast - set DONT_REQ_PREAUTH (note: some delegation flags require SeEnableDelegationPrivilege)

`msDS-AllowedToActOnBehalfOfOtherIdentity` (Computer)¶

Resource-Based Constrained Delegation (RBCD) (impersonate users to target services)

`GenericWrite` (User/Computer)¶

`msDS-KeyCredentialLink` (User/Computer)¶

Shadow Credentials

`servicePrincipalName` (User/Computer)¶

Kerberoast - SPN hijack

`userAccountControl` (User)¶

AS‑REP roast - flip preauth off (delegation flags typically need SeEnableDelegationPrivilege)

`msDS-AllowedToActOnBehalfOfOtherIdentity` (Computer)¶

Resource-Based Constrained Delegation (RBCD)

`msDS-SupportedEncryptionTypes` (User/Computer)¶

Bias/force RC4 to ease Kerberoast

`mS-DS-ConsistencyGuid` (User)¶

Potential Entra ID account link hijack (if used as sourceAnchor)

`altSecurityIdentities` (User)¶

Certificate mapping abuses → AD CS Abuse

`WriteProperty: All properties` (User/Computer)¶

`msDS-KeyCredentialLink` (User/Computer)¶

Shadow Credentials

`servicePrincipalName` (User/Computer)¶

Kerberoast - SPN hijack

`userAccountControl` (User)¶

AS‑REP roast - flip preauth off (delegation flags typically need SeEnableDelegationPrivilege)

`msDS-AllowedToActOnBehalfOfOtherIdentity` (Computer)¶

Resource-Based Constrained Delegation (RBCD)

`msDS-SupportedEncryptionTypes` (User/Computer)¶

Force weak crypto (RC4) → Kerberoast

`WriteProperty(msDS-KeyCredentialLink)` (User/Computer)¶

`msDS-KeyCredentialLink` (User/Computer)¶

Shadow Credentials

`WriteDACL` (aka `WriteDacl`) (User/Computer/Group/GPO/OU/Domain)¶

User/Computer object¶

Grant self WriteProperty(msDS-KeyCredentialLink) → Shadow Credentials
Grant self SPN write or ResetPassword → Kerberoast / account takeover

Domain naming context (domainDNS object)¶

Grant DS‑Replication Get‑Changes* → DCSync (hash dump, Golden)

Group object¶

Grant WriteProperty(member) → add self/others to privileged groups

GPO / OU¶

Grant GPO edit or gPLink write → code exec via GPO / link malicious GPO

`CN=AdminSDHolder,CN=System,<domain>` (container)¶

Backdoor ACEs to persist control over protected accounts/groups

`WriteOwner` (User/Computer/Group/GPO/OU/Domain)¶

Any object (take ownership first)¶

Take ownership → add WriteDACL/GenericWrite → perform abuses above
Persistence by planting backdoor ACEs after ownership

`WriteProperty(member)` (Group)¶

`member` (Group)¶

Add self to Domain Admins / server admin groups (immediate elevation)
Add backdoor members for persistence

Replication rights (Domain NC)¶

`DS‑Replication‑Get‑Changes` / `...‑All` / `...‑In‑Filtered‑Set` (Domain)¶

GPO control (GPO object) / `WriteProperty(gPLink)` (OU/Site)¶

GPO (`GenericWrite`/`WriteDACL`) or OU/Site (`gPLink`)¶

Code execution via startup/logon scripts or scheduled tasks (GPO)
Link malicious GPO to targeted OUs

`CreateChild(Computer)` (OU)¶

OU (`CreateChild: Computer`) (+ optional `DeleteChild`/`WriteProperty` on child)¶

AddComputer even if MAQ=0 (when you have OU rights)
Pair with Resource-Based Constrained Delegation (RBCD) if you can set msDS-AllowedToActOnBehalfOfOtherIdentity on targets

Validated write: `servicePrincipalName` (User/Computer)¶

`servicePrincipalName` (User/Computer)¶

Kerberoast within validation constraints
SPN hijack (within validated rules)

Control access: `ResetPassword` (`AllExtendedRights`) (User)¶

`resetPassword` (User)¶

Force password change → account takeover
(Not sufficient for Shadow Credentials by itself)

Control access: Read LAPS / gMSA secrets¶

`ms‑Mcs‑AdmPwd` (Computer; classic LAPS)¶

Read local admin password → lateral movement

`msDS‑ManagedPassword` (gMSA object)¶

Read managed password blob (requires specific control access right) → run as gMSA

`msDS‑GroupMSAMembership` / `PrincipalsAllowedToRetrieveManagedPassword` (gMSA)¶

Identify who can retrieve gMSA password → expand/prioritize targets

Special attribute (domain policy)¶

`ms‑DS‑MachineAccountQuota` (Domain)¶

If > 0, any authenticated user can AddComputer (within quota)
Combine new machine with RBCD or relay to pivot

Additional notable privileges / attributes¶

`WriteProperty(SIDHistory)` (User)¶

Add privileged SIDs to self (rare/misconfig) → instant elevation

DNSAdmins / DNS server control¶

Malicious DNS plugin or AD‑integrated DNS poisoning → credential capture/relay; potential DC code exec

Notes¶

Scope matters: RBCD targets computer objects; Shadow Creds apply to user or computer objects.
Delegation flags: Setting unconstrained or TrustedToAuthForDelegation typically requires SeEnableDelegationPrivilege; object write alone may fail.
Inheritance: Rights on a parent OU applying to descendant User/Computer objects affect all children (mass abuse potential).
Attribute names: msDS-* and ms‑DS-* are distinct ldapDisplayNames; use exact spelling (LDAP is case‑insensitive, but names differ).