Missing Collection of Group Add/Remove Self As Member

[godylockz]

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#self-self-membership-on-group
Self (Self-Membership) - ability to add yourself to a group

In Security Settings:
Permission: Add/remove self as member
Permission: All validated writes

This could be hidden privilege as a "member of a privileged group" and be missed in BloodHound path tracing.

In dsacls.exe, it comes up as:
SPECIAL ACCESS
WRITE SELF

[JonasBK]

Hi!

We do have an AddSelf edge which should cover that: https://support.bloodhoundenterprise.io/hc/en-us/articles/17358095502363-AddSelf
Have you experienced that the edge is not created when this permission is granted?

[godylockz]

Hi!

We do have an AddSelf edge which should cover that: https://support.bloodhoundenterprise.io/hc/en-us/articles/17358095502363-AddSelf Have you experienced that the edge is not created when this permission is granted?

The permission is not captured in any SharpHound collector agent.
I have tried bloodhound-python, multiple SharpHound versions, and crackmapexec as well.

Any help is appreciated debugging the problem.

[JonasBK]

@godylockz provided details about the environment in a private chat. Thanks a lot @godylockz!

The AddSelf edge is created when a principal is granted the "Add/remove self as member" privilege. That ACE looks like this:

ObjectDN              : CN=T0_Admins,OU=Groups,OU=Tier0,DC=dumpster,DC=fire
InheritedObject       : 
Object                : Member
ActiveDirectoryRights : Self
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : DUMPSTER\addself
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

When selecting "All validated writes" in the UI, the "Add/remove self as member" is automatically selected as well. However, no entry in the Aces list in the SharpHound output is created for the principal and therefore no AddSelf edge (or any other edges).

I have confirmed that this "All validated writes" permission indeed allows the principal to add themselves to the group, and does not allow you to add any other members. The ACE looks the same except that the member attribute is not specified:

ObjectDN              : CN=T0_Admins,OU=Groups,OU=Tier0,DC=dumpster,DC=fire
InheritedObject       : 
Object                : 
ActiveDirectoryRights : Self
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DUMPSTER\addself
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

I think we should create a new edge as the ACE is different. Also, we should investigate what else this ACE allows you to do on other objects. Here is some more documentation: https://learn.microsoft.com/en-us/windows/win32/adschema/validated-writes