In this blog, we will be going through how the AdminSDHolder object in Active Directory can be used in Active Directory attacks. We will also go through what you can do to help defend against AdminSDHolder attacks and how LepideAuditor can help make this process easier.
What is an AdminSDHolder?
Essentially, the AdminSDHolder is an object in Active Directory that acts as a security descriptor template for protected accounts and groups in an Active Directory domain. In other words, the access control list on the AdminSDHolder object is the one that members of the built-in privileged AD groups end up with, so it is the single place where those permissions are managed.
A security descriptor holds the information that determines the security of an object, including the SID, the DACL, the SACL and more. A process named SDProp, which runs every hour by default, copies the permissions in this descriptor onto the members of the protected groups.
There is a lot more information about what exactly the AdminSDHolder object is and how it works available online and in the official Microsoft documentation. The above description is, however, more than enough to give you a basic understanding of why it matters: the AdminSDHolder object has a lot of control over what privileges are afforded to protected users and groups.
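To make the template relationship concrete, the following added example (not code from the original post) enumerates every object that SDProp has marked as protected (adminCount=1) and checks whether its DACL currently matches the DACL on AdminSDHolder. It assumes the ActiveDirectory RSAT module is installed and runs with ordinary read access to the domain; the function names are my own.

```powershell
# Added example (not from the original post): what SDProp enforces, made visible.
# Compares the DACL of each protected object (adminCount=1) with the AdminSDHolder template DACL.
Import-Module ActiveDirectory

function Get-AdminSdHolderDacl {
    $domainDn = (Get-ADDomain).DistinguishedName
    $holder = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDn" -Properties nTSecurityDescriptor
    # SDDL of the DACL only ('Access'); owner and group differ per object, so they are left out.
    return $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
}

function Compare-ProtectedObjectsToTemplate {
    $templateDacl = Get-AdminSdHolderDacl
    # adminCount=1 is the marker SDProp stamps on the objects it protects.
    $protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor, whenChanged
    foreach ($obj in $protected) {
        $dacl = $obj.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
        [pscustomobject]@{
            DistinguishedName  = $obj.DistinguishedName
            MatchesTemplate    = ($dacl -eq $templateDacl)
            # SDProp also disables inheritance on protected objects.
            InheritanceBlocked = $obj.nTSecurityDescriptor.AreAccessRulesProtected
            WhenChanged        = $obj.whenChanged
        }
    }
}

# Anything listed here has a DACL that differs from the template right now: either SDProp has
# not run since the last change, or the object carries a stale adminCount flag.
Compare-ProtectedObjectsToTemplate | Where-Object { -not $_.MatchesTemplate } | Format-Table -AutoSize
```

Run directly after an ACL change on a protected account and the object shows up as not matching; run again after the next SDProp cycle and it is back in line with the template, which is exactly the behaviour the attack relies on. Accounts that were once in a protected group and were removed keep adminCount=1 unless an administrator clears it, so they appear in this list too; that is a hygiene finding rather than a false positive.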
What is an AdminSDHolder Attack?
The general goal of an AdminSDHolder attack is to apply changes to the object; in many cases this means changes to its ACL. This can take many forms, but commonly an attacker adds an account to that ACL, granting it the same level of privilege over protected accounts and groups as the entries already on the AdminSDHolder object.
Organizations that spot the signs of an AdminSDHolder attack can take steps to restrict the access of that account. However, if you only do this, SDProp will simply reverse the change when the hour mark comes around by restoring the ACLs applied to the protected groups. To make the fix permanent, you need to remove the attacker's ACL entry from the AdminSDHolder object itself.
This can be a convoluted process and is often overlooked, which makes AdminSDHolder attacks a good option for attackers looking to gain access to sensitive data.
An AdminSDHolder Attack Visualized: Step-By-Step
It might be easier to picture how an AdminSDHolder Attack takes place by laying out the process step-by-step. There are usually four steps in an AdminSDHolder Attack:
- The attacker will get their hands on credentials that allow access to privileged data or systems (usually through social engineering, phishing or other common attack methods).
- The attacker then adds a new user to the Access Control List in AdminSDHolder.
- The new AdminSDHolder permissions are applied to protected objects every 60 minutes by default through the SDProp process.
- At this point the administrator may detect the over-privileged user or the change to the object and reverse it. However, in most cases the SDProp will re-apply the attacker’s permissions within an hour.
Defending Against an AdminSDHolder Attack
Detecting an AdminSDHolder attack is a relatively simple process if you have the right solution in place. As changes to the AdminSDHolder object are relatively rare, it’s easy to spot one in real time if you are using an Active Directory audit and security solution that allows you to report on changes to Active Directory objects. LepideAuditor for Active Directory, for example, can notify you of who made the change, what was changed and when.
Once the attack has been detected, a full investigation and risk assessment needs to follow to establish why the change took place and whether further action is needed after removing the user from the ACL.
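Because legitimate changes to AdminSDHolder are rare, a baseline comparison is a practical way to detect an unexpected entry without a dedicated product. The following added example (not code from the original post or from Lepide) exports the current ACEs on AdminSDHolder once, on a known-good domain, and on later runs reports any ACE that was added or removed, along with the object's whenChanged timestamp for the investigation. It assumes the ActiveDirectory RSAT module; the function names and the baseline path are my own.

```powershell
# Added example (not from the original post): baseline-and-diff detection for AdminSDHolder ACEs.
Import-Module ActiveDirectory

function Get-AdminSdHolder {
    $domainDn = (Get-ADDomain).DistinguishedName
    Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDn" -Properties nTSecurityDescriptor, whenChanged
}

# One line per ACE: trustee | rights | Allow/Deny | object type GUID (empty GUID = whole object).
function Get-AceSummary([System.DirectoryServices.ActiveDirectorySecurity] $sd) {
    foreach ($ace in $sd.Access) {
        '{0}|{1}|{2}|{3}' -f $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType, $ace.ObjectType
    }
}

# Run once on a domain you have verified is clean; keep the file somewhere the attacker cannot edit.
function Export-AdminSdHolderBaseline([string] $Path) {
    Get-AceSummary (Get-AdminSdHolder).nTSecurityDescriptor | Sort-Object -Unique | Set-Content -Path $Path
}

# Compare the live ACL with the baseline and return added/removed ACEs plus the last change time.
function Test-AdminSdHolderDrift([string] $BaselinePath) {
    $holder   = Get-AdminSdHolder
    $baseline = Get-Content -Path $BaselinePath
    $current  = Get-AceSummary $holder.nTSecurityDescriptor | Sort-Object -Unique
    $diff     = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    [pscustomobject]@{
        WhenChanged = $holder.whenChanged
        AddedAces   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        RemovedAces = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

# Hypothetical baseline path. First run: Export-AdminSdHolderBaseline -Path 'C:\Baselines\AdminSDHolder.txt'
# Afterwards, schedule this check more often than the SDProp interval so a new ACE is seen before
# it is stamped onto every protected account.
$result = Test-AdminSdHolderDrift -BaselinePath 'C:\Baselines\AdminSDHolder.txt'
if ($result.AddedAces.Count -gt 0 -or $result.RemovedAces.Count -gt 0) {
    Write-Warning ("AdminSDHolder ACL differs from baseline (object last changed {0})" -f $result.WhenChanged)
    $result.AddedAces   | ForEach-Object { "ADDED:   $_" }
    $result.RemovedAces | ForEach-Object { "REMOVED: $_" }
}
```

A non-empty AddedAces list is the signal the article describes: an unexpected trustee on AdminSDHolder. The trustee string tells you which account to investigate, whenChanged narrows the window for pulling directory-service audit events, and removing that ACE from AdminSDHolder itself, rather than only from the individual protected accounts, is what keeps SDProp from re-applying it.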