Self-Membership
Self-Membership: the ability to add yourself to a group. If you have the Self-Membership right on a group, you can add yourself to that group.
Enumeration
PowerView
Self-Membership Enumeration
We get the current user's SID by executing whoami /user, import PowerView, then execute the command below to list the objects on which we have the Self-Membership right.
Command
Get-ObjectAcl -ResolveGUIDs | ? {($_.SecurityIdentifier -eq "[our_current_user_sid]") -and ($_.ObjectAceType -like "*Self-Membership*")}
The image below shows that the current user, usman, has the Self-Membership right on the Domain Admins group.

BloodHound
We can also get the same result using BloodHound.
The image below shows that the current user, usman, has the Self-Membership right on the Domain Admins group.

Exploitation
Let’s check our current group.

Here usman is a member of the Domain Users group. We are going to exploit Self-Membership to add usman to the Domain Admins group.
PowerView
Since we have the Self-Membership right on the Domain Admins group, we can add usman to the group by executing the command below.
Command
Add-DomainGroupMember -Identity "Domain Admins" -Members usman

Let’s check it by executing Get-NetGroup -MemberIdentity usman.

As you can see, usman has been added to the Domain Admins group.
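
From the defender's side, the same ACE can be found by auditing the ACL of a privileged group directly. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, and the function name Find-SelfMembershipAce is hypothetical.

```powershell
# Added example (defensive audit); not part of the original post.
# Assumption: RSAT ActiveDirectory module, run from a domain-joined session.
Import-Module ActiveDirectory

# Rights GUID of the Self-Membership validated write
# (the same GUID as the schema ID of the 'member' attribute).
$SelfMembershipGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$SelfRight = [int][System.DirectoryServices.ActiveDirectoryRights]::Self

# Hypothetical helper name. Returns every Allow ACE on the given groups that
# lets the trustee add itself as a member.
function Find-SelfMembershipAce {
    param(
        [string[]]$GroupName = @('Domain Admins')   # group from the walkthrough
    )
    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name
        $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # The Self bit means "validated write"; it is also set in GenericAll.
            if (([int]$ace.ActiveDirectoryRights -band $SelfRight) -eq 0) { continue }
            # An empty ObjectType applies the ACE to all validated writes,
            # so it covers Self-Membership as well.
            $allWrites = $ace.ObjectType -eq [guid]::Empty
            if (-not $allWrites -and $ace.ObjectType -ne $SelfMembershipGuid) { continue }
            [pscustomobject]@{
                Group     = $group.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Scope     = if ($allWrites) { 'All validated writes' } else { 'Self-Membership' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-SelfMembershipAce -GroupName 'Domain Admins' |
    Sort-Object Group, Principal |
    Format-Table -AutoSize
```

Any principal in the output that is not an expected administrative account or group, such as usman in this walkthrough, holds a path into the group and should have the ACE removed.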