AdminSDHolder Backdoor
Detects modifications to the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, they are reset to match those of the domain's AdminSDHolder object, so an attacker who has added their own permissions to AdminSDHolder regains administrative privileges over every protected account and group.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/01/31"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent
backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the
AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on
the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their
Administrative Privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "AdminSDHolder Backdoor"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AdminSDHolder Backdoor

The AdminSDHolder object in Active Directory is crucial for maintaining consistent permissions across privileged accounts. It ensures that any changes to these accounts are reverted to match the AdminSDHolder's settings. Adversaries exploit this by modifying the AdminSDHolder to create persistent backdoors, regaining administrative privileges. The detection rule identifies such abuses by monitoring specific directory service changes, focusing on modifications to the AdminSDHolder object, thus alerting security teams to potential threats.

### Possible investigation steps

- Review the event logs for entries with event.code:5136 to identify specific changes made to the AdminSDHolder object.
- Examine the winlog.event_data.ObjectDN field to confirm the object path is CN=AdminSDHolder,CN=System* and verify the nature of the modifications.
- Identify the user account responsible for the changes by checking the event logs for the associated user information.
- Investigate the history of the identified user account to determine if there are any other suspicious activities or patterns of behavior.
- Assess the current permissions on the AdminSDHolder object and compare them with the expected baseline to identify unauthorized changes.
- Check for any recent changes in group memberships or permissions of privileged accounts that could indicate exploitation of the AdminSDHolder backdoor.
- Collaborate with the IT or security team to determine if the changes were authorized or if further action is needed to secure the environment.

### False positive analysis

- Routine administrative changes to the AdminSDHolder object can trigger alerts. To manage this, establish a baseline of expected changes and create exceptions for these known activities.
- Scheduled maintenance or updates to Active Directory may result in temporary modifications to the AdminSDHolder object. Document these events and exclude them from triggering alerts during the maintenance window.
- Automated scripts or tools used for Active Directory management might modify the AdminSDHolder object as part of their normal operation. Identify these tools and whitelist their activities to prevent false positives.
- Changes made by trusted security personnel or systems should be logged and reviewed. Implement a process to verify and exclude these changes from alerting if they are part of approved security operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or privilege escalation.
- Revert any unauthorized changes to the AdminSDHolder object by restoring it from a known good backup or manually resetting its permissions to the default secure state.
- Conduct a thorough review of all privileged accounts and groups to ensure their permissions align with organizational security policies and have not been altered to match the compromised AdminSDHolder settings.
- Reset passwords for all accounts that were potentially affected or had their permissions altered, focusing on privileged accounts to prevent adversaries from regaining access.
- Implement additional monitoring on the AdminSDHolder object and other critical Active Directory objects to detect any future unauthorized modifications promptly.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach, including identifying any other compromised systems or accounts.
- Review and update access control policies and security configurations to prevent similar attacks, ensuring that only authorized personnel have the ability to modify critical Active Directory objects."""
references = [
    "https://adsecurity.org/?p=1906",
    "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder",
]
risk_score = 73
rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.code:5136 and winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.002"
name = "Domain Accounts"
reference = "https://attack.mitre.org/techniques/T1078/002/"


[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
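As an added example (not part of the Elastic rule or of this page), the rule's match condition and the first two triage steps applied in Python to a few constructed ECS-style event documents. The domain, usernames and the approved-automation allowlist are made up; SubjectUserName and AttributeLDAPDisplayName are the standard event 5136 data fields that identify the actor and the attribute that changed.

```python
from typing import Any
# Prefix taken from the rule's own KQL: CN=AdminSDHolder,CN=System*
ADMINSDHOLDER_PREFIX = "cn=adminsdholder,cn=system"

# Constructed sample documents shaped like ECS events from winlogbeat or the
# Elastic Windows integration; the domain and usernames are made up.
SAMPLE_EVENTS = [
    {"event": {"code": "5136"}, "winlog": {"event_data": {
        "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor",
        "SubjectUserName": "jdoe"}}},
    {"event": {"code": "5136"}, "winlog": {"event_data": {
        "ObjectDN": "CN=Finance,OU=Groups,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "member", "SubjectUserName": "jdoe"}}},
    {"event": {"code": "5137"}, "winlog": {"event_data": {  # 5137 = created
        "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "objectClass", "SubjectUserName": "jdoe"}}},
    {"event": {"code": "5136"}, "winlog": {"event_data": {
        "ObjectDN": "cn=adminsdholder,cn=system,DC=corp,DC=example",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor",
        "SubjectUserName": "svc_adtool"}}},
]

def field(doc: dict, path: str) -> Any:
    """Walk a dotted ECS path such as winlog.event_data.ObjectDN."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def matches_rule(doc: dict) -> bool:
    """Mirror of the KQL: event.code:5136 and an ObjectDN prefix match.
    LDAP DNs compare case-insensitively, so the prefix test folds case."""
    if str(field(doc, "event.code")) != "5136":
        return False
    dn = field(doc, "winlog.event_data.ObjectDN")
    return isinstance(dn, str) and dn.lower().startswith(ADMINSDHOLDER_PREFIX)

def triage(docs: list, approved_actors: frozenset = frozenset()) -> list:
    """Apply the rule, then attach the actor and changed attribute the guide
    asks for; hits from baselined automation are kept but not flagged."""
    alerts = []
    for doc in docs:
        if matches_rule(doc):
            actor = field(doc, "winlog.event_data.SubjectUserName")
            attr = field(doc, "winlog.event_data.AttributeLDAPDisplayName")
            alerts.append({"actor": actor, "attribute": attr,
                           "needs_review": actor not in approved_actors})
    return alerts
```

Allowlisted automation still produces an alert record here, so the baseline is auditable rather than silently dropped, which is what the false-positive section asks for.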
Related rules
- Account Configured with Never-Expiring Password
- Active Directory Group Modification by SYSTEM
- AdminSDHolder SDProp Exclusion Added
- KRBTGT Delegation Backdoor
- Potential Privileged Escalation via SamAccountName Spoofing