Attack Chain

1. The attacker gains initial access to a privileged account capable of modifying Active Directory attributes.
2. The attacker identifies the AdminSDHolder object and the groups currently protected by SDProp.
3. The attacker modifies the dsHeuristics attribute using tools like ADSI Edit or PowerShell to exclude specific privileged groups (e.g., Domain Admins) from SDProp. This involves manipulating the binary representation of the attribute value.
4. The attacker makes unauthorized changes to the permissions, group memberships, or other security settings of the excluded groups.
5. SDProp no longer resets the permissions of the excluded groups to match the AdminSDHolder object, effectively preserving the attacker’s modifications.
6. The attacker leverages their persistent access to the compromised privileged accounts and groups to perform lateral movement, escalate privileges, and access sensitive data.
7. The attacker may create new accounts and add them to the excluded groups, granting them persistent access to the domain.
8. The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or complete domain compromise, using the persistently compromised accounts and groups.

Impact

Successful exploitation allows attackers to maintain persistent access to privileged accounts, even after security configurations are supposedly reset by SDProp. This persistence can lead to widespread damage, including complete domain compromise, data exfiltration, and ransomware deployment. The scope of the impact depends on the level of access granted to the compromised accounts. If Domain Admins are compromised, the entire Active Directory forest can be considered at risk.

Recommendation

• Enable “Audit Directory Service Changes” and monitor Windows Security Event Logs for Event ID 5136 with AttributeLDAPDisplayName : "dSHeuristics" to detect modifications to the dsHeuristics attribute.
• Deploy the Sigma rule “AdminSDHolder SDProp Exclusion Added” to your SIEM to detect suspicious modifications to the dsHeuristics attribute. Tune the rule based on your environment and known directory configuration workflows.
• Investigate any detected modifications to the dsHeuristics attribute, focusing on the winlog.event_data.OperationType and winlog.event_data.AttributeValue fields to determine the nature of the change and the groups affected.
• Correlate Event ID 5136 with Event ID 4624 (An account was successfully logged on) using winlog.event_data.SubjectLogonId to identify the source of the directory change.
• Regularly review and validate the configuration of the AdminSDHolder object and the dsHeuristics attribute to ensure that privileged groups are properly protected by SDProp.