Secure Bits
Did you know you can hide Domain Admins from standard discovery, even from other admins?
Active Directory is a "read-many" directory by design.
But List Object Mode (LOM) can change that.
Martin Handl shows how to leverage LOM to make Tier-0 accounts completely invisible to lower-tier admins.
How it works:
1️⃣ Enable List Object Mode (LOM)
Set dSHeuristics=001 in AD's Configuration partition. No restart needed; it takes effect instantly across the forest.
2️⃣ Use special ACL combinations:
On the parent OU: Deny List contents
On the Tier-0 object itself: Deny List object
Together, this hides the object, even if a user has read access on the directory.
3️⃣ Let the AdminSDHolder process do the work:
Apply custom ACLs to the AdminSDHolder container; those propagate automatically to all protected Tier-0 accounts every hour.
Bonus: Martin provides a PowerShell script to apply/revert this across any OU.
What's the effect?
From the viewpoint of Tier-1 or Tier-2 users (like helpdesk or server admins), the hidden accounts don't exist.
No group listing, no LDAP enumeration, no PowerShell output.
Use responsibly:
Hiding is not a replacement for proper security controls (Tiering, Security Baselines, LAPS, Role Separation, …). But it adds another layer: obscurity that frustrates attackers and tools alike.
Full post + PowerShell script by Martin Handl: https://www.linkedin.com/feed/update/urn:li:activity:7353348333903482880/
Hiding can also be used by an attacker: are you sure nothing hides in your Active Directory? How do you search for something like that?
PS: I got you covered, ADProbe can discover hidden accounts…
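The question above (how do you search for something like that?) can be answered with a plain audit of the three ingredients the post lists. The script below is an added example and is not Martin Handl's script nor ADProbe: it reads dSHeuristics to see whether List Object Mode is on (step 1), walks the domain for Deny ACEs carrying the "List contents" (ListChildren) or "List object" (ListObject) rights (step 2), and, because AdminSDHolder sits under CN=System, reports the same pattern there (step 3). It assumes the RSAT ActiveDirectory module and an account with unrestricted read, since a hidden object is also hidden from an under-privileged auditor; the function names are my own.

```powershell
# Added example, not the original post's script: audit for the LOM hiding pattern.
# Assumes: RSAT ActiveDirectory module, run as an account with full read (e.g. Domain Admin),
# otherwise the hidden objects are hidden from the audit as well.
Import-Module ActiveDirectory

function Get-ListObjectModeState {
    # Step 1 check: the third character of dSHeuristics set to '1' enables LOM forest-wide.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                          -Properties dSHeuristics
    $value = [string]$dsObj.dSHeuristics
    [pscustomobject]@{
        dSHeuristics   = $value
        ListObjectMode = ($value.Length -ge 3 -and $value[2] -eq '1')
    }
}

function Find-DenyListAces {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Step 2/3 check: Deny ACEs with ListChildren ("List contents") or ListObject.
    # With LOM active, a Deny List contents on the parent plus Deny List object on the
    # child is exactly what makes the child vanish for the denied trustee.
    $filter  = '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=user)(objectClass=group))'
    $targets = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter
    foreach ($obj in $targets) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }
            $rights = [int]$ace.ActiveDirectoryRights
            $deniesContents = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren) -ne 0
            $deniesObject   = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ListObject)   -ne 0
            if ($deniesContents -or $deniesObject) {
                [pscustomobject]@{
                    DistinguishedName  = $obj.DistinguishedName
                    ObjectClass        = $obj.ObjectClass
                    Trustee            = $ace.IdentityReference.Value
                    DeniesListContents = $deniesContents
                    DeniesListObject   = $deniesObject
                    IsInherited        = $ace.IsInherited
                }
            }
        }
    }
}

$state = Get-ListObjectModeState
"List Object Mode enabled: $($state.ListObjectMode) (dSHeuristics='$($state.dSHeuristics)')"

# One subtree walk from the domain root also covers CN=AdminSDHolder,CN=System,
# where a Deny List object ACE would be pushed to every protected account hourly.
$domainDN = (Get-ADDomain).DistinguishedName
$findings = Find-DenyListAces -SearchBase $domainDN
if (-not $findings) {
    "No Deny List contents / List object ACEs found under $domainDN"
} else {
    $findings | Sort-Object DistinguishedName | Format-Table -AutoSize
}
```

Read the two results together: Deny ACEs on ListChildren or ListObject are harmless noise while LOM is off, but once dSHeuristics has the third character set to 1 every pairing of a denied parent and a denied child is an object that part of your admin population cannot see, so each finding should map to an approved Tier-0 hiding decision or be treated as suspicious.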
