{"id":10453,"date":"2019-07-14T00:46:00","date_gmt":"2019-07-13T22:46:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=10453"},"modified":"2019-08-16T20:34:38","modified_gmt":"2019-08-16T18:34:38","slug":"active-directory-administrator-backdoor-technik","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/07\/14\/active-directory-administrator-backdoor-technik\/","title":{"rendered":"Active Directory Administrator &lsquo;Backdoor&rsquo;"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>Today a Sunday security snippet. It's about Active Directory and its administration, including the question of how someone who used to be an admin can leave behind a kind of 'backdoor', through which he could later make himself an administrator again.<\/p>\n<p><!--more--><\/p>\n<p>It is mainly an info snippet for pentesters and responsible administrators of Active Directory environments who aren't yet aware of the problem. In short: An administrator superficially removes his account from the administrators &#8211; so he no longer belongs to that circle. But he takes this step in such a way that he can later regain access to the user administration and promote himself back to administrator.<\/p>\n<p>When checking the members of the Administrators group, this would not be noticeable. So it would be something like an invisible backdoor or a Trojan for administrators &#8211; a technique that hackers can also use if they have compromised a system and need a backdoor for later that doesn't attract attention. 
I became aware of this topic through the following tweet by Kevin Beaumont.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\">One for red teams and haxxors &#8211; great blog by @huykh4 around a new technique to backdoor Active Directory Domain Admins so you can add yourself in at any time later, even when not an admin. Trojan Domain Admin basically. <a href=\"https:\/\/t.co\/5ZgcEDXLwO\">https:\/\/t.co\/5ZgcEDXLwO<\/a><\/p>\n<p>\u2014 Kevin Beaumont (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1149702972319969280?ref_src=twsrc%5Etfw\">12. Juli 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The article with the explanations can now be found in\u00a0Pentest Magazine:\u00a0<a href=\"https:\/\/pentestmag.com\/hiding-in-the-shadows-at-managedby-attribute\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Hiding in the Shadows at ''ManagedBy'' Attribute<\/a>. Perhaps it is useful for some administrators working in such environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today a Sunday security snippet. 
It's about Active Directory and its administration, including the question of how someone who used to be an admin can leave behind a kind of 'backdoor', through which he could later make himself an administrator &hellip; <a href=\"https:\/\/borncity.com\/win\/2019\/07\/14\/active-directory-administrator-backdoor-technik\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-10453","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=10453"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/10453\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=10453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=10453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=10453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}