AdminSDHolder Modification

How to detect, prevent, and mitigate AdminSDHolder attacks

Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory lets an attacker gain and keep persistence in an already compromised domain. Every 60 minutes by default, the Security Descriptor Propagator (SDProp) on the PDC Emulator copies the AdminSDHolder DACL onto every protected object (members of Domain Admins, Enterprise Admins, Administrators and the other protected groups, marked with adminCount=1). An Access Control Entry (ACE) planted on AdminSDHolder is therefore re-applied to those accounts even after an administrator finds and removes the attacker's permission on any one of them.



    Stealthbits’ AdminSDHolder Modification

    Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate the AdminSDHolder Modification attack.

    Detect AdminSDHolder Modification Attack

Detection of AdminSDHolder modification is straightforward: monitor for changes to the Access Control List of this one container. Any write to its DACL is a rare, high-signal event, because legitimate administrators almost never need to touch it.

    APPROACH

    Permission Change Detection

    DESCRIPTION

Monitor for changes to the ACL of the AdminSDHolder container (“CN=AdminSDHolder,CN=System,DC=domain,DC=com”) in all domains. Natively, a change to the DACL is a write to the object's nTSecurityDescriptor attribute; with a SACL on the container and the “Directory Service Changes” audit subcategory enabled, the domain controller records it as Security event 5136.

    PRODUCT: StealthDEFEND
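The native equivalent of the detection described above, written as an added example (not Stealthbits code): put a SACL on AdminSDHolder so that every successful DACL write is audited, enable the audit subcategory, and then pull the matching 5136 events. It assumes the RSAT ActiveDirectory module, a Domain Admin session (writing a SACL requires the right to manage auditing on the DC), and that the function name Get-AdminSdHolderAclChange and its default of querying the PDC Emulator are this example's own choices.

```powershell
# Added example, not Stealthbits' or Microsoft's code. Assumes the RSAT ActiveDirectory
# module and a Domain Admin session on a domain-joined host.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. SACL: audit every successful WriteDacl on the container, by anyone (Everyone, S-1-1-0).
#    WriteDacl is exactly the right an attacker needs to add an ACE to AdminSDHolder.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AuditFlags]::Success)

$sd = Get-Acl -Path "AD:\$adminSdHolder" -Audit   # -Audit is required to read/write the SACL
$sd.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$adminSdHolder" -AclObject $sd

# 2. The SACL only produces events when the DC's audit policy enables the subcategory.
#    Run on every DC (or set it in the Default Domain Controllers Policy).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

# 3. Read back event 5136 ("A directory service object was modified") where the object
#    is AdminSDHolder and the attribute written is nTSecurityDescriptor.
#    Each writable DC logs its own 5136s, so in production query all of them.
function Get-AdminSdHolderAclChange {
    param(
        [string]$Server    = $domain.PDCEmulator,   # assumed default: SDProp runs here
        [int]   $HoursBack = 24
    )
    $ms = [int64]$HoursBack * 3600000
    $xpath = @"
*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= $ms]]]
and *[EventData[Data[@Name='ObjectDN']='$adminSdHolder']]
and *[EventData[Data[@Name='AttributeLDAPDisplayName']='nTSecurityDescriptor']]
"@
    Get-WinEvent -ComputerName $Server -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # OperationType is logged as a resource string: %%14674 = Value Added, %%14675 = Value Deleted
            $op = switch ($d.OperationType) {
                '%%14674' { 'ValueAdded' }
                '%%14675' { 'ValueDeleted' }
                default   { $d.OperationType }
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                DC        = $Server
                Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Operation = $op
                # The security descriptor value in SDDL; diff the ValueAdded one against your baseline.
                Sddl      = $d.AttributeValue
            }
        }
}

Get-AdminSdHolderAclChange | Format-List
```

A 5136 for a DACL change comes as a pair (the old descriptor as ValueDeleted, the new one as ValueAdded); the Subject field tells you which account made the write, which is what the incident response starts from.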

    Prevent AdminSDHolder Attack

Using blocking policies can prevent even administrative accounts from modifying the ACL of the AdminSDHolder container, so that it cannot be used as a persistence technique by an attacker. Native AD permissions alone cannot provide this, because the container's owner (Domain Admins by default) can always rewrite its DACL.

    APPROACH

    Permission Change Blocking

    DESCRIPTION

Block all changes to the ACL of the AdminSDHolder container (“CN=AdminSDHolder,CN=System,DC=domain,DC=com”) in all domains.

    PRODUCT: StealthINTERCEPT


    Mitigate AdminSDHolder Attack

In addition to monitoring for changes and blocking them going forward, it is best to perform an initial review and cleanup of the AdminSDHolder rights to ensure no inappropriate Access Control Entries exist. Once the DACL is corrected, SDProp copies the clean descriptor back onto every protected object on its next pass; accounts that were once protected but have since left the protected groups keep adminCount=1 and disabled inheritance, and should be reviewed separately.

    APPROACH

    Permission Clean Up

    DESCRIPTION

    Report on the AdminSDHolder permissions and clean up any inappropriate permissions that do not belong.

    PRODUCT: StealthAUDIT
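The review-and-cleanup described above, as an added example rather than Stealthbits code: list every ACE on AdminSDHolder, flag the ones that grant takeover-capable rights to a trustee outside an expected set, and remove them with -WhatIf support before forcing an immediate SDProp pass. The $Baseline list is an assumption for illustration, not an authoritative default; build your own from a freshly promoted lab domain of the same schema level. The function names and the set of rights treated as dangerous are likewise this example's own choices.

```powershell
# Added example, not Stealthbits' code. Assumes the RSAT ActiveDirectory module and
# a Domain Admin session. $Baseline is an ASSUMED starting point, not Microsoft's
# documented default: verify it against a clean lab domain before relying on it.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$netbios       = $domain.NetBIOSName

# Trustees expected to hold ACEs on AdminSDHolder in a stock domain (assumed baseline).
$Baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Windows Authorization Access Group', 'BUILTIN\Terminal Server License Servers',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\Cert Publishers"
)

# Rights that let a trustee take over protected accounts once SDProp propagates them.
$Dangerous = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'

function Get-AdminSdHolderAceReport {
    $sd = Get-Acl -Path "AD:\$adminSdHolder"
    foreach ($ace in $sd.Access) {
        $trustee     = $ace.IdentityReference.Value
        $isDangerous = ($ace.AccessControlType -eq 'Allow') -and
                       (([int]$ace.ActiveDirectoryRights -band [int]$Dangerous) -ne 0)
        [pscustomobject]@{
            Trustee    = $trustee
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType        # GUID of the attribute or extended right; all-zero = whole object
            Inherited  = $ace.IsInherited
            InBaseline = $Baseline -contains $trustee
            Suspicious = $isDangerous -and ($Baseline -notcontains $trustee)
            Ace        = $ace                   # kept so the cleanup function can remove exactly this rule
        }
    }
}

# Remove each suspicious ACE, then ask SDProp to re-stamp protected objects now
# rather than waiting for its next scheduled pass (60 minutes by default).
function Remove-SuspiciousAdminSdHolderAce {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $sd      = Get-Acl -Path "AD:\$adminSdHolder"
    $changed = $false
    foreach ($row in (Get-AdminSdHolderAceReport | Where-Object Suspicious)) {
        if ($PSCmdlet.ShouldProcess("$($row.Trustee): $($row.Type) $($row.Rights)", 'Remove ACE from AdminSDHolder')) {
            [void]$sd.RemoveAccessRuleSpecific($row.Ace)
            $changed = $true
        }
    }
    if ($changed) {
        Set-Acl -Path "AD:\$adminSdHolder" -AclObject $sd
        # Writing RunProtectAdminGroupsTask=1 to RootDSE triggers an immediate SDProp run.
        $rootDse = [ADSI]'LDAP://RootDSE'
        $rootDse.Put('RunProtectAdminGroupsTask', '1')
        $rootDse.SetInfo()
    }
}

Get-AdminSdHolderAceReport | Format-Table Trustee, Type, Rights, InBaseline, Suspicious -AutoSize
Remove-SuspiciousAdminSdHolderAce -WhatIf      # drop -WhatIf to actually remove the ACEs
```

Run the report first and read it as a whole: an unfamiliar trustee with only read rights is noise, but an Allow ACE for GenericAll, WriteDacl, WriteOwner or an extended right such as password reset, granted to a principal you did not expect, is the persistence this page describes and should be treated as evidence as well as something to remove.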


    © 2022 Stealthbits Technologies, Inc.