Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

Primary Group ID Attack in Active Directory: How to Defend Against Related Threats

Primary Group ID Attack in Active Directory: How to Defend Against Related Threats

The Primary Group ID in Active Directory, created to help manage access to sensitive resources, has become a critical vulnerability that attackers can exploit to escalate privileges without leaving a trace.

The Primary Group ID in Active Directory was originally developed to support the UNIX POSIX model and integration for controlling access to resources. Traditionally, the PrimaryGroupID attribute for a user needed to match the RID (or relative identifier) of the group with which the user must be associated. By default, all Active Directory users have a PrimaryGroupID of 513, which is associated with the Domain Users group.

However, if the user needed to be seen as a Domain Admin for POSIX, the PrimaryGroupID needed to be 512, the RID for that group. The Enterprise Admins group, 519, is also used to grant this level in POSIX.

The caveat is that Active Directory’s built-in management tools, the AD Users and Controls (ADUC), require users to have membership in the group used for the PrimaryGroupID, so a standard user could not be seen as a privileged user without actually being in the privileged group. Even today, when you attempt to move a user with a privileged PrimaryGroupID out of the group the ID represents, Active Directory will not allow you to do so. Similarly, a user who is not in a privileged group cannot have the PrimaryGroupID modified manually to be a privileged group’s ID.

The PrimaryGroupID attribute is not used much anymore, as newer technologies such as Identity Management for Unix (IdMU), Services for Network File System (NFS) and Services for Unix-based Applications (SUA) no longer need this attribute. Ideally, the value should be set to 513, which is the Domain Users group. The value cannot be blank, as Active Directory uses it to generate the initial group assignment during the user creation process, to make sure the user will receive a set of minimum permissions.

However, there are some attacks, such as DCShadow, which can alter the PrimaryGroupID attribute for a user to be 512 or 519, even though the user is not in one of the privileged groups. This attack, which does not create events in the log, is stealthy, persistent and difficult to detect. 

Therefore, it is necessary to have a security solution that can detect when the PrimaryGroupID of users changes and when a DCShadow attack occurs. Tenable.ad is a solution that can continuously detect both of these attacks in real time, as you can see by the solution’s Indicators of Exposure shown in Figure 1.

Indicators of Exposure in Tenable.ad

Figure 1. Tenable.ad can detect both a DCShadow attack and modification of the PrimaryGroupID for users.

Being able to see different components of an attack in real time allows the security team to react with swift precision to stop adversaries in their tracks.

For more information on this topic and strategies for strengthening your Active Directory security, visit our Tenable.ad product page.

This blog post originally appeared on the Alsid website on July 14, 2020.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a Demo

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Request a Demo

Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.