🔐 Secure Bits 🛡️
Did you know you can hide an account in Active Directory, even from Domain Admins?
It's surprisingly easy to make an account nearly invisible, and most administrators wouldn't even notice. Here's how:
1️⃣ Make the account unsearchable
Apply a Deny Full Control ACL for "Everyone" on the target account. Explicit Deny entries win over the Allow entries administrators inherit, so nobody reading the directory through LDAP, ADUC or PowerShell can view or modify the object, Domain Admins included. What the DACL cannot take away is the object owner's implicit right to read and rewrite the security descriptor: an administrator who already knows the object's DN can still take ownership and reset the ACL. This is concealment, not a control.
2️⃣ Prevent group membership from being visible
Even if an account is hidden, its group membership might still be exposed.
👉 Use the Primary Group feature instead of a traditional group membership. The link is stored in the account's own primaryGroupID attribute (the group's RID) rather than in the group's member attribute, so it appears neither in the group's member list nor in the user's memberOf; only a token-based lookup (tokenGroups) or a tool that resolves primaryGroupID reveals it. Combined with the Deny ACL, the membership becomes almost invisible.
3️⃣ Hide the account in unexpected locations
Place it in a misleading Organizational Unit (OU), ideally one that only appears in ADUC when Advanced Features is turned on. Apply a Deny "List Contents" ACL on the final OU so its child objects are not enumerated, which obscures the account further.
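The three steps above as one added lab reproduction in PowerShell. This is example code written for this page, not the author's code or tool. It assumes an account named svc-hidden, a global security group named Ops-Legacy in the same domain, and an existing OU "OU=Archive,OU=Legacy,DC=lab,DC=local"; all three names are made up. Run it only in a lab, with an account that can modify the user, the group and the OU, and note the ordering: the Deny ACE on the account goes last, because once it applies the session running the script loses access to the object as well.

```powershell
# Added lab example for the three hiding steps; not the author's code.
# Assumed (made-up) objects: user 'svc-hidden', global security group 'Ops-Legacy',
# OU 'OU=Archive,OU=Legacy,DC=lab,DC=local'. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$UserName  = 'svc-hidden'
$GroupName = 'Ops-Legacy'
$TargetOU  = 'OU=Archive,OU=Legacy,DC=lab,DC=local'
$Everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Build an explicit Deny ACE for a SID with the given AD rights.
function New-DenyAce {
    param(
        [System.Security.Principal.SecurityIdentifier] $Sid,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights
    )
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $Sid, $Rights, ([System.Security.AccessControl.AccessControlType]::Deny)
}

# Step 3a: move the account into the out-of-the-way OU while we still have
# full access to it, then refresh the object so its DN is current.
$user = Get-ADUser -Identity $UserName
Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU
$user = Get-ADUser -Identity $UserName

# Step 2: make the group the account's primary group. primaryGroupID holds the
# group's RID (exposed as the constructed attribute primaryGroupToken), and the
# DC only accepts a group the account is already a member of. After the change
# the DC itself drops the account from that group's 'member' attribute and adds
# it to the previous primary group's (Domain Users) instead.
$group = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken
Add-ADGroupMember -Identity $group -Members $user
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $group.primaryGroupToken }

# Step 3b: Deny 'List Contents' (ListChildren) to Everyone on the OU, so a search
# that walks the tree no longer enumerates the OU's children. Access by exact DN
# still works, which is why the next step can still reach the user object.
$ouAcl = Get-Acl -Path "AD:$TargetOU"
$ouAcl.AddAccessRule((New-DenyAce -Sid $Everyone -Rights ListChildren))
Set-Acl -Path "AD:$TargetOU" -AclObject $ouAcl

# Step 1: Deny Full Control (GenericAll) to Everyone on the account. Last on
# purpose: from here on this session cannot read or change the object either.
$userAcl = Get-Acl -Path "AD:$($user.DistinguishedName)"
$userAcl.AddAccessRule((New-DenyAce -Sid $Everyone -Rights GenericAll))
Set-Acl -Path "AD:$($user.DistinguishedName)" -AclObject $userAcl

# What a regular lookup shows afterwards: the group's member list no longer
# contains the account, and the account's memberOf no longer names the group.
(Get-ADGroup -Identity $GroupName -Properties member).member
```

The final line is the point of step 2: the group still grants the account its access token membership, but neither the group's member attribute nor the user's memberOf records it any more.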
Does it always work?
Not for officially privileged groups. Members of protected groups such as Domain Admins are covered by AdminSDHolder: the SDProp process re-stamps their ACL from the AdminSDHolder template (every 60 minutes by default), which wipes out the custom Deny entry (I wrote posts about this).
Can it still be detected?
Yes, you should monitor for:
✅ Primary group changes (Event ID 4738 carries the new Primary Group ID; 5136 records the write to primaryGroupID)
✅ Suspicious ACL modifications, especially new Deny entries (5136 on nTSecurityDescriptor, or 4662 with WRITE_DAC on the object)
✅ AD object-level changes in the Security event log (this needs "Audit Directory Service Changes" enabled and a SACL on the objects)
SAM-R (the SAM Remote protocol) can also enumerate accounts and return an account's primary group, depending on configuration: the "Network access: Restrict clients allowed to make remote calls to SAM" policy controls who may call it.
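As a counterpart to the hiding steps, here is an added read-only hunting script in PowerShell that looks for the traces the checklist above names. It is an example written for this page, not the author's AD Probe tool. It assumes the RSAT ActiveDirectory module, an account that can read most of the directory, and, for the event check, the Security log of a domain controller; the seven-day window and the output shape are arbitrary choices.

```powershell
# Added detection example; not the author's AD Probe tool. Read-only.
# Assumes: RSAT ActiveDirectory module, read access to the directory, and (for the
# event check) that it runs on a domain controller with the Security log readable.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Object, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Object = $Object; Detail = $Detail })
}

# 1. Non-default primary groups, filtered server-side. Well-known RIDs:
#    513 Domain Users, 514 Domain Guests, 515 Domain Computers,
#    516 Domain Controllers, 521 Read-only Domain Controllers.
Get-ADUser -LDAPFilter '(&(!(primaryGroupID=513))(!(primaryGroupID=514)))' -Properties primaryGroupID |
    ForEach-Object { Add-Finding 'PrimaryGroup' $_.DistinguishedName "primaryGroupID=$($_.primaryGroupID)" }
Get-ADComputer -LDAPFilter '(&(!(primaryGroupID=515))(!(primaryGroupID=516))(!(primaryGroupID=521)))' -Properties primaryGroupID |
    ForEach-Object { Add-Finding 'PrimaryGroup' $_.DistinguishedName "primaryGroupID=$($_.primaryGroupID)" }

# 2. Objects we may list but not read. When an object's own DACL denies Read (the
#    Deny Full Control trick) while its parent still grants List Contents, LDAP
#    returns the entry with its DN and no attributes at all. A raw DirectorySearcher
#    exposes that more plainly than the AD cmdlets do.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDN")
$searcher.Filter   = '(objectClass=*)'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('objectClass')
foreach ($r in $searcher.FindAll()) {
    if (-not $r.Properties.Contains('objectclass')) {
        Add-Finding 'UnreadableObject' $r.Path 'Listed by parent but no attributes readable (Deny ACE?)'
    }
}

# 3. Explicit (non-inherited) Deny ACEs on OUs and containers. A Deny 'List Contents'
#    on an OU hides its children from enumeration, so the OU itself is the place to look.
Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
    ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:$dn").Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
            ForEach-Object { Add-Finding 'DenyAce' $dn "$($_.IdentityReference) Deny $($_.ActiveDirectoryRights)" }
    }

# 4. Audit trail: 5136 (directory service object modified) for writes to primaryGroupID
#    or the security descriptor. Needs 'Audit Directory Service Changes' and a SACL.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.AttributeLDAPDisplayName -in @('primaryGroupID', 'nTSecurityDescriptor')) {
            Add-Finding 'Event5136' $data.ObjectDN "$($data.SubjectUserName) wrote $($data.AttributeLDAPDisplayName)"
        }
    }

$Findings | Sort-Object Kind, Object | Format-Table -AutoSize
```

Check 2 matters because the Deny Full Control ACE also blinds the scanner: an account hidden that way will not show up in check 1, since primaryGroupID cannot be read, but it still surfaces as a DN with no attributes, which no legitimate object should be.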
💡 This is why scanning AD regularly for misconfigurations is crucial. My AD Probe tool helps uncover hidden accounts like this:
https://horizon-secured.com/tools/
Have you checked your environment for this? Let's discuss 👇
