AdminSDHolder Modification

How to detect, prevent, and mitigate AdminSDHolder attacks

Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker’s permission on a protected object the AdminSDHolder controls.


STEALTHbits’ AdminSDHolder Modification

STEALTHbits’ products provide a multitude of ways to detect, prevent, and mitigate the AdminSDHolder Modification attack.

Detect AdminSDHolder Modification Attack

Detection of AdminSDHolder modification is straightforward and involves monitoring for changes to the Access Control List of this container.

APPROACH

Permission Change Detection

DESCRIPTION

Monitor for changes to the ACL of the AdminSDHolder container ("CN=AdminSDHolder,CN=System,DC=domain,DC=com") in all domains.

PRODUCT: StealthDEFEND

Prevent AdminSDHolder Attack

Using blocking policies can prevent even administrative accounts from modifying the ACL of the AdminSDHolder container, ensuring it cannot be used by an attacker as a persistence technique.

APPROACH

Permission Change Blocking

DESCRIPTION

Block all changes to the ACL of the AdminSDHolder container ("CN=AdminSDHolder,CN=System,DC=domain,DC=com") in all domains.

PRODUCT: StealthINTERCEPT


Mitigate AdminSDHolder Attack

In addition to monitoring for changes and blocking them going forward, it is best to perform an initial review and cleanup of the AdminSDHolder ACL to ensure no inappropriate Access Control Entries (ACEs) exist.

APPROACH

Permission Clean Up

DESCRIPTION

Report on the AdminSDHolder permissions and remove any ACEs that do not belong.

PRODUCT: StealthAUDIT
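The two approaches above, permission change detection and permission clean up, can both be exercised by hand before or alongside a product deployment. The following PowerShell script is an added example written for this page; it is not StealthDEFEND or StealthAUDIT code and does not represent how those products work. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive used by `Get-Acl`), and for the event query it assumes "Audit Directory Service Changes" is enabled with an audit (SACL) entry on the container so that event ID 5136 is written. The function names and the `$ExpectedTrustees` baseline are the example's own; the baseline lists trustees normally found on a default AdminSDHolder ACL and must be validated against a known-good domain before being trusted.

```powershell
# Added example (not STEALTHbits' code): review the AdminSDHolder ACL against a
# baseline of expected trustees, and list recent Security-log changes to it.
Import-Module ActiveDirectory

# ASSUMPTION: trustees normally present on a default AdminSDHolder ACL.
# Validate against a known-good domain before relying on this list.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\SELF',
    'Everyone',
    'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Windows Authorization Access Group',
    'BUILTIN\Terminal Server License Servers'
)
# Domain-specific groups expected on the ACL; the NetBIOS prefix varies per domain.
$ExpectedDomainGroups = @('Domain Admins', 'Enterprise Admins', 'Cert Publishers')

function Get-AdminSDHolderDN {
    param([string]$Domain)   # optional: FQDN of the domain to inspect
    $d = if ($Domain) { Get-ADDomain -Identity $Domain } else { Get-ADDomain }
    return "CN=AdminSDHolder,CN=System,$($d.DistinguishedName)"
}

# Mitigation side: report every ACE whose trustee is not in the baseline.
function Find-UnexpectedAdminSDHolderAce {
    param([string]$Domain)
    $dn  = Get-AdminSDHolderDN -Domain $Domain
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $id    = $ace.IdentityReference.Value     # unresolvable SIDs stay as S-1-5-...
        $short = ($id -split '\\')[-1]            # strip the DOMAIN\ prefix
        if ($ExpectedTrustees -contains $id)        { continue }
        if ($ExpectedDomainGroups -contains $short) { continue }
        [pscustomobject]@{
            ObjectDN   = $dn
            Identity   = $id
            Rights     = $ace.ActiveDirectoryRights
            Type       = $ace.AccessControlType
            ObjectType = $ace.ObjectType          # non-empty GUID = property/extended right
            Inherited  = $ace.IsInherited
        }
    }
}

# Detection side: event 5136 (directory service object modified) records writes to
# nTSecurityDescriptor on the DC that performed the write, so query each DC or a
# collector that receives forwarded events.
function Find-AdminSDHolderChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Days = 7
    )
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectDN'] -like 'CN=AdminSDHolder,CN=System,*' -and
            $data['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Actor    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectDN = $data['ObjectDN']
                NewSDDL  = $data['AttributeValue']   # the security descriptor as written
            }
        }
      }
}

# Usage: run as an account that can read the container's security descriptor.
Find-UnexpectedAdminSDHolderAce | Format-Table -AutoSize
# Find-AdminSDHolderChangeEvent -ComputerName 'DC01' -Days 30 | Format-List
```

The script only reports; removing an ACE is left as a deliberate manual step (`$acl.RemoveAccessRule($ace)` followed by `Set-Acl`) after the finding has been confirmed. Because SDProp periodically re-stamps the ACL of every protected object (adminCount=1) from AdminSDHolder, an unexpected ACE found here should also be looked for on those protected objects after the container itself has been cleaned.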
