# IN\_GROUP

## Summary

|                            |                          |
| -------------------------- | ------------------------ |
| **FSProtect ACL Alias**    | IN\_GROUP                |
| **Affected Object Types**  | Users, Groups, Computers |
| **Exploitation Certainty** | Certain                  |

## Description

The `IN_GROUP` permission in an Active Directory environment grants an account membership in a specific domain group, so that account, or an attacker who compromises it, can perform every action the group's privileges allow. This may include managing shared resources, configuring domain-wide settings, or controlling important services. Used deliberately, this lets support teams or application owners hold exactly the privileges they need at the domain level without full administrative rights (e.g., Domain Admin), giving a more controlled and secure delegation model.

However, if misconfigured or inadequately managed, `IN_GROUP` can lead to critical security risks. A malicious actor who obtains unauthorized membership in a high-privilege domain group could access or modify sensitive data, disrupt key services, and potentially establish persistent administrator-level control over the domain. Consequently, regularly auditing these memberships and granting them only to necessary accounts are essential steps to maintain a secure and resilient Active Directory infrastructure.

## Identification

### PowerShell

#### Active Directory Module

Using the ActiveDirectory PowerShell module, you can enumerate group membership information for all groups or a specific group in the domain.

Function: Find-IN\_GROUP

```powershell
function Find-IN_GROUP {
    [CmdletBinding()]
    param (
        # Distinguished Name of a single group to scan; omit to scan every group in the domain
        [string]$GroupDN = $null,
        # CSV file that receives one row per group (GroupName, Members)
        [string]$OutputPath = "ADGroupsMembers.csv"
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $results = @()

    # Returns the direct member names of a group as a ';'-separated string.
    # Enumeration errors (e.g. the ADWS size limit on very large groups) are reported
    # as warnings rather than silently recorded as an empty membership.
    function Get-MemberNames([string]$Identity) {
        try {
            return (Get-ADGroupMember -Identity $Identity -ErrorAction Stop |
                    Select-Object -ExpandProperty Name) -join ';'
        }
        catch {
            Write-Warning "Could not enumerate members of '$Identity': $($_.Exception.Message)"
            return ''
        }
    }

    try {
        if ($GroupDN) {
            Write-Host "Scanning specific group: $GroupDN"
            $results += [PSCustomObject]@{
                GroupName = $GroupDN
                Members   = Get-MemberNames $GroupDN
            }
        }
        else {
            Write-Host "Scanning all groups in the domain..."
            $groups = Get-ADGroup -Filter * -ErrorAction Stop
            foreach ($group in $groups) {
                $results += [PSCustomObject]@{
                    GroupName = $group.Name
                    Members   = Get-MemberNames $group.DistinguishedName
                }
            }
        }
    }
    catch {
        Write-Error "Failed to enumerate groups: $($_.Exception.Message)"
        return
    }

    if ($results.Count -gt 0) {
        Write-Host "Found $($results.Count) group record(s)."
        try {
            $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 -ErrorAction Stop
            Write-Output "Results exported successfully to '$OutputPath'"
        }
        catch { Write-Error "Failed to export results to CSV file '$OutputPath': $($_.Exception.Message)" }
    }
    else { Write-Output "No groups or members found." }
}
```

Usage Examples:

**1.** Scan all groups in the domain

```powershell
Find-IN_GROUP
```

**2.** Scan a specific group by Distinguished Name

```powershell
Find-IN_GROUP -GroupDN "CN=Administrators,CN=Builtin,DC=forestall,DC=labs"
```

**3.** Save results to a custom location

```powershell
Find-IN_GROUP -OutputPath "C:\Temp\GroupMembers.csv"
```

#### Active Directory Users and Computers (GUI)

**1.** Open Active Directory Users and Computers.

**2.** Double-click on the Group.

**3.** In the Properties window, navigate to the Members tab.

**4.** Review the list of Users and Groups.

**5.** Click OK to close.

## Exploitation

This permission is exploitable from Windows systems, while on Linux systems tools such as Impacket can be used for exploitation.

The impact of IN\_GROUP depends on which group the attacker is added to:

### Windows

* **Account Operators — Password Reset / Account Takeover** Members can reset passwords or re-enable most non-admin accounts, enabling identity takeover, mailbox/file access, and pivots via inherited permissions. AdminSDHolder-protected accounts are typically excluded. Reference: [ForceChangePassword](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/ForceChangePassword/README.md)
* **Backup Operators — Extract Directory Secrets via Backup Privileges** Members can back up system state or NTDS.dit to recover credential material offline. Note: **DCSync is *not* granted by this membership**—it requires explicit replication rights (GetChanges\*/GetChangesAll) on the domain. Reference: [SeBackupPrivilege](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#backup-operators)
* **Server Operators — Powerful Local Control on DCs (member servers only if delegated)** On **domain controllers**, members can manage services, files, and shares—often enough to reach SYSTEM, execute arbitrary code, and harvest credentials. On **member servers**, similar power exists only where explicitly granted (e.g., via GPO or local group mapping). Reference: [ADMIN\_TO](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/ADMIN_TO/README.md)
* **Print Operators — Logon on DCs / Local Escalation Vector** Members can interactively sign in to DCs and administer the print subsystem. Local DC access increases opportunities to exploit machine-local issues (e.g., driver loading paths) or harvest privileged tokens. Reference: [HAS\_SESSION](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/HAS_SESSION/README.md)
* **Domain Admins — Unfettered Domain Control** Full control of domain policy, users, computers, and DCs. Adversaries can alter ACLs, push GPO-based persistence, and disable defenses—effectively owning domain-joined assets. Reference: [GenericAll](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/GenericAll/README.md)
* **Enterprise Admins — Forest-Wide Authority** Superset of Domain Admin across all domains in the forest: can push cross-domain changes, create new domains, and modify enterprise-wide configuration for durable, stealthy persistence. Reference: [GenericAll](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/GenericAll/README.md)
* **Schema Admins — Directory Schema Control** Can modify classes/attributes that define directory behavior. Abuse can add backdoor attributes or expand rights surfaces that replicate forest-wide and persist beyond typical remediation. Reference: [GenericAll](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/GenericAll/README.md)
* **Group Policy Creator Owners — Malicious GPO Creation** Members can create new GPOs carrying attacker-controlled scripts, tasks, or registry changes. If another principal links those GPOs, they become a powerful, repeatable execution/persistence mechanism. Reference: [GPOWrite](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/GPOWrite/README.md)
* **BUILTIN\Administrators — Local Admin on DCs/Servers** Grants full local control wherever the group applies (including DCs). From that foothold, an attacker can run as SYSTEM, harvest secrets, and reconfigure security tooling—often leading to domain compromise. Reference: [ADMIN\_TO](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/ADMIN_TO/README.md)
* **Remote Desktop Users — Interactive Access for Pivoting** Members can obtain RDP sessions to run tools, collect credentials, and move laterally—**provided RDP is enabled and policy allows logon**. Interactive sessions also inherit user-context trusts (mapped drives, saved creds, delegated tokens). Reference: [CAN\_RDP](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/CAN_RDP/README.md)
* **Remote Management Users — PowerShell Remoting Execution** Enables remote command execution over WinRM/PowerShell Remoting where the service/policy is enabled. Useful for “living off the land” lateral movement that blends with admin activity. Reference: [CAN\_EXEC\_PWSH](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/CAN_EXEC_PWSH/README.md)
* **Distributed COM Users — DCOM-Based Remote Execution** Grants remote activation/launch rights that can translate to code execution **on COM servers whose security descriptors permit it**. Useful where RDP/WinRM are limited or closely monitored. Reference: [CAN\_EXEC\_DCOM](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/CAN_EXEC_DCOM/README.md)

## Mitigation

You can mitigate `IN_GROUP` with the following steps:

**1.** Open `Active Directory Users and Computers`.

**2.** Double-click on the Group.

**3.** In the Properties window, navigate to the `Members` section.

**4.** In the Members list, locate and remove the users and groups that do not need the membership.

**5.** Click OK to close the dialogs.

![Active Directory Users and Computers](/files/3hJkQhEowOggHbLZlatl)
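The same clean-up can be scripted against an approved baseline instead of reviewed by hand. The following function is an added example, not FSProtect's own code: it compares a group's direct members with an approved list of SamAccountNames (the group name and baseline in the usage line are constructed for illustration) and only removes drift when `-Enforce` is passed.

```powershell
# Added example: report, and optionally remove, group members that are not on an
# approved baseline. Without -Enforce the function only previews what it would do.
function Remove-UnapprovedGroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string]$GroupName,
        # Approved direct members, given as SamAccountNames (users or nested groups)
        [Parameter(Mandatory)][string[]]$ApprovedMembers,
        # Apply removals; omit to run in preview mode
        [switch]$Enforce
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Direct members only: a nested group appears here as one member and is judged as such.
    $current = Get-ADGroupMember -Identity $GroupName -ErrorAction Stop
    $drift = $current | Where-Object { $ApprovedMembers -notcontains $_.SamAccountName }

    if (-not $drift) {
        Write-Output "No unapproved members in '$GroupName'."
        return
    }

    foreach ($member in $drift) {
        $label = "$($member.objectClass) '$($member.SamAccountName)'"
        if ($Enforce -and $PSCmdlet.ShouldProcess($GroupName, "Remove $label")) {
            Remove-ADGroupMember -Identity $GroupName -Members $member -Confirm:$false
            Write-Output "Removed $label from '$GroupName'"
        }
        else {
            Write-Output "Would remove $label from '$GroupName' (run with -Enforce to apply)"
        }
    }
}

# Usage with a constructed baseline: preview first, add -Enforce once the list is confirmed.
Remove-UnapprovedGroupMembers -GroupName 'Account Operators' `
    -ApprovedMembers @('svc-helpdesk', 'admin.ops')
```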

## Detection

Adding new Access Control Entries to Active Directory objects changes the `ntSecurityDescriptor` attribute of the objects themselves. These changes can be detected with Event IDs 5136 and 4662 to identify dangerous modifications.

| Event ID | Description                              | Fields/Attributes      | References                                                                                 |
| -------- | ---------------------------------------- | ---------------------- | ------------------------------------------------------------------------------------------ |
| 5136     | A directory service object was modified. | ntSecurityDescriptor   | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136> |
| 4662     | An operation was performed on an object. | AccessList, AccessMask | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662> |
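The following function is an added example, not part of the FSProtect page: it reads Event ID 5136 entries from the Security log, maps the event's data fields by name, and reports modifications to watched attributes. It goes slightly beyond the table above in that it also watches the `member` attribute, since a membership change on a group is logged by 5136 against that attribute when Directory Service Changes auditing and a matching SACL are in place. The group name and attribute list are assumptions.

```powershell
# Added example: surface 5136 events that touch group membership or the security
# descriptor. Requires "Audit Directory Service Changes" on the DCs and a SACL on
# the monitored objects; run on a DC or point -ComputerName at one.
function Get-GroupChangeEvents {
    [CmdletBinding()]
    param (
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500,
        # Attributes worth alerting on for IN_GROUP (assumed list, adjust as needed)
        [string[]]$WatchedAttributes = @('member', 'ntSecurityDescriptor')
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 5136
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # 5136 carries its fields as EventData; the XML view exposes them by name.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($WatchedAttributes -notcontains $data['AttributeLDAPDisplayName']) { continue }

        # OperationType is a resource string: %%14674 = value added, %%14675 = value deleted
        $op = switch ($data['OperationType']) {
            '%%14674' { 'Added' }
            '%%14675' { 'Removed' }
            default   { $data['OperationType'] }
        }
        [PSCustomObject]@{
            Time       = $evt.TimeCreated
            Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object     = $data['ObjectDN']
            ObjectType = $data['ObjectClass']
            Attribute  = $data['AttributeLDAPDisplayName']
            Operation  = $op
            Value      = $data['AttributeValue']
        }
    }
}

# Usage: membership changes on group objects within the most recent 500 events
Get-GroupChangeEvents |
    Where-Object { $_.ObjectType -eq 'group' -and $_.Attribute -eq 'member' } |
    Format-Table -AutoSize
```

For groups protected by AdminSDHolder, the SACL applied through that template already covers `member` and `ntSecurityDescriptor`, so these events appear as soon as the audit subcategory is enabled.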

## References

* [Understand Security Groups (Windows Server) - Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups)
* [Active Directory Groups - SolarWinds](https://www.solarwinds.com/resources/it-glossary/active-directory-groups)
* [Privileged Accounts and Token Privileges - iRed Team](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)
