Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Primary Group ID Attack in Active Directory: How to Defend Against Related Threats

Primary Group ID Attack in Active Directory: How to Defend Against Related Threats

The Primary Group ID in Active Directory, created to help manage access to sensitive resources, has become a critical vulnerability that attackers can exploit to escalate privileges without leaving a trace.

The Primary Group ID in Active Directory was originally developed to support the UNIX POSIX model and integration for controlling access to resources. Traditionally, the PrimaryGroupID attribute for a user needed to match the RID (or relative identifier) of the group with which the user must be associated. By default, all Active Directory users have a PrimaryGroupID of 513, which is associated with the Domain Users group.

However, if the user needed to be seen as a Domain Admin for POSIX, the PrimaryGroupID needed to be 512, the RID for that group. The Enterprise Admins group, 519, is also used to grant this level in POSIX.

The caveat is that Active Directory’s built-in management tools, the AD Users and Controls (ADUC), require users to have membership in the group used for the PrimaryGroupID, so a standard user could not be seen as a privileged user without actually being in the privileged group. Even today, when you attempt to move a user with a privileged PrimaryGroupID out of the group the ID represents, Active Directory will not allow you to do so. Similarly, a user who is not in a privileged group cannot have the PrimaryGroupID modified manually to be a privileged group’s ID.

The PrimaryGroupID attribute is not used much anymore, as newer technologies such as Identity Management for Unix (IdMU), Services for Network File System (NFS) and Services for Unix-based Applications (SUA) no longer need this attribute. Ideally, the value should be set to 513, which is the Domain Users group. The value cannot be blank, as Active Directory uses it to generate the initial group assignment during the user creation process, to make sure the user will receive a set of minimum permissions.

However, there are some attacks, such as DCShadow, which can alter the PrimaryGroupID attribute for a user to be 512 or 519, even though the user is not in one of the privileged groups. This attack, which does not create events in the log, is stealthy, persistent and difficult to detect. 

Therefore, it is necessary to have a security solution that can detect when the PrimaryGroupID of users changes and when a DCShadow attack occurs. Tenable.ad is a solution that can continuously detect both of these attacks in real time, as you can see by the solution’s Indicators of Exposure shown in Figure 1.

Indicators of Exposure in Tenable.ad

Figure 1. Tenable.ad can detect both a DCShadow attack and modification of the PrimaryGroupID for users.

Being able to see different components of an attack in real time allows the security team to react with swift precision to stop adversaries in their tracks.

For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.

This blog post originally appeared on the Alsid website on July 14, 2020.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training