Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / AddMember

Matrix

AddMember is only as dangerous as the group being modified. The same edge can be low-impact on a reporting group or domain-compromising on a delegated administration group.

TargetRequired rightAbuse pathLinux toolingWindows toolingResponse focus
Security groupAddMember / WriteMembersAdd controlled user to the groupbloodyAD add groupMember, net rpc group addmemPowerView Add-DomainGroupMember, AD module Add-ADGroupMemberRemove the added member and review group membership changes
Local admin delegation groupAddMember / WriteMembersAdd controlled user, refresh token, access delegated hostsbloodyAD, nxc smb validationPowerView plus runas, WinRM, RDP, SMB validationRemove membership and review local admin propagation
Remote access groupAddMember / WriteMembersAdd controlled user, then use WinRM/RDP/SMB if policy allows itevil-winrm, nxc winrm, xfreerdpEnter-PSSession, mstsc, SMB toolsRemove membership and review logon events
SQL/application groupAddMember / WriteMembersAdd controlled user to inherit app or database rightsbloodyAD, app-specific clientsPowerView, native app clientsRemove membership and rotate exposed application secrets if accessed
Privileged AD groupAddMember / WriteMembersAdd controlled user to gain directory controlbloodyAD, net rpcPowerView, AD moduleRemove membership, investigate privilege escalation, invalidate active sessions