Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / AddMember

Information

AddMember allows one principal to add another principal to a target group. If the group grants access, adding a controlled account to that group grants that access after token refresh or a new logon.

In BloodHound this appears as:

ATTACKER --AddMember--> TARGET GROUP

This edge is dangerous when the target group controls administration, remote access, database access, file access, or a later attack path. It does not need to target Domain Admins to matter. Groups such as Remote Management Users, Remote Desktop Users, SQL Admins, Workstation Admins, and delegated application groups are often enough.

The abuse is straightforward: add a controlled account to the group, refresh the account's token, validate access, and remove the membership when finished.