Computer$ in Domain Admins

The other day I came across a situation I have not seen before. One of the guys I work with gained access to a Windows 2008 box that was joined to a domain. The LSA secrets did not reveal anything useful, no domain users were currently logged on, and password reuse wasn’t the case here. However, and this is the interesting part, it turned out that the computer itself was part of the “Domain Admins” group. A quick migrate to a system process and “net user /add /domain” worked! Domain compromised and I am now looking into reasons for adding a host to administrative groups. I imagine it must be some lazy fix…
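The condition described above can be checked for directly: a process running as SYSTEM on a domain-joined host authenticates to the domain as that host's machine account, so whatever groups the computer object sits in are what a SYSTEM shell effectively holds domain-wide. The script below is an added example, not code from the original post. It uses plain ADSI/.NET so it runs from any domain-joined Windows host without the RSAT ActiveDirectory module, and it assumes the default English group names and a logon context (any domain user, or SYSTEM on a joined host) that can read the directory.

```powershell
# Added example (not the original post's code): list the local machine account's own
# group memberships, then audit the domain for computer accounts that sit in privileged
# groups, directly or through nesting. Pure ADSI/.NET; no RSAT module required.
# Assumptions: default English group names; the current logon context can read AD.

function ConvertTo-LdapFilterValue([string]$v) {
    # RFC 4515 escaping for values embedded in an LDAP filter; backslash must go first
    $v -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function New-Searcher([string]$baseDN, [string]$filter, [string[]]$props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$baseDN"
    $s.Filter = $filter
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange($props)
    return $s
}

$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value

# 1. From the compromised box: what is this host's own machine account a member of?
#    The local SYSTEM token does not carry the computer account's domain groups, so
#    "whoami /groups" is not the right check; the directory has to be asked.
#    memberOf lists direct memberships only (the primary group is not shown).
$self = (New-Searcher $domainDN "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))" @("memberof")).FindOne()
if ($self) {
    "Groups of $env:COMPUTERNAME`$:"
    $self.Properties["memberof"] | ForEach-Object { "  $_" }
}

# 2. Domain-wide audit: any computer object nested anywhere under these groups
$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")

$findings = foreach ($name in $privilegedGroups) {
    $g = (New-Searcher $domainDN "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $name)))" @("distinguishedname")).FindOne()
    if (-not $g) { Write-Warning "Group '$name' not found"; continue }
    $gDN = $g.Properties["distinguishedname"][0]

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC evaluate
    # transitive membership, so a computer placed in a group that is itself a member
    # of Domain Admins is still reported.
    $filter = "(&(objectCategory=computer)(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $gDN)))"
    foreach ($r in (New-Searcher $domainDN $filter @("samaccountname","dnshostname","operatingsystem","distinguishedname")).FindAll()) {
        [PSCustomObject]@{
            Group           = $name
            ComputerAccount = $r.Properties["samaccountname"][0]
            DNSHostName     = ($r.Properties["dnshostname"] | Select-Object -First 1)
            OS              = ($r.Properties["operatingsystem"] | Select-Object -First 1)
            DN              = $r.Properties["distinguishedname"][0]
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No computer accounts found in the audited groups." }
```

Part 1 is the attacker's-eye check from the host that was just compromised; part 2 is the defender's sweep of the whole domain. Any row in the second table is a host whose SYSTEM context is a domain administrator, which is exactly what made "net user /add /domain" succeed in the write-up. Removing the computer object from the group is the fix; to catch it being re-added, alert on security events 4728, 4732 and 4756 (member added to a global, local or universal security group) where the added member's name ends in "$".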
