Group Enumeration

Why it matters:

Groups in AD, especially privileged groups, are a primary target for attackers because they grant access to resources.

Possible weaknesses:

  • Privileged groups that contain too many members.

  • Groups that should not exist (for example, leftovers from tests or old configurations).

  • Nested groups that can be exploited to escalate privileges indirectly.

PS C:\v> Get-NetGroup | select samaccountname, admincount, description

samaccountname                          admincount description                                                         
--------------                          ---------- -----------                                                         
Administrators                                   1 Administrators have complete and unrestricted access to the compu...
Users                                              Users are prevented from making accidental or intentional system-...
Guests                                             Guests have the same access as members of the Users group by defa...
Print Operators                                  1 Members can administer printers installed on domain controllers     
Backup Operators                                 1 Backup Operators can override security restrictions for the sole ...
Replicator                                       1 Supports file replication in a domain                               
Remote Desktop Users                               Members in this group are granted the right to logon remotely       
Network Configuration Operators                    Members in this group can have some administrative privileges to ...
Performance Monitor Users                          Members of this group can access performance counter data locally...
Performance Log Users                              Members of this group may schedule logging of performance counter...
Distributed COM Users                              Members are allowed to launch, activate and use Distributed COM o...
IIS_IUSRS                                          Built-in group used by Internet Information Services.               
Cryptographic Operators                            Members are authorized to perform cryptographic operations.         
Event Log Readers                                  Members of this group can read event logs from local machine        
Certificate Service DCOM Access                    Members of this group are allowed to connect to Certification Aut...
RDS Remote Access Servers                          Servers in this group enable users of RemoteApp programs and pers...
RDS Endpoint Servers                               Servers in this group run virtual machines and host sessions wher...
RDS Management Servers                             Servers in this group can perform routine administrative actions ...
Hyper-V Administrators                             Members of this group have complete and unrestricted access to al...
Access Control Assistance Operators                Members of this group can remotely query authorization attributes...
Remote Management Users                            Members of this group can access WMI resources over management pr...
Storage Replica Administrators                     Members of this group have complete and unrestricted access to al...
Domain Computers                                   All workstations and servers joined to the domain                   
Domain Controllers                               1 All domain controllers in the domain                                
Schema Admins                                    1 Designated administrators of the schema                             
Enterprise Admins                                1 Designated administrators of the enterprise                         
Cert Publishers                                    Members of this group are permitted to publish certificates to th...
Domain Admins                                    1 Designated administrators of the domain                             
Domain Users                                       All domain users                                                    
Domain Guests                                      All domain guests                                                   
Group Policy Creator Owners                        Members in this group can modify group policy for the domain        
RAS and IAS Servers                                Servers in this group can access remote access properties of users  
Server Operators                                 1 Members can administer domain servers                               
Account Operators                                1 Members can administer domain user and group accounts               
Pre-Windows 2000 Compatible Access                 A backward compatibility group which allows read access on all us...
Incoming Forest Trust Builders                     Members of this group can create incoming, one-way trusts to this...
Windows Authorization Access Group                 Members of this group have access to the computed tokenGroupsGlob...
Terminal Server License Servers                    Members of this group can update user accounts in Active Director...
Allowed RODC Password Replication Group            Members in this group can have their passwords replicated to all ...
Denied RODC Password Replication Group             Members in this group cannot have their passwords replicated to a...
Read-only Domain Controllers                     1 Members of this group are Read-Only Domain Controllers in the domain
Enterprise Read-only Domain Controllers            Members of this group are Read-Only Domain Controllers in the ent...
Cloneable Domain Controllers                       Members of this group that are domain controllers may be cloned.    
Protected Users                                    Members of this group are afforded additional protections against...
Key Admins                                       1 Members of this group can perform administrative actions on key o...
Enterprise Key Admins                            1 Members of this group can perform administrative actions on key o...
DnsAdmins                                          DNS Administrators Group                                            
DnsUpdateProxy                                     DNS clients who are permitted to perform dynamic updates on behal...
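The three weaknesses listed above (oversized privileged groups, stale groups, and nested groups that grant indirect membership) are easier to spot when the Get-NetGroup output is turned into data and cross-checked against group membership. The following Python script is an added example, not part of the original page or of PowerView: it parses a table laid out the way `Get-NetGroup | select samaccountname, admincount, description` prints it, resolves nested membership transitively, and reports each admincount=1 group's effective member count and every user who reaches it only through a chain of groups. The sample table rows, the direct-membership map (standing in for what `Get-NetGroupMember` would return) and the `max_members` threshold are constructed for the example.

```python
import re
from collections import deque


def _row(name, admincount, desc):
    # Mirrors the fixed-width layout of the PowerView output above:
    # left-aligned name (40 cols), right-aligned admincount (10 cols), description.
    return f"{name:<40}{admincount:>10} {desc}"


# Constructed sample: a few rows in the same layout as the page's Get-NetGroup output.
SAMPLE_OUTPUT = "\n".join([
    _row("samaccountname", "admincount", "description"),
    _row("-" * 14, "-" * 10, "-" * 11),
    _row("Administrators", "1", "Administrators have complete and unrestricted access..."),
    _row("Users", "", "Users are prevented from making accidental changes..."),
    _row("Domain Admins", "1", "Designated administrators of the domain"),
    _row("Domain Users", "", "All domain users"),
])

# Constructed direct-membership map (group -> direct members). Names that are
# keys of this dict are groups; anything else is treated as a user account.
MEMBERSHIP = {
    "Administrators": ["Administrator", "Domain Admins"],
    "Domain Admins": ["Administrator", "IT-Tier0"],
    "IT-Tier0": ["alice", "Helpdesk-Leads"],
    "Helpdesk-Leads": ["bob", "carol", "dave", "erin"],
    "Domain Users": ["alice", "bob", "carol", "dave", "erin", "frank"],
}


def parse_netgroup_table(text):
    """Parse the fixed-width table into dicts keyed by the header names.

    Column boundaries are taken from the dashed ruler line, so right-aligned
    values such as admincount are still sliced correctly.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header, ruler = lines[0], lines[1]
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    ends = starts[1:] + [None]  # last column runs to end of line
    names = [header[s:e].strip() for s, e in zip(starts, ends)]
    rows = []
    for line in lines[2:]:
        rows.append({n: line[s:e].strip() for n, s, e in zip(names, starts, ends)})
    return rows


def effective_members(group, membership):
    """Expand nested groups breadth-first.

    Returns {user: chain} where chain is the list of groups from `group` down
    to the group that directly contains the user. A visited set guards against
    membership cycles.
    """
    found = {}
    visited = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in membership.get(current, []):
            if member in membership:  # nested group
                if member not in visited:
                    visited.add(member)
                    queue.append((member, chain + [member]))
            else:
                found.setdefault(member, chain)  # keep the shortest chain seen
    return found


def audit_privileged_groups(rows, membership, max_members=5):
    """Report on every admincount=1 group: effective size and indirect members.

    `max_members` is an assumed threshold for "too many members"; tune it per
    environment.
    """
    report = {}
    for row in rows:
        if row["admincount"] != "1":
            continue
        name = row["samaccountname"]
        members = effective_members(name, membership)
        report[name] = {
            "member_count": len(members),
            "oversized": len(members) > max_members,
            # users who are not direct members but reach the group via nesting
            "indirect": {u: chain for u, chain in members.items() if len(chain) > 1},
        }
    return report


if __name__ == "__main__":
    for group, info in audit_privileged_groups(parse_netgroup_table(SAMPLE_OUTPUT), MEMBERSHIP).items():
        print(f"{group}: {info['member_count']} effective members"
              f"{' (OVERSIZED)' if info['oversized'] else ''}")
        for user, chain in info["indirect"].items():
            print(f"  {user} via {' -> '.join(chain)}")
```

On a live domain the table would come from the PowerView output saved to a file and the membership map from `Get-NetGroupMember` for each group; the indirect-membership chains are the ones to review first, since they are exactly the nesting paths that escape a simple look at direct members of Domain Admins.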

Relevant groups in AD:

  1. Domain Admins: Members of this group have full permissions and complete control over the domain. It is the most powerful group and the primary target for many attackers.

  2. Enterprise Admins: These administrators have permissions in every domain of a forest. If an organization has multiple domains, this group is even more powerful than "Domain Admins".

  3. Schema Admins: Members of this group can modify the AD schema, the underlying structure that defines objects and attributes.

  4. Domain Users: This group includes every user account in a domain. It is often reviewed to identify possible orphaned or unused accounts.

  5. Domain Computers: This group includes all workstations and servers joined to the domain.

  6. Domain Controllers: This group includes all domain controllers in a domain. It is essential to ensure that only trusted machines are part of this group.

  7. Read-Only Domain Controllers (RODC): If the organization uses RODCs, it is essential to ensure they are configured correctly.
