Netwrix and Stealthbits merge to better secure sensitive data. LEARN MORE

AdminSDHolder Modification

How to detect, prevent, and mitigate AdminSDHolder attacks

Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker’s permission on a protected object the AdminSDHolder controls.

    Request A Free Trial

    Thank You For Your Request

    A Stealthbits representative will contact you shortly.

    If you have any questions, you can contact our sales department by sending an inquiry to sales@stealthbits.com.


    Stealthbits’ AdminSDHolder Modification

    Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate the AdminSDHolder Modification attack.

    Detect AdminSDHolder Modification Attack

    Detection of AdminSDHolder is straightforward and involves monitoring for changes to the Access Control List for this container.

    APPROACH

    Permission Change Detection

    DESCRIPTION

    Monitor for changes to the ACL of the AdminSDHolder container (“CN=AdminSDHolder,CN=System,DC=domain,DC=com,”) in all domains.

    PRODUCT: StealthDEFEND

    Prevent AdminSDHolder Attack

    Using blocking policies can prevent even administrative accounts from modifying the ACL of the AdminSDHolder container, ensuring this cannot be used for a persistence technique by an attacker.

    APPROACH

    Permission Change Blocking

    DESCRIPTION

    Block all changes to the ACL of the AdminSDHolder container (“CN=AdminSDHolder,CN=System,DC=domain,DC=com,”) in all domains.

    PRODUCT: StealthINTERCEPT

    DOWNLOAD OUR COMPLETE ATTACK-TO-PRODUCT MAPPING GUIDE

    Mitigate AdminSDHolder Attack

    In addition to monitoring for changes and blocking them going forward, it is best to perform an initial review and cleanup of the AdminSDHolder rights to ensure no inappropriate Access Control Entries exist.

    APPROACH

    Permission Clean Up

    DESCRIPTION

    Report on the AdminSDHolder permissions and clean up any inappropriate permissions that do not belong.

    PRODUCT: StealthAUDIT

    Seeing is believing.

    © 2021 Stealthbits Technologies, Inc.