How to detect, prevent, and mitigate AdminSDHolder attacks
Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory lets an attacker gain and keep persistence in an already compromised domain: the Security Descriptor Propagator (SDProp) periodically re-applies the AdminSDHolder ACL to every protected object, so even if an administrator finds and removes the attacker’s permission on a protected object, the permission is restored on the next propagation.
Blocking policies can prevent even administrative accounts from modifying the ACL of the AdminSDHolder container, removing it as a persistence technique for an attacker.
APPROACH
Permission Change Blocking
DESCRIPTION
Block all changes to the ACL of the AdminSDHolder container (“CN=AdminSDHolder,CN=System,DC=domain,DC=com”) in all domains.
In addition to monitoring for changes and blocking them going forward, it is best to perform an initial review and cleanup of the AdminSDHolder rights to ensure no inappropriate Access Control Entries (ACEs) already exist.
APPROACH
Permission Clean Up
DESCRIPTION
Report on the AdminSDHolder permissions and remove any ACEs that do not belong.
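The review and cleanup described above, as an added example that is not part of the original page: the script reads the AdminSDHolder DACL, reports every explicit ACE whose trustee is not on an allowlist, and strips those ACEs when run with -Remove. It assumes the ActiveDirectory RSAT module and rights to read and write the container; the allowlist of expected trustees is an assumption for this example and must be checked against your own documented baseline before anything is removed.

```powershell
<#
  Added example (not from the original page): audit the AdminSDHolder DACL against
  an allowlist of expected trustees, report unexpected explicit ACEs, and strip
  them when -Remove is given. Assumes the ActiveDirectory module is installed.
  The allowlist is an assumed baseline: verify it against your own domain first.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove,
    # Well-known trustees expected on a default AdminSDHolder DACL (assumed baseline).
    [string[]]$ExpectedTrustees = @(
        'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
        'Everyone', 'BUILTIN\Administrators',
        'BUILTIN\Pre-Windows 2000 Compatible Access',
        'BUILTIN\Terminal Server License Servers',
        'BUILTIN\Windows Authorization Access Group'
    )
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$path   = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Domain-scoped groups that are also part of the default DACL (assumed baseline).
$nb = $domain.NetBIOSName
$ExpectedTrustees += "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers"

$acl = Get-Acl -Path $path

# Only explicit ACEs matter: SDProp copies the AdminSDHolder DACL onto every
# protected object, so an extra explicit ACE here is what an attacker would plant.
$unexpected = $acl.Access | Where-Object {
    -not $_.IsInherited -and ($ExpectedTrustees -notcontains $_.IdentityReference.Value)
}

if (-not $unexpected) { Write-Host "AdminSDHolder DACL matches the expected trustees."; return }

# Report each unexpected ACE with its trustee, rights, type and target attribute GUID.
$unexpected | Select-Object @{n='Trustee';e={$_.IdentityReference.Value}},
                            ActiveDirectoryRights, AccessControlType, ObjectType |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($ace in $unexpected) {
        if ($PSCmdlet.ShouldProcess($path, "Remove ACE for $($ace.IdentityReference.Value)")) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    # Write the cleaned DACL back; SDProp will propagate it to protected objects.
    Set-Acl -Path $path -AclObject $acl
}
```

Run it first without -Remove (or with -WhatIf) to review the report, and enable object-modification auditing on the container so that later changes are recorded as Event ID 5136 in the Security log.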