What starting position does this attack require?

The first step is Token now contains DA SID (T1078) — a initial access primitive. Assumed environment: typically a legacy ACL granted Account Operators / a service principal WriteProperty on `member`.

What is the final impact of this kill-chain?

The final step lands on Add attacker to Domain Admins (AD-DACL-ADDMEMBER), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

GenericWrite on Domain Admins → AddMember → DA

A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Token now contains DA SID

T1078 · Valid Accounts

Re-auth (klist purge) to pick up the new group membership.

Initial Access

Compromised principal w/ GenericWrite on group

T1078 · Valid Accounts

Discovery

Identify writable group

AD-BLOODHOUND · BloodHound / SharpHound Enumeration

BloodHound 'AddMember' / 'GenericWrite' edge against Domain Admins.

Credential Access

DCSync

T1003.006 · DCSync

Privilege Escalation

Add attacker to Domain Admins

AD-DACL-ADDMEMBER · AddMember (WriteProperty on member)

net group 'Domain Admins' <me> /add /domain (or via ldapmodify)

§ Context

Assumed environment: typically a legacy ACL granted Account Operators / a service principal WriteProperty on `member`. Often invisible to standard audits because no group GUI shows the right.

§ Steps

01
Token now contains DA SIDInitial Access
T1078— Valid Accounts
Re-auth (klist purge) to pick up the new group membership.
02
Compromised principal w/ GenericWrite on groupInitial Access
T1078— Valid Accounts
03
Identify writable groupDiscovery
AD-BLOODHOUND— BloodHound / SharpHound Enumeration
BloodHound 'AddMember' / 'GenericWrite' edge against Domain Admins.
04
DCSyncCredential Access
T1003.006— DCSync
05
Add attacker to Domain AdminsPrivilege Escalation
AD-DACL-ADDMEMBER— AddMember (WriteProperty on member)
net group 'Domain Admins' <me> /add /domain (or via ldapmodify)

§ References

T1078Valid Accounts
T1003.006DCSync

§ Frequently asked

What is the "GenericWrite on Domain Admins → AddMember → DA" attack path?: A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Token now contains DA SID (T1078) — a initial access primitive. Assumed environment: typically a legacy ACL granted Account Operators / a service principal WriteProperty on `member`.
What is the final impact of this kill-chain?: The final step lands on Add attacker to Domain Admins (AD-DACL-ADDMEMBER), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

GenericWrite on Domain Admins → AddMember → DA

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Unconstrained delegation → Capture DC TGT → DCSync

Leaked legacy VPN credential → ransomware (Colonial-class)

Citrix Bleed → steal authenticated session → MFA bypass

mitm6 IPv6 SLAAC → NTLM relay → DA

LAPS read → local admin on every endpoint

PetitPotam + ADCS ESC8 → Domain Controller takeover