Abuse Info
Guest Account (RID -501)- The Guest user account allows users without a personal account to log in. The account has no password by default.
- If enabled, anyone with AD access can log in with the Guest account.
- Any user or computer accessing a Windows system via a network has the Network identity in their access token.
- Included in access tokens when an account is authenticated directly against a domain controller and not through Kerberos constrained delegation (service asserted identity).
- Included in access tokens when authentication is based on public key credentials via key trust objects.
- Anyone with key trust credentials (e.g., from a Shadow Credentials attack) can obtain Key Trust identity access through PKINIT authentication.
- Similar to Key Trust but requires the MFA property on the key trust credentials.
- A Shadow Credentials attack enables anyone to obtain the MFA Key Property identity access through PKINIT authentication.
- Included in an access token when authentication occurs via NTLM protocol.
- Any AD account can obtain NTLM authentication identity access, assuming NTLM is available.
- Included in an access token when authentication occurs via Schannel protocol.
- Any AD account can obtain the Schannel Authentication identity, for example by performing certificate authentication over Schannel.
- Assigned to all accounts within the same Active Directory forest and trusted forests without selective authentication.
- Assigned to all accounts within the same Active Directory forest and trusted forests without selective authentication, when the Kerberos PAC contains an NTLM_SUPPLEMENTAL_CREDENTIAL structure.
- Authentication using an ADCS certificate ensures the required PAC structure.