Active Directory Administrator ‘Backdoor’

Today a Sunday security snippet. It is about Active Directory and its administration, and specifically about how someone who used to be an admin can leave behind a kind of 'backdoor' through which he can later make himself an administrator again.


It is mainly a small piece of information for pentesters and responsible administrators of Active Directory environments who are not yet aware of the problem. In short: an administrator removes his account only superficially, so that it no longer belongs to the circle of administrators. But he does this in such a way that he retains access to user administration and can later promote himself to administrator again.

When checking the members of the Administrators group, this would not be noticeable. So it is something like an invisible backdoor or a Trojan for administrators, a technique that attackers can also use if they have compromised a system and need an inconspicuous backdoor for later. I became aware of this topic through the following tweet by Kevin Beaumont.

The article with the explanation can be found in Pentest-Magazin under the title "Hiding in the Shadows at ''ManagedBy'' Attribute". Perhaps it is useful for one or the other administrator from this environment.
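As an added example (not code from this post or from the Pentest-Magazin article), the following PowerShell audit lists privileged groups whose ManagedBy principal also holds an ACE on the group's `member` attribute, which is what the "Manager can update membership list" option in Active Directory Users and Computers grants. The list of groups treated as privileged and the RSAT ActiveDirectory module are assumptions; adjust both to your forest.

```powershell
# Added example, not from the original post. Reports privileged groups whose
# ManagedBy principal can also modify membership, i.e. the combination a
# departed admin could leave behind. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute. "Manager can update membership list"
# grants the manager WriteProperty on exactly this attribute.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Assumed list; extend to whatever counts as privileged in your forest.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators', 'Backup Operators')

function Get-ManagedByRisk {
    param([string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties managedBy, nTSecurityDescriptor
    if (-not $group.managedBy) { return }   # no manager set, nothing to review

    # managedBy may point at a user or at a group; if it is a group, every
    # member of that group inherits the right, so it is reported as well.
    $manager    = Get-ADObject -Identity $group.managedBy -Properties objectSid
    $managerSid = [System.Security.Principal.SecurityIdentifier]$manager.objectSid
    $rights     = [System.DirectoryServices.ActiveDirectoryRights]

    # Allow ACEs on the group's DACL that belong to the manager principal.
    $aces = $group.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $managerSid
    }
    # WriteProperty on 'member' (or on all properties), or broader rights
    # that imply it, is what allows the manager to re-add an account.
    $canEditMembers = $aces | Where-Object {
        ($_.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -and
         ($_.ObjectType -eq $MemberAttrGuid -or $_.ObjectType -eq [Guid]::Empty)) -or
        $_.ActiveDirectoryRights.HasFlag($rights::GenericWrite) -or
        $_.ActiveDirectoryRights.HasFlag($rights::GenericAll)   -or
        $_.ActiveDirectoryRights.HasFlag($rights::WriteDacl)
    }

    [pscustomobject]@{
        Group          = $group.Name
        ManagedBy      = $manager.Name
        ManagerType    = $manager.ObjectClass
        CanEditMembers = [bool]$canEditMembers
    }
}

$PrivilegedGroups | ForEach-Object { Get-ManagedByRisk -GroupName $_ } | Format-Table -AutoSize
```

A row with CanEditMembers set to True deserves the same scrutiny as a direct member of that group, since the manager is not visible in a plain membership listing.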


This entry was posted in Security.
