RE: strange account in Win2k

From: dlaumannat_private
Date: Tue May 28 2002 - 15:36:52 PDT


    you can inspect the registry key HKLM\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\ProfileList\<SID> for perhaps more information,
    specifically the value 'ProfileImagePath'.
    
    this may be more info than you wanted but:
    S-1-5-21-527237240-162531612-725345543-1008
    s - indicates the value is a sid structure.
    1 - indicates the revision level of the sid structure.
    5 - indicates the authority that issued the sid where 5 refers to "nt"
    possible values are:
     null sid        0    S-1-0
     world sid       1    S-1-1
     local sid       2    S-1-2
     creator sid     3    S-1-3
     non unique      4    S-1-4
     nt              5    S-1-5
    21 - indicates the sub authority domain identifier of the sid where 21
    refers to nt (non unique).
    possible values are:
     dialup          1    S-1-5-1
     network         2    S-1-5-2
     batch           3    S-1-5-3
     interactive     4    S-1-5-4
     logon ids       5    S-1-5-5
     service         6    S-1-5-6
     anonymous       7    S-1-5-7
     proxy           8    S-1-5-8
     enterprise      9    S-1-5-9
     principal self  10   S-1-5-10
     authenticated   11   S-1-5-11
     restricted      12   S-1-5-12
     terminal serv   13   S-1-5-13
     local sys       18   S-1-5-18
     ntnonuniq       21   S-1-5-21
     builtindomain   32   S-1-5-32
    527237240-162531612-725345543 - the 3 32-bit values comprise the machine
    id.
    1008 - indicates the relative id.
    
    some well known sids are:
    Built-In Users
    DOMAINNAME\ADMINISTRATOR            S-1-5-21-527237240-162531612-725345543-500
    DOMAINNAME\GUEST                    S-1-5-21-527237240-162531612-725345543-501
    
    Built-In Global Groups
    DOMAINNAME\DOMAIN ADMINS            S-1-5-21-527237240-162531612-725345543-512
    DOMAINNAME\DOMAIN USERS             S-1-5-21-527237240-162531612-725345543-513
    DOMAINNAME\DOMAIN GUESTS            S-1-5-21-527237240-162531612-725345543-514
    
    Built-In Local Groups
    BUILTIN\ADMINISTRATORS              S-1-5-32-544
    BUILTIN\USERS                       S-1-5-32-545
    BUILTIN\GUESTS                      S-1-5-32-546
    BUILTIN\ACCOUNT OPERATORS           S-1-5-32-548
    BUILTIN\SERVER OPERATORS            S-1-5-32-549
    BUILTIN\PRINT OPERATORS             S-1-5-32-550
    BUILTIN\BACKUP OPERATORS            S-1-5-32-551
    BUILTIN\REPLICATOR                  S-1-5-32-552
    
    Special Groups
    \CREATOR OWNER                      S-1-3-0
    \EVERYONE                           S-1-1-0
    NT AUTHORITY\NETWORK                S-1-5-2
    NT AUTHORITY\INTERACTIVE            S-1-5-4
    NT AUTHORITY\SYSTEM                 S-1-5-18
    NT AUTHORITY\authenticated users    S-1-5-11
    
    > While setting additional privileges on a Win2k web server  I 
    > noticed that
    > certain privileges (logon as batch job, act as part of o/s, 
    > logon locally
    > and network) were applied to a very strange account -
    > *S-1-5-21-527237240-162531612-725345543-1008 which is not 
    > seen as a user
    > account. Any ideas folks ?
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
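The following is an added example, not code from the post or its author: a small Python module that decomposes a SID string the way the reply above walks through it (revision, identifier authority, sub-authorities, machine/domain id, RID), looks it up against the well-known SIDs listed in the reply, and builds the ProfileList registry key path to check when the RID is account-specific. It also goes beyond the post by round-tripping the binary SID layout (revision byte, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities). The "DOMAINNAME\" prefix is the placeholder the post itself uses; the sample SID is the one from the question.

```python
"""Decompose and classify Windows SIDs as described in the mailing-list reply.
Added example; the well-known names are taken from the reply's tables."""
import struct
from typing import NamedTuple, Optional, Tuple

# Identifier authority (third field of the SID string), from the reply's table.
IDENTIFIER_AUTHORITIES = {
    0: "null", 1: "world", 2: "local", 3: "creator", 4: "non unique", 5: "nt",
}
# First sub-authority under the NT authority (S-1-5-x), from the reply's table.
NT_SUBAUTHORITIES = {
    1: "dialup", 2: "network", 3: "batch", 4: "interactive", 5: "logon ids",
    6: "service", 7: "anonymous", 8: "proxy", 9: "enterprise",
    10: "principal self", 11: "authenticated users", 12: "restricted",
    13: "terminal server", 18: "local system",
    21: "nt non-unique (machine/domain id follows)", 32: "builtin domain",
}
# Fixed well-known SIDs ("Built-In Local Groups" and "Special Groups" in the reply).
WELL_KNOWN = {
    "S-1-1-0": "\\EVERYONE", "S-1-3-0": "\\CREATOR OWNER",
    "S-1-5-2": "NT AUTHORITY\\NETWORK", "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\authenticated users", "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\ADMINISTRATORS", "S-1-5-32-545": "BUILTIN\\USERS",
    "S-1-5-32-546": "BUILTIN\\GUESTS", "S-1-5-32-548": "BUILTIN\\ACCOUNT OPERATORS",
    "S-1-5-32-549": "BUILTIN\\SERVER OPERATORS", "S-1-5-32-550": "BUILTIN\\PRINT OPERATORS",
    "S-1-5-32-551": "BUILTIN\\BACKUP OPERATORS", "S-1-5-32-552": "BUILTIN\\REPLICATOR",
}
# RIDs that are identical in every machine/domain ("Built-In Users/Global Groups").
DOMAIN_RIDS = {500: "ADMINISTRATOR", 501: "GUEST", 512: "DOMAIN ADMINS",
               513: "DOMAIN USERS", 514: "DOMAIN GUESTS"}


class Sid(NamedTuple):
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.subauthorities)])

    @property
    def rid(self) -> Optional[int]:
        # The relative id is the last sub-authority (1008 in the question's SID).
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_id(self) -> Optional[Tuple[int, int, int]]:
        # S-1-5-21-<a>-<b>-<c>-<rid>: the three 32-bit values are the machine/domain id.
        s = self.subauthorities
        if self.authority == 5 and len(s) == 5 and s[0] == 21:
            return s[1], s[2], s[3]
        return None


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-5-21-...'; a leading '*' (as in the quoted question) is dropped."""
    parts = text.strip().lstrip("*").split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1 or len(subs) > 15 or any(not 0 <= v < 2 ** 32 for v in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)


def lookup_name(sid: Sid) -> Optional[str]:
    """Name from the reply's tables, or None when the RID is account-specific
    (then ProfileList or the SAM has to be consulted)."""
    name = WELL_KNOWN.get(str(sid))
    if name:
        return name
    if sid.domain_id is not None and sid.rid in DOMAIN_RIDS:
        return "DOMAINNAME\\" + DOMAIN_RIDS[sid.rid]
    return None


def profile_list_key(sid: Sid) -> str:
    """Registry key the reply points at; its 'ProfileImagePath' value names the profile dir."""
    return r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" + "\\" + str(sid)


def sid_to_bytes(sid: Sid) -> bytes:
    """Binary SID layout (beyond the reply): revision byte, sub-authority count,
    6-byte big-endian identifier authority, little-endian 32-bit sub-authorities."""
    return (struct.pack("<BB", sid.revision, len(sid.subauthorities))
            + sid.authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(sid.subauthorities), *sid.subauthorities))


def sid_from_bytes(data: bytes) -> Sid:
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return Sid(revision, authority, tuple(subs))


def describe(text: str) -> str:
    """Human-readable breakdown mirroring the reply's walk-through."""
    sid = parse_sid(text)
    lines = [f"{sid}: revision {sid.revision}, authority {sid.authority} "
             f"({IDENTIFIER_AUTHORITIES.get(sid.authority, '?')})"]
    if sid.authority == 5 and sid.subauthorities:
        first = sid.subauthorities[0]
        lines.append(f"  first sub-authority {first}: {NT_SUBAUTHORITIES.get(first, '?')}")
    if sid.domain_id:
        lines.append(f"  machine/domain id {sid.domain_id}, RID {sid.rid}")
    lines.append("  name: " + (lookup_name(sid) or "not well-known; check " + profile_list_key(sid)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe("*S-1-5-21-527237240-162531612-725345543-1008"))
    print(describe("S-1-5-32-544"))
```

For the SID in the question, `describe` reports the NT authority, the 21 (non-unique) sub-authority, the three-value machine id and RID 1008, and, since 1008 is not one of the fixed RIDs, points at the ProfileList key to resolve which local account it belongs to.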