STEALTHbits’ products provide a multitude of ways to detect, prevent, and mitigate the AdminSDHolder Modification attack.
Detection of AdminSDHolder is straightforward and involves monitoring for changes to the Access Control List for this container.
Permission Change Detection
Monitor for changes to the ACL of the AdminSDHolder container ("CN=AdminSDHolder,CN=System,DC=domain,DC=com,") in all domains.
Using blocking policies can prevent even administrative accounts from modifying the ACL of the AdminSDHolder container, ensuring this cannot be used for a persistence technique by an attacker.
Permission Change Blocking
Block all changes to the ACL of the AdminSDHolder container ("CN=AdminSDHolder,CN=System,DC=domain,DC=com,") in all domains.
In addition to monitoring for changes and blocking them going forward, it is best to perform an initial review and cleanup of the AdminSDHolder rights to ensure no inappropriate Access Control Entries exist.
Permission Clean Up
Report on the AdminSDHolder permissions and clean up any inappropriate permissions that do not belong.