Description

While groups are the usual way of granting access to resources in an environment, another less-known but equally important Active Directory (AD) feature, the Primary Group, can also grant access to resources.
The Primary Group ID (PGID) is a mechanism that Microsoft created to support legacy UNIX applications, which store group memberships differently than Windows.
As a result, being a member of a group and having that group set as a Primary Group are treated exactly the same way by AD.
Microsoft's AD management software is aware of this feature, but not every external monitoring tool is.
Using the Primary Group to grant access is therefore at best a bad practice and at worst a security risk to address.
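The audit below is an added example, not part of the original indicator page: it flags accounts whose primaryGroupId is not the default for their object class and resolves the group's SID the way the "Resolving a Primary Group ID" reference describes (the account's domain SID with the RID replaced by primaryGroupId). The record layout and sample accounts are constructed; the well-known RIDs come from Microsoft's well-known SID list.

```python
from dataclasses import dataclass

# Well-known RIDs (subset of Microsoft's well-known SID list), used to name the resolved group.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    521: "Read-only Domain Controllers",
}

# Expected primaryGroupId per object class: users default to Domain Users;
# computers default to Domain Computers, with (RO)DCs legitimately using 516 / 521.
DEFAULT_PRIMARY_RIDS = {"user": {513}, "computer": {515, 516, 521}}


def resolve_primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """Primary group SID = the account's domain SID (objectSid minus its RID) + primaryGroupId."""
    domain_sid, _, _account_rid = object_sid.rpartition("-")
    return f"{domain_sid}-{primary_group_id}"


@dataclass
class Finding:
    sam_account_name: str
    primary_group_sid: str
    group_name: str


def audit_primary_groups(records):
    """Return one Finding per account whose primaryGroupId is not a default for its class."""
    findings = []
    for rec in records:
        pgid = rec["primaryGroupId"]
        if pgid in DEFAULT_PRIMARY_RIDS.get(rec["objectClass"], set()):
            continue  # default value: membership is the normal Domain Users / Domain Computers
        sid = resolve_primary_group_sid(rec["objectSid"], pgid)
        name = WELL_KNOWN_RIDS.get(pgid, f"custom group (RID {pgid})")
        findings.append(Finding(rec["sAMAccountName"], sid, name))
    return findings


# Constructed sample export (hypothetical domain SID and accounts).
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "objectClass": "user", "primaryGroupId": 513,
     "objectSid": "S-1-5-21-3623811015-3361044348-30300820-1104"},
    {"sAMAccountName": "svc_backup", "objectClass": "user", "primaryGroupId": 512,
     "objectSid": "S-1-5-21-3623811015-3361044348-30300820-1105"},
    {"sAMAccountName": "jdoe", "objectClass": "user", "primaryGroupId": 1107,
     "objectSid": "S-1-5-21-3623811015-3361044348-30300820-1106"},
    {"sAMAccountName": "DC01$", "objectClass": "computer", "primaryGroupId": 516,
     "objectSid": "S-1-5-21-3623811015-3361044348-30300820-1000"},
]

if __name__ == "__main__":
    for f in audit_primary_groups(SAMPLE_RECORDS):
        print(f"{f.sam_account_name}: primary group {f.primary_group_sid} ({f.group_name})")
```

Because primaryGroupId does not appear in the group's member attribute, a membership review that only enumerates group members misses these accounts; checking the attribute directly, as above, closes that gap.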

Solution

Reset all user primaryGroupId attributes to a safe value.

See Also

Resolving a Primary Group ID

Well-known security identifiers in Windows operating systems

Indicator Details

Name: User Primary Group

Codename: C-DANG-PRIMGROUPID

Severity: Critical

MITRE ATT&CK Information:

Attacker Known Tools

Gentil Kiwi: mimikatz - DCShadow