Both Windows and Active Directory ship with a number of default accounts. They cannot be deleted, and their built-in privileges cannot be removed. Some are disabled by default but can be enabled. Every default account has a fixed relative ID (RID) that cannot be changed even if the account is renamed, which makes these accounts immediately identifiable. Even low-privilege default accounts can be dangerous, because they provide a foothold on the system from which privilege can be escalated. The following table summarizes common ways to exploit default Windows accounts.

| Account | Description | Exploit |
|---|---|---|
| Guest | Does not require a password; has limited user-level access; disabled by default; RID 501 | |
| Administrator | Can perform any action on a system; cannot be locked out; RID 500 | Use the Meterpreter `getsystem` command to elevate to SYSTEM privilege |
| krbtgt | Encrypts and digitally signs all Kerberos tickets; RID 502 | Use a tool such as Mimikatz, Meterpreter `hashdump`, ntdsutil, or Metasploit DCSync to dump the account password hash, then use the dumped hash in a Metasploit module or the Kiwi plugin (`kerberos_ticket_use`, `golden_ticket_create`, `post/windows/escalate/golden_ticket`) to create an unauthorized Golden Ticket for access to Active Directory |
| DefaultAccount | Added in Windows 10 and Server 2016; RID 503; managed by SYSTEM | Can be added to any user group, including Administrators; can have its password changed |
| WDAGUtilityAccount | Used by Windows Defender Application Guard; RID 504 | Can be added to any user group, including Administrators; can have its password changed |
| defaultuser0 | Created during Windows 10 installation before any user accounts are created; RID 100x (dependent on the install) | Can be added to any user group, including Administrators; can have its password changed |

Note: For more information on creating Golden Tickets (krbtgt row), see https://pentestlab.blog/tag/krbtgt and https://pentestlab.blog/2018/04/09/golden-ticket.

Windows Account Manipulation

Accounts (including Guest and DefaultAccount) can be manipulated with the `net user` and `net localgroup` commands. The following table gives some examples; administrator- or SYSTEM-level privileges are needed to run some of them.

| To do this action | Run this command |
|---|---|
| List all users | `net user` |
| See information about guest | `net user guest` |
| Check the status of guest to determine whether it is active (enabled) | `net user guest \| findstr /C:"active"` |
| Activate (enable) guest | `net user guest /active:yes` |
| Set/change the guest password to Pa22w0rd | `net user guest Pa22w0rd` |
| Add guest to the local Administrators group | `net localgroup administrators /add guest` |
| View the SID of each account | `wmic useraccount get name,sid` |

Note: For information about default accounts/groups and their SID numbers, see https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
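As an added example (not part of the original page), the following Python script parses constructed `wmic useraccount get name,sid` output and flags every account whose RID is one of the fixed default RIDs from the table above, reporting when such an account has been renamed. The sample output, the renamed account `svc_backup` and the RID table are constructed for this illustration.

```python
import re
# Fixed RIDs of the default accounts from the table above.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   503: "DefaultAccount", 504: "WDAGUtilityAccount"}

# Machine or domain SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Constructed sample of `wmic useraccount get name,sid` output (not from a real host).
# The built-in Administrator has been renamed "svc_backup"; its RID still identifies it.
SAMPLE_OUTPUT = """\
Name                SID
svc_backup          S-1-5-21-1111111111-2222222222-3333333333-500
DefaultAccount      S-1-5-21-1111111111-2222222222-3333333333-503
Guest               S-1-5-21-1111111111-2222222222-3333333333-501
WDAGUtilityAccount  S-1-5-21-1111111111-2222222222-3333333333-504
alice               S-1-5-21-1111111111-2222222222-3333333333-1001
"""

def parse_wmic_accounts(text):
    """Return (name, sid) pairs from `wmic useraccount get name,sid` output."""
    accounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-1].upper() == "SID":  # skip blank lines and the header
            continue
        accounts.append((" ".join(parts[:-1]), parts[-1]))  # account names may contain spaces
    return accounts

def rid_of(sid):
    """RID of a machine/domain SID, or None if the SID is not of that shape."""
    match = SID_RE.match(sid)
    return int(match.group(1)) if match else None

def find_default_accounts(text):
    """Flag accounts whose RID is a well-known default and note whether they were renamed."""
    findings = []
    for name, sid in parse_wmic_accounts(text):
        rid = rid_of(sid)
        if rid in WELL_KNOWN_RIDS:
            expected = WELL_KNOWN_RIDS[rid]
            findings.append({"name": name, "rid": rid, "default_name": expected,
                             "renamed": name.lower() != expected.lower()})
    return findings

if __name__ == "__main__":
    for f in find_default_accounts(SAMPLE_OUTPUT):
        print(f"RID {f['rid']}: {f['name']} is {f['default_name']}"
              + (" (renamed)" if f["renamed"] else ""))
```

On current Windows releases, where WMIC is deprecated, `Get-LocalUser | Select-Object Name,SID` in PowerShell yields the same name/SID pairs.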