How to detect and respond to an AdminSDHolder attack using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect an AdminSDHolder attack, take the immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • Event ID 5136 (A directory service object was modified) is only generated when the audit subcategory DS Access → Audit Directory Service Changes is enabled on the domain controllers; see the reference document on enabling the audit policy.

Steps to follow  

Step 1: Detecting the attack  

  1. Navigate to the Active Directory tab > Attack Surface Analyzer > Threats > AdminSDHolder.

  2. This report shows all detections related to a possible AdminSDHolder attack, where an attacker modifies the security template for protected accounts to gain persistent privileged access.

Step 2: Understanding the detection criteria  

ADAudit Plus detects a potential AdminSDHolder attack based on the following logic:

  • Description: An attacker abuses the SDProp process in AD to establish a persistent backdoor. They do this by adding a malicious permission to the AdminSDHolder container, which is then automatically applied to all protected accounts and groups (like Domain Admins).

  • Detection Logic:

    • Event code equals 5136 (A directory service object was modified).

    • Object Class equals container.

    • Operation Type equals Value Added.

    • Attribute LDAP Display Name equals nTSecurityDescriptor.
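To show how the four conditions above apply to raw 5136 records, here is an added Python example (not ADAudit Plus code) that parses Windows event XML and applies the rule. It goes beyond the page's stated logic by also requiring the object's DN to be AdminSDHolder, an assumption added to avoid matching nTSecurityDescriptor changes on other containers; the %%14674 value is the Windows message id rendered as "Value Added" in event 5136, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML ns
VALUE_ADDED = "%%14674"  # Windows message id rendered as "Value Added" in event 5136
# Assumption added in this example: only the AdminSDHolder object itself should match
ADMINSDHOLDER_DN_PREFIX = "CN=ADMINSDHOLDER,CN=SYSTEM,"

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def is_adminsdholder_change(xml_text):
    """The article's four detection conditions, plus the DN check (see assumption above)."""
    event_id, d = parse_event(xml_text)
    return (event_id == 5136
            and d.get("ObjectClass") == "container"
            and d.get("OperationType") == VALUE_ADDED
            and d.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
            and d.get("ObjectDN", "").upper().startswith(ADMINSDHOLDER_DN_PREFIX))

def triage(events):
    """For each hit return (SubjectUserName, ObjectDN, AttributeValue): who changed what."""
    hits = []
    for ev in events:
        if is_adminsdholder_change(ev):
            _, d = parse_event(ev)
            hits.append((d.get("SubjectUserName"), d.get("ObjectDN"), d.get("AttributeValue")))
    return hits

def make_event(event_id, **fields):
    """Build a minimal event XML record; used only to construct the samples below."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

DN = "CN=AdminSDHolder,CN=System,DC=corp,DC=example,DC=com"  # constructed domain
SAMPLE_EVENTS = [  # constructed samples, not real captures
    make_event(5136, SubjectUserName="jdoe", ObjectDN=DN, ObjectClass="container",  # new ACE: alert
               AttributeLDAPDisplayName="nTSecurityDescriptor", OperationType=VALUE_ADDED,
               AttributeValue="O:DAG:DAD:PAI(A;;GA;;;S-1-5-21-1-2-3-1105)"),
    make_event(5136, SubjectUserName="svc-gpo", ObjectClass="container",  # other container: no alert
               ObjectDN="CN=Policies,CN=System,DC=corp,DC=example,DC=com",
               AttributeLDAPDisplayName="nTSecurityDescriptor", OperationType=VALUE_ADDED),
    make_event(5136, SubjectUserName="jdoe", ObjectDN=DN, ObjectClass="container",  # Value Deleted: no alert
               AttributeLDAPDisplayName="nTSecurityDescriptor", OperationType="%%14675"),
]
```

Running triage(SAMPLE_EVENTS) yields only the first record, with the subject account and the SDDL that was written, which is what the investigator needs for Step 3.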

Step 3: Immediate remediation  

An unauthorized modification to AdminSDHolder is a critical security event that indicates an attacker has high-level privileges. Act immediately:

  1. Identify and remove the malicious permission: The event details in the report will show what permissions were added. You must immediately go to the AdminSDHolder object (located in the System container in Active Directory Users and Computers) and manually remove the unauthorized Access Control Entry (ACE).

  2. Disable the compromised account: The account used for the attack (Subject Account Name in the event) has Domain Admin-equivalent privileges. Disable it immediately for investigation.

  3. Force SDProp propagation (Optional): The Security Descriptor Propagator (SDProp) process runs automatically every 60 minutes by default. Once you have cleaned the permissions on the AdminSDHolder object, this process will automatically remove the malicious permission from all protected accounts and groups. You can also trigger it manually if required.

  4. Investigate the initial compromise: Determine how the attacker gained the privileges necessary to modify the AdminSDHolder object. This involves a broader forensic investigation into privileged account usage and potential vulnerabilities.

Validation and confirmation  

  • After remediation, the AdminSDHolder report in ADAudit Plus should no longer show new attacks.

  • After the SDProp process has run, inspect the security permissions of a few protected accounts (e.g., a member of Domain Admins) to confirm that the malicious ACE has been removed.

Tips  

The following best practices are critical for preventing AdminSDHolder abuse.

Principle of least privilege (PoLP)  

  • Restrict privileged access: Modifying the AdminSDHolder object requires highly privileged access (typically Domain Admins). Strictly limit membership in these groups and monitor them closely.

Secure privileged accounts  

  • Implement a tiered access model: Ensure your most critical assets (Tier 0), like domain controllers, are only managed by dedicated Tier 0 administrator accounts. These accounts must never be used to log into lower-tier systems.

  • Use just-in-time (JIT) access: Implement JIT access, eliminating standing privileges.

Monitoring and alerting  

  • Alert on all AdminSDHolder changes: The detection rule in ADAudit Plus is a critical control. Any modification to the nTSecurityDescriptor of the AdminSDHolder container should be treated as a high-priority security event.

  • Monitor privileged group membership: An attacker must first gain privileged access. Continuously monitor for and alert on any changes to groups like Domain Admins, Enterprise Admins, and Schema Admins.

Related topics and articles  

  • How to detect and respond to a Ransomware attack using ADAudit Plus 
