Today a Sunday security snippet. It's about Active Directory and its administration, including the question of how someone who used to be an admin can leave behind a kind of 'backdoor', through which he could later make himself an administrator again.
Advertising
It is mainly an info splitter for pentesters and responsible administrators of Active Directory environments who don't know the problem yet. In short: An administrator removes his account superficially – so he doesn't belong to the circle of administrators anymore. But he does this step in such a way that he later has access to the user administration again and can upgrade himself to administrator.
When controlling the users of the Administrators group, this would not be noticeable. So it would be something like an invisible backdoor or a Trojan for administrators – a technique that hackers can also use if they have compromised a system and need a backdoor for later that doesn't attract attention. I became aware of this topic through the following tweet by Kevin Beaumont.
One for red teams and haxxors – great blog by @huykh4 around a new technique to backdoor Active Directory Domain Admins so you can add yourself in at any time later, even when not an admin. Trojan Domain Admin basically. https://t.co/5ZgcEDXLwO
— Kevin Beaumont (@GossiTheDog) 12. Juli 2019
The article with the explanations can be found now within the Pentest-Magazin Hiding in the Shadows at ''ManagedBy'' Attribute. Perhaps it is useful for one or the other administrator from this environment.
