Primary Group ID attack
The Primary Group ID was used to support the UNIX POSIX model and integration for controlling access to resources. In Active Directory, the PrimaryGroupID attribute for a user needed to be the RID (relative identifier) of the group with which the user must be associated. By default, all Active Directory users have a PrimaryGroupID of 513, which is associated with the Domain Users group.
However, if the user needed to be seen as a Domain Admin for POSIX, the PrimaryGroupID needed to be 512, the RID for that group. The Enterprise Admins group, 519, is also used to grant this level in POSIX.
The caveat is that the AD management tools (ADUC) require that they have membership in the group that is used for the PrimaryGroupID, so that a standard user could not be seen as a privileged user without actually being in the privileged group. Even today when you attempt to move a user with a privileged group PrimaryGroupID out of the group the ID represents, it will not allow you to do so. Similarly, a user that is not in a privileged group cannot have the PrimaryGroupID modified manually to be a privileged group’s ID.
This attribute is not used much, as newer technologies such as Identity Management for Unix (IdMU), Services for NFS, and Services for Unix-based Applications (SUA) no longer need this attribute. Ideally, the value should be set to 513, which is the Domain Users group. The value cannot be blank, as AD uses it to generate the first group of the user during the user creation to make sure the user will receive a set of minimum permissions.
However, there are some attacks, such as DCShadow, which can alter the PrimaryGroupID attribute for a user to be 512 or 519, even though the user is not in one of the privileged groups. (See https://blog.alsid.eu/dcshadow-explained-4510f52fc19d for more info on DCShadow attacks.) This attack, which does not create events in the log, is stealthy, persistent, and difficult to detect.
Therefore, it is necessary to have a security solution that can detect when the PrimaryGroupID of users changes and when a DCShadow attack occurs. Alsid is one such solution which can detect both of these attacks in real time, as you can see by the solution’s Indicators of Exposure shown in Figure 1.
Being able to see different components of an attack in real time allows the security team to react with swift precision to stop this attack.