Add Member

Description

The Source security principal can add itself (validated write right), or anyone (write property right), to the members of the Target group and benefit from the access rights given to the group.

A malicious security principal performing this operation would create a "Member of" attack relation.

Exploitation

Attackers who compromise the Source security principal only have to edit the "members" attribute of the Target group through native Windows commands such as "net group /domain", PowerShell such as "Add-ADGroupMember", administration tools such as "Active Directory Users and Computers", or dedicated hacker tools such as PowerSploit.

Remediation

If the Source security principal does not need the right to add a member to the Target group, then you must remove this permission.

To modify the security descriptor of the Target group:

  1. In "Active Directory Users and Computers", right-click the Target group, then select Properties > Security.

  2. Remove permissions such as "Write Members", "Write all properties", "Full control", "All validated writes", "Add/remove self as member", etc.

Note: A group can inherit permissions from an object higher in the Active Directory tree, so an inherited entry must be removed on the parent container or organizational unit rather than on the group itself.
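As an added example (not part of the original page), the following PowerShell lists the access control entries on a group that grant the permissions step 2 tells you to remove, so you can see which trustees hold the "Add Member" right and whether the entry is inherited. It assumes the RSAT ActiveDirectory module is available and that the group name passed in is a sAMAccountName or distinguished name.

```powershell
# Added example: audit a group's security descriptor for "Add Member" rights.
# Assumes the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

# Well-known schema GUID of the "member" attribute; the same GUID identifies
# the "Self-Membership" validated write (Add/remove self as member).
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$allProps   = [Guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to every property
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-AddMemberAce {
    param([Parameter(Mandatory)][string]$GroupName)   # sAMAccountName or DN (assumed input)

    $dn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        # An ACE scoped to the member attribute, or to all properties, covers group membership.
        $onMember = ($ace.ObjectType -eq $memberGuid) -or ($ace.ObjectType -eq $allProps)

        # Order matters: GenericAll/GenericWrite also contain the WriteProperty and Self bits.
        if     ($r -band $ADR::GenericAll)                     { $reason = 'Full control' }
        elseif ($r -band $ADR::GenericWrite)                   { $reason = 'Write all properties' }
        elseif (($r -band $ADR::WriteProperty) -and $onMember) { $reason = 'Write Members' }
        elseif (($r -band $ADR::Self) -and $onMember)          { $reason = 'Add/remove self as member' }
        else   { continue }

        [pscustomobject]@{
            Group     = $GroupName
            Trustee   = $ace.IdentityReference.Value
            Right     = $reason
            Inherited = $ace.IsInherited   # True: remove it on the parent OU/container, not the group
        }
    }
}

# Usage: Get-AddMemberAce -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Entries for built-in administrative trustees (Domain Admins, Enterprise Admins, SYSTEM) are expected; review the remaining trustees against the Source security principals the relation reports.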

See also