Primary Group ID Attack in Active Directory: How to Defend Against Related Threats
The Primary Group ID in Active Directory, created to help manage access to sensitive resources, has become a critical vulnerability that attackers can exploit to escalate privileges without leaving a trace.
The Primary Group ID in Active Directory was originally developed to support the UNIX POSIX model and integration for controlling access to resources. Traditionally, the PrimaryGroupID attribute for a user needed to match the RID (or relative identifier) of the group with which the user must be associated. By default, all Active Directory users have a PrimaryGroupID of 513, which is associated with the Domain Users group.
However, if the user needed to be seen as a Domain Admin for POSIX, the PrimaryGroupID needed to be 512, the RID for that group. The Enterprise Admins group, 519, is also used to grant this level in POSIX.
The caveat is that Active Directory’s built-in management tools, the AD Users and Controls (ADUC), require users to have membership in the group used for the PrimaryGroupID, so a standard user could not be seen as a privileged user without actually being in the privileged group. Even today, when you attempt to move a user with a privileged PrimaryGroupID out of the group the ID represents, Active Directory will not allow you to do so. Similarly, a user who is not in a privileged group cannot have the PrimaryGroupID modified manually to be a privileged group’s ID.
The PrimaryGroupID attribute is not used much anymore, as newer technologies such as Identity Management for Unix (IdMU), Services for Network File System (NFS) and Services for Unix-based Applications (SUA) no longer need this attribute. Ideally, the value should be set to 513, which is the Domain Users group. The value cannot be blank, as Active Directory uses it to generate the initial group assignment during the user creation process, to make sure the user will receive a set of minimum permissions.
However, there are some attacks, such as DCShadow, which can alter the PrimaryGroupID attribute for a user to be 512 or 519, even though the user is not in one of the privileged groups. This attack, which does not create events in the log, is stealthy, persistent and difficult to detect.
Therefore, it is necessary to have a security solution that can detect when the PrimaryGroupID of users changes and when a DCShadow attack occurs. Tenable.ad is a solution that can continuously detect both of these attacks in real time, as you can see by the solution’s Indicators of Exposure shown in Figure 1.
Figure 1. Tenable.ad can detect both a DCShadow attack and modification of the PrimaryGroupID for users.
Being able to see different components of an attack in real time allows the security team to react with swift precision to stop adversaries in their tracks.
For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.
This blog post originally appeared on the Alsid website on July 14, 2020.
Related Articles
Cybersecurity Snapshot: CISA Shines Light on Cloud Security and on Hybrid IAM Systems’ Integration
March 15, 2024Check out CISA’s latest best practices for protecting cloud environments, and for securely integrating on-prem and cloud IAM systems. Plus, catch up on the ongoing Midnight Blizzard attack against Microsoft. And don’t miss the latest CIS Benchmarks. And much more!
Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft
February 1, 2024The latest breach suffered by Microsoft shows once again that detection and response are not enough. Because the source of an attack almost always boils down to a single overlooked user and permission, it’s critical for organizations to have strong preventive security.
Cybersecurity Snapshot: What’s in Store for 2024 in Cyberland? Check Out Tenable Experts’ Predictions for OT Security, AI, Cloud Security, IAM and more
December 29, 2023The new year is upon us, and so we ponder the question: What cybersecurity trends will shape 2024? To find out, we asked Tenable experts to read the tea leaves. Their 2024 forecasts include: A bigger security role for cloud architects; a focus by ransomware gangs on OT systems in critical industries; an intensification of IAM attacks; and much more!
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
September 26, 2024Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Establishing a Cloud Security Program: Best Practices and Lessons Learned
September 26, 2024As we’ve developed Tenable’s cloud security program, we in the Infosec team have asked many questions and faced interesting challenges. Along the way, we’ve learned valuable lessons and incorporated key best practices. In this blog, we’ll discuss how we’ve approached implementing our cloud security program using Tenable Cloud Security, and share recommendations that you may find helpful.
- Active Directory
- Active Directory