312-50V10 · Question #645
What did the following commands determine?
The correct answer is D. That the true administrator is Joe. Using USER2SID and SID2USER together, an attacker can determine which account is the true built-in Administrator by identifying the account whose SID ends in the well-known RID of 500.
Question
What did the following commands determine?
Options
- AThat the Joe account has a SID of 500
- BThese commands demonstrate that the guest account has NOT been disabled
- CThese commands demonstrate that the guest account has been disabled
- DThat the true administrator is Joe
- EIssued alone, these commands prove nothing
How the community answered
(49 responses)- A4% (2)
- B8% (4)
- C2% (1)
- D71% (35)
- E14% (7)
Why each option
Using USER2SID and SID2USER together, an attacker can determine which account is the true built-in Administrator by identifying the account whose SID ends in the well-known RID of 500.
While Joe's SID does end in 500, the answer 'Joe has a SID of 500' understates the finding - the forensic significance is that SID-500 reveals Joe is the renamed Administrator, not merely a fact about Joe's identifier.
The SID enumeration commands shown query username-to-SID mappings and do not inspect or report the enabled or disabled status of the Guest account.
These commands perform SID-to-username and username-to-SID lookups and provide no information about whether the Guest account is enabled or disabled.
The commands shown use USER2SID to retrieve Joe's SID and reveal it ends in -500, which Windows permanently assigns to the built-in Administrator account regardless of any renaming. This conclusively identifies Joe as the renamed Administrator, exposing the true privileged account that an attacker would target.
The commands together yield a definitive conclusion - SID 500 is a permanent, immutable marker for the built-in Administrator, so the finding is not ambiguous or inconclusive.
Concept tested: SID 500 built-in administrator account identification
Source: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
Topics
Community Discussion
No community discussion yet for this question.