Technical Research | 18 May 2026 | 8 min read

ACL Abuse Havoc, a BOF toolkit for AD ACL exploitation via Havoc C2

Active Directory environments are riddled with ACL misconfigurations. GenericAll on a user account, WriteDacl on a group, GenericWrite on a computer object - these are the paths that turn a low-privileged foothold into domain admin. Tools like BloodHound map these relationships, but exploiting them from a C2 beacon has always required either dropping binaries to disk or running external tooling that breaks opsec.

There was no native ACL abuse toolkit for Havoc C2, so we built one. acl-abuse-havoc is a BOF (Beacon Object File) toolkit that runs eight common ACL abuse primitives entirely in memory, with no disk writes and no external dependencies.

What is inside

The toolkit covers the ACL abuse paths we encounter most frequently on engagements:

  • acl-shadow - Shadow Credentials attack chain (GenericWrite/GenericAll). RSA keypair generation, KeyCredential write, PKINIT, NT hash extraction, cleanup. Runs in under 5 seconds.
  • acl-fcp - ForceChangePassword via LDAPS.
  • acl-addmember - Add a user to a group (WriteMembers/GenericAll).
  • acl-owner - Take ownership of an object via WriteOwner over LDAPS.
  • acl-rbcd - Resource-Based Constrained Delegation abuse (GenericWrite on computer).
  • acl-dcsync - DCSync via WriteDacl on the domain object. Drops DS-Replication-Get-Changes and DS-Replication-Get-Changes-All in one shot.
  • acl-genericall - GenericAll abuse via WriteDacl modification.
  • acl-ace - Write a custom ACE with arbitrary access mask, type, and flags.

acl-shadow

Shadow Credentials is one of the most reliable privilege escalation paths in AD environments running AD CS. The chain involves writing a KeyCredential to a target object, authenticating via PKINIT to obtain a TGT, and extracting the NT hash from the PAC. Existing tools like Rubeus and Certipy handle this well, but neither runs as a native BOF inside Havoc. acl-shadow fills that gap.

The full chain runs as a single BOF:

  • LDAP lookup to resolve target DN and objectSid.
  • In-process 2048-bit RSA keypair generation.
  • Self-signed certificate with UPN SAN and SID URL (KB5014754 compliance).
  • msDS-KeyCredentialLink blob construction per MS-ADTS section 2.2.20.
  • LDAP write to add the KeyCredential to the target object.
  • PKINIT AS-REQ with PA-PK-AS-REQ and DH key exchange (MODP Group 2).
  • AS-REP reply key derivation via kTruncate (RFC 4556 section 3.2.3.1).
  • U2U TGS-REQ to obtain a service ticket encrypted with the session key.
  • PAC_CREDENTIAL_INFO decryption to extract the NT hash.
  • Cleanup - removes the KeyCredential from msDS-KeyCredentialLink.

The full chain, from the KeyCredential write to cleanup, completes in under 5 seconds. Encryption type negotiation handles AES256-CTS-HMAC-SHA1-96, AES128-CTS-HMAC-SHA1-96 and RC4-HMAC automatically. Target requirements: a Windows Server 2016 or later DC, and AD CS with the Kerberos Authentication certificate template.

Opsec considerations

acl-shadow touches two protocols: LDAP for the KeyCredential write/delete and Kerberos for the PKINIT + U2U exchange. The LDAP write generates Event 5136 (directory service object modified) on the target's msDS-KeyCredentialLink attribute. The PKINIT authentication generates Event 4768 with certificate information. The cleanup removes the attribute value, but the 5136 for the initial write has already been logged.

The short window between write and cleanup makes real-time detection harder, but forensic analysis will still see both events. Nothing is written to disk - the RSA keypair, certificate, and PFX all live in process memory for the duration of BOF execution.
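As an added, defender-side example (not part of the toolkit or this post), the following Python correlates the events named above against a constructed log sample: a 5136 value-added on msDS-KeyCredentialLink, a 4768 that carries certificate data, and the 5136 value-deleted from cleanup, all for the same account within a short window. It assumes the 5136 ObjectDN has already been resolved to the same account name the 4768 reports, and uses the %%14674/%%14675 OperationType codes Event 5136 logs for value added/deleted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

KEYCRED_ATTR = "msds-keycredentiallink"
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # Event 5136 OperationType codes

@dataclass
class Event:
    ts: datetime
    event_id: int
    account: str            # 5136 ObjectDN resolved to sAMAccountName; 4768 TargetUserName
    attr: str = ""          # 5136 AttributeLDAPDisplayName
    op: str = ""            # 5136 OperationType
    cert_issuer: str = ""   # 4768 CertIssuerName; empty unless PKINIT was used

@dataclass
class Alert:
    account: str
    write_ts: datetime
    pkinit_seen: bool
    cleanup_seen: bool
    cleanup_delay_s: Optional[float]   # seconds from key write to key removal

def _keycred(e, op):
    return e.event_id == 5136 and e.attr.lower() == KEYCRED_ATTR and e.op == op

def detect_shadow_credentials(events, window=timedelta(minutes=10)):
    """One Alert per KeyCredentialLink write that is followed within `window` by
    PKINIT and/or removal of the value. The write anchors the rule because the
    cleanup step cannot un-log it."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for w in (e for e in events if _keycred(e, VALUE_ADDED)):
        later = [e for e in events if w.ts <= e.ts <= w.ts + window
                 and e.account.lower() == w.account.lower()]
        pkinit = any(e.event_id == 4768 and e.cert_issuer for e in later)
        cleanups = [e for e in later if _keycred(e, VALUE_DELETED)]
        if pkinit or cleanups:
            delay = (cleanups[0].ts - w.ts).total_seconds() if cleanups else None
            alerts.append(Alert(w.account, w.ts, pkinit, bool(cleanups), delay))
    return alerts

T0 = datetime(2026, 5, 18, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not real log data
    Event(T0, 5136, "svc-backup", attr="msDS-KeyCredentialLink", op=VALUE_ADDED),
    Event(T0 + timedelta(seconds=2), 4768, "svc-backup", cert_issuer="CN=CORP-CA"),
    Event(T0 + timedelta(seconds=4), 5136, "svc-backup", attr="msDS-KeyCredentialLink", op=VALUE_DELETED),
    # key added and left in place (ordinary enrollment pattern): no alert on its own
    Event(T0 + timedelta(hours=1), 5136, "jdoe", attr="msDS-KeyCredentialLink", op=VALUE_ADDED),
]
```

A write followed only by a delete still alerts, so the rule does not depend on the 4768 landing on the same DC as the LDAP write.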

Getting started

Build requires mingw-w64 (x64 only). Clone the repo, run make, and load acl-abuse.py via Script Manager in the Havoc client. All commands accept an optional DC argument - omit it and the DC is auto-discovered via DsGetDcNameW.

The project is open-source and available at github.com/OFFCEPT/acl-abuse-havoc.
