
A critical misconfiguration in Active Directory’s Discretionary Access Control Lists (DACLs) allows attackers to abuse the AddSelf permission for privilege escalation. By exploiting this, threat actors can add themselves to privileged groups like Domain Admins or Backup Operators, leading to lateral movement, credential theft, and domain compromise. This technique aligns with MITRE ATT&CK framework’s Account Manipulation (T1098) and is detectable through tools like BloodHound and PowerShell modules.
Understanding the AddSelf Vulnerability
The AddSelf permission in Active Directory permits a user to add themselves to a target security group. When applied to high-privilege groups (e.g., Domain Admins), this becomes a vertical privilege escalation vector. Attackers leverage this to gain administrative rights, dump NTLM hashes using tools like Impacket’s secretsdump, or perform Kerberoasting attacks. Organizations with lax DACL auditing are particularly vulnerable.
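In the DACL itself, AddSelf shows up as the validated-write ("Self") right scoped to the group's member attribute, or unscoped, or folded into GenericAll. The following audit routine is an added example, not code from the original article: it walks a flattened DACL export and reports every ACE that lets a trustee add itself to a privileged group. The access-mask bits and the member attribute GUID are well-known AD constants; the group list, trustee names, the CONTOSO domain and the "other attribute" GUID are constructed for the sample.

```python
"""Audit exported group ACEs for grants that amount to AddSelf.

Added example, not from the original article. The ACE records are
constructed to resemble what a DACL export (e.g. Get-Acl on the AD: drive,
or a dump of nTSecurityDescriptor) would yield once flattened.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known values from the AD access-control model.
ADS_RIGHT_DS_SELF = 0x00000008        # "Self": validated write to an attribute
ADS_RIGHT_DS_WRITE_PROP = 0x00000020  # WriteProperty (included only to contrast)
ADS_RIGHT_GENERIC_ALL = 0x10000000    # full control, which contains every other right
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of 'member'
NULL_GUID = "00000000-0000-0000-0000-000000000000"         # ACE not scoped to one attribute
OTHER_ATTR_GUID = "11111111-1111-1111-1111-111111111111"   # constructed placeholder GUID

# Groups whose membership confers domain-wide (or near domain-wide) power.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Backup Operators", "Account Operators",
}
# Trustees that make an AddSelf grant reachable by essentially any domain account.
BROAD_TRUSTEES = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass(frozen=True)
class Ace:
    group: str        # group the ACE sits on
    trustee: str      # principal the ACE applies to
    ace_type: str     # "Allow" or "Deny"
    access_mask: int  # bit mask of rights
    object_type: str  # attribute / extended-right GUID the ACE is scoped to


def add_self_path(ace: Ace) -> Optional[str]:
    """Return how this ACE grants AddSelf ("Self" or "GenericAll"), or None.

    Only Allow ACEs confer rights. The Self bit confers AddSelf when scoped to
    'member' or left unscoped (null GUID, meaning every attribute); GenericAll
    contains Self. WriteProperty on 'member' is deliberately not matched: that
    is the broader right to add anyone, a separate (and worse) finding.
    """
    if ace.ace_type != "Allow":
        return None
    if ace.access_mask & ADS_RIGHT_GENERIC_ALL:
        return "GenericAll"
    if (ace.access_mask & ADS_RIGHT_DS_SELF
            and ace.object_type.lower() in (MEMBER_ATTR_GUID, NULL_GUID)):
        return "Self"
    return None


def audit(aces: List[Ace]) -> List[Dict]:
    """One finding per ACE that lets its trustee add itself to a privileged group."""
    findings = []
    for ace in aces:
        via = add_self_path(ace)
        if via is None or ace.group not in PRIVILEGED_GROUPS:
            continue
        findings.append({
            "group": ace.group,
            "trustee": ace.trustee,
            "via": via,
            # A broad trustee turns the grant into an escalation path for any domain user.
            "severity": "critical" if ace.trustee in BROAD_TRUSTEES else "high",
        })
    return findings


# Constructed sample export (placeholder domain CONTOSO).
SAMPLE_ACES = [
    Ace("Domain Admins", "CONTOSO\\helpdesk-tier1", "Allow", ADS_RIGHT_DS_SELF, MEMBER_ATTR_GUID),
    Ace("Backup Operators", "Authenticated Users", "Allow", ADS_RIGHT_DS_SELF, NULL_GUID),
    Ace("Schema Admins", "CONTOSO\\svc-deploy", "Allow", ADS_RIGHT_GENERIC_ALL, NULL_GUID),
    Ace("Domain Admins", "CONTOSO\\contractor", "Deny", ADS_RIGHT_DS_SELF, MEMBER_ATTR_GUID),
    Ace("Domain Admins", "CONTOSO\\jdoe", "Allow", ADS_RIGHT_DS_SELF, OTHER_ATTR_GUID),
    Ace("Domain Admins", "CONTOSO\\mgr", "Allow", ADS_RIGHT_DS_WRITE_PROP, MEMBER_ATTR_GUID),
    Ace("Marketing", "Domain Users", "Allow", ADS_RIGHT_DS_SELF, MEMBER_ATTR_GUID),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACES):
        print(f"[{f['severity']}] {f['trustee']} can add itself to {f['group']} via {f['via']}")
```

Run against the sample, the audit flags three of the seven ACEs: the helpdesk grant on Domain Admins, the unscoped Self grant to Authenticated Users on Backup Operators (critical, because every domain account inherits it), and the GenericAll grant on Schema Admins. The Deny ACE, the Self grant scoped to an unrelated attribute, the non-privileged Marketing group and the WriteProperty grant are all left out, the last one because it belongs in a separate, broader finding rather than under AddSelf.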
Detection and Mitigation Strategies
Detecting AddSelf abuse requires monitoring group membership changes and LDAP modifications. Tools like BloodHound can identify vulnerable delegations, while SIEM rules should alert on unexpected additions to privileged groups. Mitigation involves restricting AddSelf delegations, enforcing least privilege, and conducting regular DACL audits. Microsoft’s Active Directory Security Guidelines provide further hardening recommendations.
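A SIEM rule for the behaviour described above has two parts: alert on any addition to a privileged group, and alert with higher priority when the account performing the change is the account being added, which is the AddSelf signature. The detector below is an added example rather than code from the article; it reads constructed JSON lines shaped like Windows Security events 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group) and compares SIDs rather than names so that renamed or look-alike accounts cannot evade the self-add check. The SIDs, account names, group list and CONTOSO domain are all constructed.

```python
"""Flag self-additions and privileged-group additions in group-membership events.

Added example, not from the original article. The events are constructed
JSON lines carrying the fields of Security event IDs 4728/4732/4756; in
practice they would arrive from a SIEM or a Get-WinEvent export.
"""
import json
from typing import Dict, List, Optional

# "A member was added to a security-enabled {global, local, universal} group".
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Backup Operators", "Account Operators",
}


def classify(event: Dict) -> List[str]:
    """Return the reasons an event deserves an alert (empty list = no alert)."""
    reasons: List[str] = []
    if event.get("EventID") not in GROUP_ADD_EVENT_IDS:
        return reasons
    # Self-add: the subject performing the change is the member being added.
    # SIDs are compared instead of names so a renamed account cannot hide it.
    if event.get("SubjectUserSid") and event.get("SubjectUserSid") == event.get("MemberSid"):
        reasons.append("self-add")
    if event.get("TargetUserName") in PRIVILEGED_GROUPS:
        reasons.append("privileged-group")
    return reasons


def severity(reasons: List[str]) -> Optional[str]:
    """Map the reasons to a triage level."""
    if "self-add" in reasons and "privileged-group" in reasons:
        return "critical"   # the AddSelf escalation itself
    if "privileged-group" in reasons:
        return "high"       # may be legitimate admin work, but always worth review
    if "self-add" in reasons:
        return "medium"     # anomalous even when the group is low value
    return None


def analyse(lines: List[str]) -> List[Dict]:
    """Run the rule over JSON-lines input and return the alerts raised."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        level = severity(reasons)
        if level is None:
            continue
        alerts.append({
            "EventRecordID": event.get("EventRecordID"),
            "subject": event.get("SubjectUserName"),
            "member": event.get("MemberName"),
            "group": event.get("TargetUserName"),
            "severity": level,
            "reasons": reasons,
        })
    return alerts


# Constructed sample events (placeholder SIDs and domain).
SAMPLE_EVENTS = """
{"EventRecordID": 1001, "EventID": 4728, "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "helpdesk-tier1", "MemberSid": "S-1-5-21-1-2-3-1105", "MemberName": "CN=helpdesk-tier1,OU=IT,DC=contoso,DC=local", "TargetUserName": "Domain Admins"}
{"EventRecordID": 1002, "EventID": 4728, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "Administrator", "MemberSid": "S-1-5-21-1-2-3-1201", "MemberName": "CN=bob,OU=Ops,DC=contoso,DC=local", "TargetUserName": "Backup Operators"}
{"EventRecordID": 1003, "EventID": 4732, "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "helpdesk-tier1", "MemberSid": "S-1-5-21-1-2-3-1105", "MemberName": "CN=helpdesk-tier1,OU=IT,DC=contoso,DC=local", "TargetUserName": "Marketing"}
{"EventRecordID": 1004, "EventID": 4720, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "Administrator", "TargetUserName": "newuser"}
{"EventRecordID": 1005, "EventID": 4756, "SubjectUserSid": "S-1-5-21-1-2-3-1310", "SubjectUserName": "svc-backup", "MemberSid": "S-1-5-21-1-2-3-1310", "MemberName": "CN=svc-backup,OU=Services,DC=contoso,DC=local", "TargetUserName": "Enterprise Admins"}
{"EventRecordID": 1006, "EventID": 4728, "SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "Administrator", "MemberSid": "S-1-5-21-1-2-3-1400", "MemberName": "CN=alice,OU=Sales,DC=contoso,DC=local", "TargetUserName": "Marketing"}
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS.splitlines()):
        print(f"[{a['severity']}] {a['subject']} added {a['member']} to {a['group']} ({', '.join(a['reasons'])})")
```

On the sample the rule raises four alerts: two critical self-adds to Domain Admins and Enterprise Admins, one high for an administrator adding another account to Backup Operators, and one medium for a self-add to the low-value Marketing group. The account-creation event (4720) and the routine addition of a user to Marketing produce nothing, which keeps the rule quiet on ordinary directory activity.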
Enterprise Implications
For enterprises, unchecked AddSelf permissions pose a significant risk to domain integrity. Red teams should include this vector in threat simulations, while blue teams must prioritize monitoring memberOf attribute changes. Proactive measures, such as Microsoft’s AD Assessment Tools, can help identify misconfigurations before exploitation occurs.