Siddhant Mishra Aug 10, 2022 10:36:14 PM 6 min read

Protect your Active Directory from Admin SDHolder Attack


Active Directory (AD) is a gold mine for attackers: compromising it gives an attacker full control of an organization's employee directory, the privileges attached to it, and every application that integrates with it for authentication. Unfortunately, operational dependency on AD without adequate monitoring, or without a process for creating users and delegating privileges, has made AD an asset that is too big to fail.

Five years ago Microsoft stated that more than 95 million AD accounts come under attack every day, and worked on ramping up their identity and security efforts.

What is the AdminSDHolder Attack?

AdminSDHolder is a container that exists in each Active Directory domain. Its distinguished name is CN=AdminSDHolder,CN=System,DC=domain,DC=com where DC=domain,DC=com is the name of your Active Directory domain.

The AdminSDHolder object, together with a process named the Security Descriptor Propagator (SDProp), is responsible for securing privileged users and groups. AdminSDHolder carries a specific Access Control List (ACL) that defines the permissions applied to security principals that are members of the built-in privileged AD groups.

The Security Descriptor Propagator is the process each Active Directory domain uses to identify manual modifications to the owner, ACL or inheritance settings of protected accounts and groups, and to replace them with the values defined on the AdminSDHolder container. By default this background process runs every sixty (60) minutes on the Domain Controller holding the PDC Emulator FSMO role.

The default frequency of the Security Descriptor Propagator can be changed by creating a REG_DWORD registry entry whose decimal value is the new interval in seconds (for example, 1200 means an interval of twenty (20) minutes). The entry is created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the Domain Controller holding the PDC Emulator FSMO role.

To enable lateral movement, attackers can add an account they control to the AdminSDHolder ACL; SDProp then propagates that entry to every protected account and group, granting the attacker's account the same privileged access over them as the legitimate entries.

How to detect it?

1. Monitor changes to the ACL of the AdminSDHolder container/object. In a normal environment, changes to this object should be rare and follow the change control process. Frequent changes, or even attempts to change it, are indicator enough to raise an alert for investigation.

Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows Security log records directory service changes. To identify changes to the AdminSDHolder container ACL, monitor events whose ObjectDN is 'CN=AdminSDHolder,CN=System,DC=domain,DC=com' and whose AttributeLDAPDisplayName is 'nTSecurityDescriptor'.

The following XPath filter can be used in the Windows Event Viewer to detect modifications to the AdminSDHolder container ACL:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5136)]]
      and
      *[EventData[Data[@Name='ObjectDN']='CN=AdminSDHolder,CN=System,DC=YourDomain,DC=com']]
      and
      *[EventData[Data[@Name='AttributeLDAPDisplayName']='nTSecurityDescriptor']]
    </Select>
  </Query>
</QueryList>

Once a matching event is found, its AttributeValue (the new security descriptor in SDDL form) can be decoded into a human-readable form with PowerShell's ConvertFrom-SddlString cmdlet.

$ACL = ConvertFrom-SddlString -Sddl "O:DAG:DAD:PAI(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1127)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-5840559-2756745051-1363507867-1129)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;CI;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;LCRPRC;;;S-1-5-21-5840559-2756745051-1363507867-4102)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1127)(A;;RPWP;;;S-1-5-21-5840559-2756745051-1363507867-1129)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-5840559-2756745051-1363507867-519)(A;;LCRPLORC;;;RU)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:AI(AU;SA;WPWDWO;;;WD)(OU;CIIOIDSA;LCRPRC;;bf967aae-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;CR;89e95b76-444d-4c62-991a-0facbeda640c;;DU)(OU;CIIDSA;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIDSA;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DU)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;CIIDSA;LCRPWPRC;;;DU)"
$ACL.DiscretionaryACL    # one line per DACL entry: the trustee and the rights it holds
# --- Output Truncated --- #
Domain\BobT: AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
# --- Output Truncated --- #
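The same decoding and comparison can run outside the domain controller, for instance in a SIEM pipeline that receives the 5136 events. The following Python is an added example, not code from the original post: it parses the SDDL carried in AttributeValue, diffs its DACL against a stored known-good AdminSDHolder descriptor, and reports every added or removed entry, rating entries that grant GenericAll, WriteDacl, WriteOwner or WriteProperty as high severity. The event fields are assumed to arrive as a dict keyed by their EventData names, and both the baseline descriptor and the sample event are constructed for the example (the trimmed DACL and the RID 1105 account do not come from a real domain).

```python
"""Detection for the 5136 + nTSecurityDescriptor pattern: parse the SDDL in AttributeValue
and diff its DACL against a known-good AdminSDHolder descriptor."""
import re
from dataclasses import dataclass

# Two-letter SDDL trustee aliases that appear in a default AdminSDHolder DACL.
WELL_KNOWN_TRUSTEES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
    "SY": "Local System", "WD": "Everyone", "AU": "Authenticated Users", "PS": "Principal Self",
    "CA": "Cert Publishers", "DU": "Domain Users", "RU": "Pre-Windows 2000 Compatible Access",
}
# Rights that let a trustee take over the object (and, via SDProp, every protected account).
HIGH_RISK_RIGHTS = {"GA", "WD", "WO", "WP"}  # GENERIC_ALL, WRITE_DAC, WRITE_OWNER, WRITE_PROP

@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: str
    rights: tuple
    object_guid: str
    inherit_guid: str
    trustee: str

def split_rights(rights: str) -> tuple:
    """Rights are a hex mask (0x...) or a run of two-letter tokens such as CCDCLCSW..."""
    if rights.startswith("0x"):
        return (rights,)
    return tuple(rights[i:i + 2] for i in range(0, len(rights), 2))

def parse_sddl(sddl: str) -> dict:
    """Return {'O': owner, 'G': group, 'D': [Ace, ...], 'S': [Ace, ...]}.
    A colon only ever follows the O/G/D/S section markers, so splitting on them is safe."""
    result = {"O": None, "G": None, "D": [], "S": []}
    for section in re.split(r"(?=[OGDS]:)", sddl):
        if not section:
            continue
        key, body = section[0], section[2:]
        if key in ("O", "G"):
            result[key] = body
            continue
        for raw in re.findall(r"\(([^)]*)\)", body):  # body = ACL flags followed by (ACE)(ACE)...
            fields = raw.split(";")
            if len(fields) < 6:  # conditional / resource-attribute ACEs are out of scope here
                continue
            ace_type, flags, rights, obj_guid, inh_guid, trustee = fields[:6]
            result[key].append(Ace(ace_type, flags, split_rights(rights), obj_guid, inh_guid, trustee))
    return result

def describe_trustee(trustee: str) -> str:
    if trustee in WELL_KNOWN_TRUSTEES:
        return WELL_KNOWN_TRUSTEES[trustee]
    if trustee.startswith("S-1-5-21-"):
        rid = int(trustee.rsplit("-", 1)[1])
        # RIDs from 1000 upwards belong to principals created after the domain was set up.
        kind = "domain principal" if rid >= 1000 else "built-in domain principal"
        return f"{kind} (RID {rid})"
    return trustee

def diff_dacl(baseline_sddl: str, observed_sddl: str) -> dict:
    base = set(parse_sddl(baseline_sddl)["D"])
    seen = set(parse_sddl(observed_sddl)["D"])
    return {"added": sorted(seen - base, key=str), "removed": sorted(base - seen, key=str)}

def analyse_event(event: dict, baseline_sddl: str) -> list:
    """Apply the detection to one Security-log event exported as a dict of its EventData fields."""
    if event.get("EventID") != 5136 or event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return []
    if not event.get("ObjectDN", "").upper().startswith("CN=ADMINSDHOLDER,CN=SYSTEM,"):
        return []
    findings = []
    delta = diff_dacl(baseline_sddl, event["AttributeValue"])
    for change in ("added", "removed"):
        for ace in delta[change]:
            risky = change == "added" and bool(HIGH_RISK_RIGHTS & set(ace.rights))
            findings.append({
                "severity": "high" if risky else "medium", "change": change,
                "trustee": describe_trustee(ace.trustee), "sid": ace.trustee,
                "rights": "".join(ace.rights), "subject": event.get("SubjectUserName"),
            })
    return findings

# Constructed known-good descriptor: a trimmed default AdminSDHolder DACL, not one from a real domain.
BASELINE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)"
    "(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
    "(A;;LCRPLORC;;;AU)"
    "S:AI(AU;SA;WPWDWO;;;WD)"
)
# Constructed 5136 event: the same descriptor plus one full-control ACE for a domain account (RID 1105).
SAMPLE_EVENT = {
    "EventID": 5136,
    "ObjectDN": "CN=AdminSDHolder,CN=System,DC=example,DC=com",
    "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    "AttributeValue": BASELINE_SDDL.replace(
        "S:AI", "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)S:AI"),
    "SubjectUserName": "svc-backup",
}

if __name__ == "__main__":
    for f in analyse_event(SAMPLE_EVENT, BASELINE_SDDL):
        print(f"[{f['severity']}] {f['change']} ACE for {f['trustee']} ({f['sid']}) rights={f['rights']} by {f['subject']}")
```

The baseline descriptor should be captured from your own domain's AdminSDHolder object and refreshed through change control; diffing against a hard-coded default would raise noise in any domain whose DACL was legitimately customised. The SubjectUserName in the finding is what ties the change back to the user profiling suggested in the conclusion.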

Event ID 4780 (the ACL was set on accounts that are members of administrator groups) should be monitored as well. Ideally, combine it with the object-modification monitoring from the step above and profile the users and/or host machines that trigger Event ID 4780.

Conclusion

In order to detect such attacks, it is important to build a basic detection workbook and couple it with an outlier detection or profiling module. Here are a few simple steps that can help:

  • Create a profile or define baselines for the "Object Modification" activity per user.
  • Baseline the "Object Accessed" activity per user and host.
  • Validate and flag anomalies for users who are not part of the Admin or object-modification user groups.
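The three steps above can be turned into a small profiling routine. The following Python is an added example, not code from the original post: it builds a per-user and per-host profile of 5136 and 4780 activity from a baseline window, then flags, in a later window of the same length, users outside the admin group, event types a user has never produced before, volume above a tolerance multiple of the baseline, and hosts a user has not acted from before. The event shape (EventID, SubjectUserName, Computer), the admin user list and both event windows are constructed for the example.

```python
"""Per-user / per-host profiling of AD object-modification (5136) and protected-account
ACL (4780) events, with simple outlier rules applied to a detection window."""
from collections import Counter, defaultdict

# Constructed: accounts allowed to modify AD objects under change control.
ADMIN_USERS = {"admin.jane", "admin.omar"}

def build_profile(events):
    """Profile = how often each (EventID, user) pair fires and which hosts each user acts from."""
    counts = Counter()
    hosts = defaultdict(set)
    for e in events:
        counts[(e["EventID"], e["SubjectUserName"])] += 1
        hosts[e["SubjectUserName"]].add(e["Computer"])
    return {"counts": counts, "hosts": dict(hosts)}

def find_anomalies(baseline_events, window_events, tolerance=2.0):
    """Flag users outside the admin group, event types a user has never produced, volume above
    tolerance x baseline (both windows are assumed to span the same length of time), and new hosts."""
    base = build_profile(baseline_events)
    window = build_profile(window_events)
    findings = []
    for (eid, user), n in sorted(window["counts"].items()):
        seen_before = base["counts"].get((eid, user), 0)
        if user not in ADMIN_USERS:
            findings.append((user, eid, "user outside admin/change-control group"))
        elif seen_before == 0:
            findings.append((user, eid, "first time this user produced this event"))
        elif n > tolerance * seen_before:
            findings.append((user, eid, f"volume {n} vs baseline {seen_before}"))
    for user, hs in sorted(window["hosts"].items()):
        for host in sorted(hs - base["hosts"].get(user, set())):
            findings.append((user, "host", f"new host {host}"))
    return findings

def ev(eid, user, host):
    """Minimal constructed event record with the three fields the profile uses."""
    return {"EventID": eid, "SubjectUserName": user, "Computer": host}

# Constructed sample: a quiet baseline window, then a window containing one suspicious burst.
BASELINE = [ev(5136, "admin.jane", "DC01")] * 3 + [ev(5136, "admin.omar", "DC01")]
WINDOW = ([ev(5136, "admin.jane", "DC01")] * 2 + [ev(5136, "admin.omar", "DC01")] * 4
          + [ev(4780, "admin.omar", "DC01"), ev(5136, "svc-backup", "WS-042")])

if __name__ == "__main__":
    for user, what, why in find_anomalies(BASELINE, WINDOW):
        print(f"{user:12} {what!s:6} {why}")
```

In practice the baseline window should be long enough to cover normal administrative cycles (patch windows, onboarding runs), and the admin list should be derived from group membership at profile time rather than hard-coded, so that a legitimate delegation change does not surface as a false positive.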

Siddhant Mishra

A cyber security enthusiast.