DynamicPacks SmartProfiler for Active Directory can check Risky Items to eliminate security threats

DynamicPacks SmartProfiler for Active Directory Security Console (ADSC) can check Risky Items and their status in Active Directory forests to eliminate security threats completely and also ships with a powerful scheduler to scan for issues and notify
 
BELLEVILLE, Ontario - June 28, 2023 - PRLog -- When it comes to assessing the security of Active Directory, two crucial aspects demand attention: the possibility of an ongoing attack and the likelihood of a previous compromise. When evaluating the status of risky items in Active Directory, it is essential to consider both perspectives: investigating for signs of a potential compromise and determining if an active attack is underway. Drawing from my experience working with Active Directory and referencing both the ANSSI and MITRE frameworks, DynamicPacks Technologies has managed to compile a list of risky items and included it in the free version of SmartProfiler-Active Directory Security Console.

In Active Directory, certain objects remain hidden from regular users but can be recognized and examined by Active Directory experts or potential attackers. Though there are many such objects and containers, I would like to focus on the AdminSDHolder container, which directly impacts the privileged groups and admin accounts. The AdminSDHolder container is intentionally not visible to normal users, as non-domain users typically do not interact with it. This container serves as a critical component within Active Directory because it contains essential permissions for privileged accounts and groups. Every domain in Active Directory possesses an AdminSDHolder container, which signifies to the system that the permissions assigned to the AdminSDHolder object hold authority over the entire domain. The default permissions assigned to the AdminSDHolder object are designed to safeguard the domain from unauthorized access and malicious intruders.

If any alterations are detected on the AdminSDHolder container's permissions, it indicates that either a compromise has already occurred or an attack is underway. When inspecting the AdminSDHolder container, you must inspect the following aspects:
  • Ensure the AdminSDHolder object was not modified recently (in the last 30 days).
  • Ensure no "Full Control" or "Write" permission on AdminSDHolder is granted to "non-domain User" accounts.
  • Ensure there are no orphaned Admins on the AdminSDHolder container.
  • Ensure no groups are excluded from the SDProp process.
  • Ensure inheritance on AdminSDHolder is disabled.
  • Ensure the SDProp (Security Descriptor Propagator) interval was not modified.
All of the above AdminSDHolder container elements, as well as other Active Directory risky items and their status, can be checked using the free version of SmartProfiler for Active Directory Security Console.
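
The six checks listed above can also be reviewed read-only with the ActiveDirectory PowerShell module. This is an added example, not code from SmartProfiler or DynamicPacks. Its assumptions: the expected-trustee allow-list, reading "orphaned Admins" as adminCount=1 users that are no longer in a protected group, and running it on the PDC emulator.

```powershell
# Added example (not SmartProfiler code): read-only review of AdminSDHolder.
# Assumption: run on the PDC emulator, which runs SDProp, with the RSAT AD module.
Import-Module ActiveDirectory

$root   = Get-ADRootDSE
$dn     = "CN=AdminSDHolder,CN=System,$($root.defaultNamingContext)"
$holder = Get-ADObject -Identity $dn -Properties whenChanged
$acl    = Get-Acl -Path "AD:\$dn"

# Assumption: trustees expected to hold write-class rights; adjust per forest.
$expected  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '*\Domain Admins', '*\Enterprise Admins'
# Specific bits only: GenericAll/GenericWrite ACEs contain them and still match.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'
$risky = $acl.Access | Where-Object {
    $ace = $_
    $ace.AccessControlType -eq 'Allow' -and
    ([int]($ace.ActiveDirectoryRights -band $writeMask) -ne 0) -and
    -not ($expected | Where-Object { $ace.IdentityReference.Value -like $_ })
}

# Assumption: "orphaned admin" = user with adminCount=1 outside every protected group.
$protected = Get-ADGroup -LDAPFilter '(adminCount=1)' |
    Get-ADGroupMember -Recursive |
    Select-Object -ExpandProperty distinguishedName -Unique
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' | Where-Object {
    $_.DistinguishedName -notin $protected -and $_.SamAccountName -ne 'krbtgt'
}

# SDProp exclusions: 16th character of dSHeuristics is non-zero when
# operator groups have been excluded from AdminSDHolder protection.
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
$h    = [string](Get-ADObject -Identity $dsDn -Properties dSHeuristics).dSHeuristics
$excluded = $h.Length -ge 16 -and $h[15] -ne '0'

# SDProp interval: AdminSDProtectFrequency is absent unless someone changed it.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue

[pscustomobject]@{
    ModifiedLast30Days    = $holder.whenChanged -gt (Get-Date).AddDays(-30)
    InheritanceDisabled   = $acl.AreAccessRulesProtected
    UnexpectedWriteAces   = @($risky | ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" })
    OrphanedAdmins        = @($orphans | ForEach-Object SamAccountName)
    SDPropGroupsExcluded  = $excluded
    SDPropIntervalSeconds = $ntds.AdminSDProtectFrequency   # empty = not modified
}
```

Default property-scoped write ACEs may appear in UnexpectedWriteAces until the allow-list is tuned for the forest.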

Download SmartProfiler for Active Directory Security Console from here:
https://microsoft-assessment.com/checking-status-of-risky...

Contact
DynamicPacks Tech
Nirmal Sharma
***@dynamicpacks.net
Tags:AD risky Items
Industry:Technology
Location:Belleville - Ontario - Canada