AddMember is only as dangerous as the group being modified. The same edge can be low-impact on a reporting group or domain-compromising on a delegated administration group.
| Target | Required right | Abuse path | Linux tooling | Windows tooling | Response focus |
|---|---|---|---|---|---|
| Security group | AddMember / WriteMembers | Add controlled user to the group | bloodyAD add groupMember, net rpc group addmem | PowerView Add-DomainGroupMember, AD module Add-ADGroupMember | Remove the added member and review group membership changes |
| Local admin delegation group | AddMember / WriteMembers | Add controlled user, refresh token, access delegated hosts | bloodyAD, nxc smb validation | PowerView plus runas, WinRM, RDP, SMB validation | Remove membership and review local admin propagation |
| Remote access group | AddMember / WriteMembers | Add controlled user, then use WinRM/RDP/SMB if policy allows it | evil-winrm, nxc winrm, xfreerdp | Enter-PSSession, mstsc, SMB tools | Remove membership and review logon events |
| SQL/application group | AddMember / WriteMembers | Add controlled user to inherit app or database rights | bloodyAD, app-specific clients | PowerView, native app clients | Remove membership and rotate exposed application secrets if accessed |
| Privileged AD group | AddMember / WriteMembers | Add controlled user to gain directory control | bloodyAD, net rpc | PowerView, AD module | Remove membership, investigate privilege escalation, invalidate active sessions |