Securing Active Directory: How to Prevent the SDProp and adminSDHolder Attack
Attackers can get into your Active Directory by leveraging the SDProp process and gaining privileges through the adminSDHolder object. Here's how to stop them.
Attackers use every possible trick and process they can to get into your Active Directory environment by moving laterally and gaining privileges. One such method is to leverage the Security Descriptor Propagation (SDProp) process and gain privileges through the adminSDHolder object.
The brief history of the SDProp process goes back to the early 2000s. Administrators were breaking what privileged groups could do in Active Directory when the access control list of the privileged group was changed in error. Microsoft fixed this by introducing the SDProp process, which used the adminSDHolder objects’ access control list (ACL) and the adminCount attribute of both users and groups.
The process works like this:
- Every 60 minutes, the SDProp process runs.
- The SDProp process copies the ACL from the adminSDHolder object, shown in Figure 1.
- The ACL from adminSDHolder is then pasted onto every user and group with an adminCount = 1, as you can see in Figure 2.
Figure 1. adminSDHolder object ACL.
Figure 2. Group with adminCount = 1.
You can see this process in action by looking at the replication trail flow between domain controllers (Figure 3).
Figure 3. SDProp process updates the ACL on all users and groups with adminCount = 1.
Attackers realized that if they add a rogue user or group to the adminSDHolder ACL, when the SDProp process ran, they would be added to every privileged user and group automatically. Even if the user or group was manually removed from the ACL of the privileged user or group, the SDProp process would add them back 60 minutes later.
Thus, it is necessary to constantly evaluate the adminSDHolder ACL and accounts that have an adminCount = 1 (but shouldn’t), as these are attack pathways into Active Directory.
Tenable.ad is constantly looking at these attack pathways and will send an alert when one opens. You can see this in the Indicators of Exposure (IoE) shown in Figure 4.
Figure 4. IoE clearly show attacks using the SDProp process and adminCount attribute.
Being able to see all aspects of an attack in real time enables the security team to react swiftly to prevent any further damage in Active Directory and safeguard the controls and information that users have access to.
For more information on this topic and strategies for strengthening your own Active Directory security, visit our Tenable.ad product page.
This blog post originally appeared on the Alsid website on July 14, 2020.
Related Articles
Cybersecurity Snapshot: CISA Shines Light on Cloud Security and on Hybrid IAM Systems’ Integration
March 15, 2024Check out CISA’s latest best practices for protecting cloud environments, and for securely integrating on-prem and cloud IAM systems. Plus, catch up on the ongoing Midnight Blizzard attack against Microsoft. And don’t miss the latest CIS Benchmarks. And much more!
Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft
February 1, 2024The latest breach suffered by Microsoft shows once again that detection and response are not enough. Because the source of an attack almost always boils down to a single overlooked user and permission, it’s critical for organizations to have strong preventive security.
Cybersecurity Snapshot: What’s in Store for 2024 in Cyberland? Check Out Tenable Experts’ Predictions for OT Security, AI, Cloud Security, IAM and more
December 29, 2023The new year is upon us, and so we ponder the question: What cybersecurity trends will shape 2024? To find out, we asked Tenable experts to read the tea leaves. Their 2024 forecasts include: A bigger security role for cloud architects; a focus by ransomware gangs on OT systems in critical industries; an intensification of IAM attacks; and much more!
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Active Directory