Abusing AD-DACL: ForceChangePassword
In this post, we explore the abuse of Discretionary Access Control Lists (DACLs) in Active Directory through the ForceChangePassword right. Holding this right over a privileged account is especially dangerous: an attacker can reset that account's password without knowing the current one and then impersonate it, enabling unauthorized access and lateral movement across systems.
The lab setup needed to simulate these attacks is outlined, with each method mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activity linked to ForceChangePassword abuse are also covered, alongside actionable recommendations for mitigating the underlying weak permissions. This overview equips security professionals with the insight needed to recognize and defend against this common misconfiguration.
Table of Contents
ForceChangePassword Right
Prerequisites
Lab Setup – User Owns ForceChangePassword Rights
Exploitation – User Owns ForceChangePassword Rights
Bloodhound – Hunting for Weak Permission
Method for Exploitation – Change Password (T1110.001)
Linux Net RPC – Samba
Linux Net RPC – Rpcclient
Linux Net RPC – BloodAD
Windows PowerShell – Powerview
Detection & Mitigation