
Feature: WriteLogonScript ACL support

Open · ncha-syn opened this issue 2 months ago • 1 comment

Feature Description

Currently, the "scriptPath" attribute's ACEs are not collected.

Are you intending to implement this feature?

Yes

Current Behavior

There would be a new edge "WriteLogonScript".

Desired Behavior

It would extend bloodhound capabilities and support a new edge.

Use Case

This PR adds a missing edge to compromise users.

Implementation Suggestions

Additional Information

ncha-syn, Nov 12 '25 16:11
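For readers who want to see what the proposed edge would actually enumerate, the following is an added PowerShell example written for this page; it is not BloodHound or SharpHound code and not the pull request's implementation. It lists the principals that hold write rights over the scriptPath attribute of user objects, which is exactly the relationship a "WriteLogonScript" edge would record. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) on a domain-joined host; the function name Get-ScriptPathWriters and the $DefaultAdmins noise filter are choices made here, and the schema GUID of scriptPath is resolved from the forest schema rather than hard-coded.

```powershell
# Added example (not BloodHound/SharpHound code): enumerate principals with write
# rights over the scriptPath attribute of user objects, i.e. the relationship a
# "WriteLogonScript" edge would record.
# Assumptions: RSAT ActiveDirectory module (AD: drive), run as a domain user;
# Get-ScriptPathWriters and $DefaultAdmins are names chosen for this example.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of scriptPath from the schema instead of hard-coding it,
# so the check works in any forest.
$schemaNC       = (Get-ADRootDSE).schemaNamingContext
$scriptPathAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=scriptPath)' -Properties schemaIDGUID
$scriptPathGuid = [guid]::new([byte[]]$scriptPathAttr.schemaIDGUID)

# Principals whose write access is expected by default; filtered out to reduce noise.
$netbios = (Get-ADDomain).NetBIOSName
$DefaultAdmins = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                   "$netbios\Domain Admins", "$netbios\Enterprise Admins")

function Get-ScriptPathWriters {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($DefaultAdmins -contains $ace.IdentityReference.Value) { continue }

            $rights = $ace.ActiveDirectoryRights
            # GenericAll / GenericWrite cover every attribute; WriteProperty counts only
            # when scoped to scriptPath itself or to all properties (empty ObjectType).
            # ACEs granted through a property set are not resolved here, so the
            # result can under-report.
            $writesScriptPath =
                $rights.HasFlag($ADR::GenericAll) -or
                $rights.HasFlag($ADR::GenericWrite) -or
                ($rights.HasFlag($ADR::WriteProperty) -and
                 ($ace.ObjectType -eq $scriptPathGuid -or $ace.ObjectType -eq [guid]::Empty))
            if (-not $writesScriptPath) { continue }

            [pscustomobject]@{
                User      = $user.SamAccountName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: Get-ScriptPathWriters | Format-Table -AutoSize
```

Every row in the output is a (user, principal) pair that a collector would turn into a WriteLogonScript edge; whether such an edge is worth having is the question the maintainers raise below, since an edge is only useful if the write translates into a reliable abuse path.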

Hi @ncha-syn, thank you for the PRs!

It's a good idea. We discussed it internally and would love to see it implemented if there is a reliable abuse mechanism.

Do you have an example of such?

I found two blogs about it, but both fail to demonstrate an abuse mechanism as they require writing a script to NETLOGON, i.e., not viable:

  • https://medium.com/@muneebnawaz3849/writescriptpath-abuse-in-active-directory-cb5945848a51
  • https://happycamper84.medium.com/the-scriptpath-attribute-another-incredibly-arcane-windows-privilege-5bf4f3dcd8c4

The second also states:

Personally I had issues getting a logon script to run unless it was in NETLOGON. However given what Microsoft and Google say I would not take this as definitive that logon scripts will only run out of NETLOGON.

martinsohn, Nov 14 '25 14:11

Hi @ncha-syn, any update on a PoC writeup?

I attempted to reproduce your abuse guidance but failed.

I followed this approach:

  1. On the domain-joined AttackerHost, created \\AttackerHost\share and added run_at_logon.exe
  2. On the domain-joined VictimHost, as an administrator, started Wireshark & Procmon on VictimHost (RDP session)
  3. Set VictimUser's ScriptPath to \\AttackerHost_IP\share\run_at_logon.exe
  4. On VictimHost, logged in with VictimUser (console logon)

I got no execution, no Wireshark packets, and no Procmon activity for VictimUser.

I've also tried using FQDN (\\AttackerHost.domain.local\share\run_at_logon.exe) and hostname (\\AttackerHost\share\run_at_logon.exe) with no success.

Please let me know if I'm doing something different than you, thank you :)

Note: Bear in mind that we also cannot accept the commits as-is (check out the comments by coderabbitai), for example, there is text unrelated to this attack: "The tool will automatically attempt a targetedKerberoast attack, either on all users or against a..."

martinsohn, Dec 15 '25 18:12
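Whatever the outcome of the reproduction attempt above, a scriptPath value that points at an arbitrary UNC share (as opposed to a relative name resolved under NETLOGON) is something a defender can audit for directly, and changes to the attribute can be watched. The following is an added PowerShell example written for this page, not code from the issue thread or from BloodHound. It assumes the RSAT ActiveDirectory module; the function names Test-ScriptPathSuspicious, Get-SuspiciousScriptPath and Get-ScriptPathChangeEvents are chosen here; and the event query only returns results on a domain controller where the "Audit Directory Service Changes" subcategory is enabled and a SACL covers user objects.

```powershell
# Added example (not from the issue thread): defender-side checks around scriptPath.
# Assumptions: RSAT ActiveDirectory module; function names are chosen here; the
# 5136 query needs "Audit Directory Service Changes" plus a SACL on user objects.
Import-Module ActiveDirectory

function Test-ScriptPathSuspicious {
    param([string]$ScriptPath, [string[]]$TrustedHosts)
    if ([string]::IsNullOrWhiteSpace($ScriptPath)) { return $false }
    # Relative names (logon.bat, it\logon.vbs) resolve under the NETLOGON share: expected.
    if ($ScriptPath -notmatch '^\\\\') { return $false }
    # UNC path: accept only when it points at a trusted host's NETLOGON or SYSVOL share.
    if ($ScriptPath -match '^\\\\([^\\]+)\\([^\\]+)(\\|$)') {
        $onTrustedHost = $TrustedHosts -contains $Matches[1]   # -contains is case-insensitive
        $onLogonShare  = $Matches[2] -in @('NETLOGON', 'SYSVOL')
        return -not ($onTrustedHost -and $onLogonShare)
    }
    return $true   # UNC prefix but not a well-formed \\host\share path
}

function Get-SuspiciousScriptPath {
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *
    # Trusted: the domain names (\\domain.local\NETLOGON) and each DC by short name and FQDN.
    $trusted = @($domain.DNSRoot, $domain.NetBIOSName) + @($dcs.HostName) + @($dcs.Name)
    Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath |
        Where-Object { Test-ScriptPathSuspicious -ScriptPath $_.scriptPath -TrustedHosts $trusted } |
        Select-Object SamAccountName, scriptPath, DistinguishedName
}

# Modifications of scriptPath are logged as Security event 5136 (directory service
# object modified) with AttributeLDAPDisplayName = scriptPath; pull the last N hours.
function Get-ScriptPathChangeEvents {
    param([int]$Hours = 24)
    $ms    = $Hours * 3600000
    $xpath = "*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='AttributeLDAPDisplayName']='scriptPath']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Object   = $data['ObjectDN']
                Subject  = $data['SubjectUserName']
                NewValue = $data['AttributeValue']
                Op       = $data['OperationType']   # %%14674 = value added, %%14675 = value deleted
            }
        }
}

# Usage: Get-SuspiciousScriptPath | Format-Table -AutoSize
#        Get-ScriptPathChangeEvents -Hours 48
```

Run Get-SuspiciousScriptPath from any domain-joined host to find accounts whose logon script lives outside NETLOGON/SYSVOL; the UNC values tried in the reproduction above (\\AttackerHost\share\run_at_logon.exe and its IP and FQDN variants) would all be flagged, since AttackerHost is not a domain controller. Get-ScriptPathChangeEvents runs on a DC and shows who changed the attribute and to what, which is the signal to alert on regardless of whether the script ends up executing.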