-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing Collection of Group Add/Remove Self As Member #70
Comments
Hi! We do have an AddSelf edge which should cover that: https://support.bloodhoundenterprise.io/hc/en-us/articles/17358095502363-AddSelf |
The permission is not captured in any SharpHound collector agent. Any help is appreciated debugging the problem. |
@godylockz provided details about the environment in a private chat. Thanks a lot @godylockz! The AddSelf edge is created when a principal is granted the "Add/remove self as member" privilege. That ACE looks like this:
When selecting "All validated writes" in the UI, the "Add/remove self as member" is automatically selected as well. However, no entry in the I have confirmed that this "All validated writes" permission indeed allows the principal to add themselves to the group, and does not allow you to add any other members. The ACE looks the same except that the member attribute is not specified:
I think we should create a new edge as the ACE is different. Also, we should investigate what else this ACE allows you to do on other objects. Here is some more documentation: https://learn.microsoft.com/en-us/windows/win32/adschema/validated-writes |
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#self-self-membership-on-group
Self (Self-Membership) - ability to add yourself to a group
In Security Settings:
Permission: Add/remove self as member
Permission: All validated writes
This could be hidden privilege as a "member of a privileged group" and be missed in BloodHound path tracing.
In dsacls.exe, it comes up as:
SPECIAL ACCESS
WRITE SELF
The text was updated successfully, but these errors were encountered: