0x00 Introduction
---
AdminSDHolder is a special AD container with a set of default security permissions that serves as a template for protected AD accounts and groups.
Active Directory takes the ACL of the AdminSDHolder object and periodically applies it to all protected AD accounts and groups, to undo accidental or unauthorised modifications and keep access to these objects secure.
If the ACL of the AdminSDHolder object can be modified, the altered permissions are automatically applied to all protected AD accounts and groups, which makes it a way of maintaining privileges in a domain environment.
This article draws on publicly available material and my own understanding to introduce the exploitation method, add a procedure for clearing the ACLs, and analyse detection methods.
0x01 Overview
---
This article will cover the following topics:
- Exploitation approach
- How to enumerate information in protected AD accounts and groups
- How to query the ACL of the AdminSDHolder object
- How to add ACLs to the AdminSDHolder object
- How to remove ACLs for specified users in AdminSDHolder
- Complete exploitation method
- Detection recommendations
0x02 Exploitation approach
---
1. Enumerate information from protected AD accounts and groups
These are typically the high-privilege principals in the domain; on my Server 2008 R2 test domain they include the following groups:
- Administrators
- Print Operators
- Backup Operators
- Replicator
- Domain Controllers
- Schema Admins
- Enterprise Admins
- Domain Admins
- Server Operators
- Account Operators
- Read-only Domain Controllers
- Organization Management
- Exchange Trusted Subsystem
2. Add ACL to AdminSDHolder object
For example, add full control permissions for user testa to AdminSDHolder. By default the permission configuration is pushed to the protected objects after 60 minutes, at which point testa has full control over all protected accounts and groups.
3. Gain control over the entire domain
At this point, user testa can add accounts to the domain administrator group and directly access files on the domain controller.
0x03 Enumerate information in protected AD accounts and groups
---
Reference materials about AdminSDHolder:
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)#id0250006
Protected AD accounts and groups have the following characteristic:
their AdminCount attribute is 1.
However, an object that has been moved out of a protected group keeps AdminCount = 1, so this method also returns accounts and groups that were once protected.
1. Methods for enumerating protected AD accounts
(1) PowerView
Download link:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Command as follows:
Get-NetUser -AdminCount
Command to filter only usernames as follows:
Get-NetUser -AdminCount | select samaccountname
(2) Adfind
Download link:
http://www.joeware.net/freetools/tools/adfind/index.htm
Command as follows:
Adfind.exe -f "&(objectcategory=person)(samaccountname=*)(admincount=1)" -dn
(3) ActiveDirectory module
PowerShell module, requires installation, generally installed on domain controllers
The commands are as follows:
Import-Module ActiveDirectory
For systems without the Active Directory module installed, you can import the Active Directory module using the following command:
import-module .\Microsoft.ActiveDirectory.Management.dll
Microsoft.ActiveDirectory.Management.dll is generated after installing the PowerShell Active Directory module. I have extracted it and uploaded it to GitHub:
An open-source project
Note:
This command lists protected AD accounts and groups
2. Methods for enumerating protected AD groups
(1) PowerView
The command is as follows:
Get-NetGroup -AdminCount
(2) Adfind
The command is as follows:
Adfind.exe -f "&(objectcategory=group)(admincount=1)" -dn
(3) ActiveDirectory Module
A PowerShell module that requires installation, typically installed on domain controllers
Commands are as follows:
Import-Module ActiveDirectory
Note:
This command lists protected AD accounts and groups
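As an added example (not code from the original article or from PowerView), the following PowerShell uses plain ADSI, so it needs neither PowerView nor the ActiveDirectory module, to list accounts that still carry AdminCount = 1 but are no longer members of any protected group, i.e. the "once protected" objects mentioned above that a defender should review. It assumes the default English group names and resolves the domain from RootDSE.

```powershell
# Added example, not from the original article. Finds accounts flagged adminCount=1 that are
# no longer (transitively) members of any protected group: stale "once protected" objects.
# Assumes default English group names; groups that do not exist in this domain are skipped.
$domainDN   = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$searchRoot = [ADSI]"LDAP://$domainDN"

# Protected groups from the article's list (default SDProp set on Server 2008 R2).
$protectedGroups = 'Administrators','Print Operators','Backup Operators','Replicator',
    'Domain Controllers','Schema Admins','Enterprise Admins','Domain Admins',
    'Server Operators','Account Operators','Read-only Domain Controllers'

# Escape a value for use inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$v) {
    $v -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

function Get-GroupDn([string]$samName) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $s.Filter = "(&(objectClass=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $samName)))"
    $r = $s.FindOne()
    if ($r) { [string]$r.Properties['distinguishedname'][0] }
}

# OR together transitive membership tests (LDAP_MATCHING_RULE_IN_CHAIN) for every protected group.
$clauses = foreach ($g in $protectedGroups) {
    $dn = Get-GroupDn $g
    if ($dn) { "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))" }
}
if (-not $clauses) { throw 'None of the protected groups could be resolved in this domain.' }
$inProtectedGroup = "(|$(-join $clauses))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.PageSize = 1000
# adminCount=1 users that are NOT in any protected group. krbtgt is protected by SDProp
# directly rather than through group membership, so it is excluded explicitly.
$searcher.Filter = "(&(objectCategory=person)(adminCount=1)(!(sAMAccountName=krbtgt))(!$inProtectedGroup))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName','distinguishedName','whenChanged'))

$stale = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        SamAccountName    = [string]$r.Properties['samaccountname'][0]
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        WhenChanged       = $r.Properties['whenchanged'][0]
    }
}
$stale | Format-Table -AutoSize
```

Accounts in the output keep the AdminSDHolder permissions they were given while protected until an administrator resets AdminCount and re-enables inheritance on them.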
0x04 Manipulating ACLs of AdminSDHolder Objects
---
1. Query ACLs of AdminSDHolder Objects
Using PowerView, address as follows:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Note:
This version does not support the Remove-DomainObjectAcl command
In the test domain test.com, querying the ACL of the AdminSDHolder object means querying the ACL of "CN=AdminSDHolder,CN=System,DC=test,DC=com".
The command is as follows:
Import-Module .\PowerView.ps1
2. Adding ACL to the AdminSDHolder object
Using PowerView, the address is as follows:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
To add full control permissions for user testa, the command is as follows:
Import-Module .\PowerView.ps1
By default, after waiting 60 minutes, testa has full control over all protected AD accounts and groups.
3. Removing ACL for a specified user in AdminSDHolder
Using PowerView, the address is as follows:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Note:
This version supports the Remove-DomainObjectAcl command but does not support the TargetADSprefix parameter, so the TargetSearchBase parameter is used here instead.
The search condition is "LDAP://CN=AdminSDHolder,CN=System,DC=test,DC=com".
To remove full access permissions for user testa, the command is as follows:
Remove-DomainObjectAcl -TargetSearchBase "LDAP://CN=AdminSDHolder,CN=System,DC=test,DC=com" -PrincipalIdentity testa -Rights All -Verbose
0x05 Complete Exploitation Approach
---
1. Enumerate information from protected AD accounts and groups
Identify valuable users, confirm whether they belong to protected AD accounts and groups, and exclude those that only used to belong to protected AD accounts and groups.
2. Add ACLs to the AdminSDHolder object
For example, add full access permissions for user testa to AdminSDHolder.
By default, after waiting 60 minutes, testa gains full access to all protected AD accounts and groups.
The propagation interval can be adjusted through the registry; the value is located at:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, value AdminSDProtectFrequency, type REG_DWORD
For example, to set the interval to 600 seconds, the command is as follows:
reg add hklm\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v AdminSDProtectFrequency /t REG_DWORD /d 600
References:
https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/
Note:
It is not recommended to reduce the default interval time, as it may cause LSASS performance degradation in large environments
3. Gaining Full Control Over the Domain
(1) User testa can add accounts to the Domain Admins group
The command to verify permissions is as follows:
Import-Module .\PowerView.ps1
(2) User testa can directly access files on the domain controller
0x06 Detection and Cleanup
---
1. Detecting AdminSDHolder ACL
View the ACL of "CN=AdminSDHolder,CN=System,DC=test,DC=com" with the following command:
Import-Module .\PowerView.ps1
Note:
PowerView version used here:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Check the output for unexpected trustees, i.e. users or groups that should not hold rights on AdminSDHolder.
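An added example for this detection step (not code from the article or from PowerView): it reads the AdminSDHolder DACL directly through ADSI and reports every ACE whose trustee is outside a baseline of the stock Windows trustees. The baseline is an assumption for a domain without Exchange; anything it does not list, including the Exchange groups from the list above or the full-control ACE for testa from the walkthrough, is simply reported for review.

```powershell
# Added example, not from the original article. Audits the DACL of AdminSDHolder with plain ADSI
# and reports ACEs whose trustee is outside an expected baseline.
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$holder   = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$domainDN"
$acl      = $holder.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

# Baseline (assumption: stock Windows defaults, no Exchange). Well-known SIDs: SYSTEM, SELF,
# Authenticated Users, Everyone, Administrators, Pre-Windows 2000 Compatible Access,
# Windows Authorization Access Group, Terminal Server License Servers.
$wellKnownSids = 'S-1-5-18','S-1-5-10','S-1-5-11','S-1-1-0',
                 'S-1-5-32-544','S-1-5-32-554','S-1-5-32-560','S-1-5-32-561'
# Domain-relative RIDs: 512 Domain Admins, 517 Cert Publishers, 519 Enterprise Admins.
$expectedRids = '512','517','519'

function Test-ExpectedTrustee([System.Security.Principal.SecurityIdentifier]$sid) {
    if ($wellKnownSids -contains $sid.Value) { return $true }
    # Only SIDs that belong to a domain (S-1-5-21-...) carry a RID worth checking.
    if ($sid.AccountDomainSid -and ($expectedRids -contains $sid.Value.Split('-')[-1])) { return $true }
    return $false
}

# Explicit and inherited ACEs, trustees as SIDs so the comparison does not depend on name resolution.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$findings = foreach ($ace in $rules) {
    $sid = [System.Security.Principal.SecurityIdentifier]$ace.IdentityReference
    if (Test-ExpectedTrustee $sid) { continue }
    $name = $sid.Value
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    [pscustomobject]@{
        Trustee    = $name
        Type       = $ace.AccessControlType
        Rights     = $ace.ActiveDirectoryRights   # GenericAll corresponds to PowerView's "-Rights All"
        ObjectType = $ace.ObjectType              # GUID of a property or extended right; all-zero GUID = everything
        Inherited  = $ace.IsInherited
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected trustees on AdminSDHolder' }
```

Run this on a schedule and diff the output against the previous run; an ACE that appears for a principal such as testa is the persistence described in 0x04 and should be removed with the step below.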
2. Clear suspicious user ACLs in AdminSDHolder
Remove suspicious user testa's ACL in AdminSDHolder
Using PowerView, address as follows:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Remove full control permissions for user testa with the following command:
Remove-DomainObjectAcl -TargetSearchBase "LDAP://CN=AdminSDHolder,CN=System,DC=test,DC=com" -PrincipalIdentity testa -Rights All -Verbose
0x07 Summary
---
This article introduced the use of AdminSDHolder for privilege persistence and added methods for detecting and clearing suspicious user ACLs on AdminSDHolder.