Adventures in Primary Group Behavior, Reporting, and Exploitation
ID: 5418357f-27b2-57cf-90ae-34df2706ddae
STIX ID: report--5418357f-27b2-57cf-90ae-34df2706ddae
Feed Name: TrustedSec blog
This report analyzes abuse of Active Directory's primaryGroupID attribute and the associated DACL manipulation. It demonstrates how attackers using tools such as mimikatz, DCShadow, and DSInternals can set or hide privileged group membership (e.g., Domain Admins), how different AD tools report that membership inconsistently, and how a deny DACL can make privileged memberships invisible to enumeration. It concludes with detection queries and recommendations to audit primaryGroupID settings and to validate that monitoring tools actually surface such membership.
