Sneaky Persistence via Hidden Objects in AD

  • hide AD objects, such as a user account, so they do not show in Active Directory Users & Computers (ADUC)
  • hide a user so that it does not show up in queries
  • Create an OU with an innocuous name
  • Bury it somewhere in the hierarchy where it does not look out of place
  • Modify the default ACL on an OU
  • Add a Deny statement that prevents Everyone from ListChildren
$OUs = (Get-ADOrganizationalUnit -Filter *).DistinguishedName
ForEach ($OU in $OUs)
$OU | Out-File -FilePath C:\Temp\fishy.txt -Append
(Get-Acl $OU).Access | Where {(($_.ActiveDirectoryRights -like “*ListChildren*”) -or ($_.ActiveDirectoryRights -like “*ListObject*”)) -and ($_.AccessControlType -eq “Deny”)} | Out-File C:\Temp\fishy.txt -Append
Get-Content C:\Temp\fishy.txt | Select-String “ListChildren” -Context 9
#Show groups/users who can DCSync
#Also expands all nested groups/users in those groups
#If you don’t have a c:\Temp then just adjust that part of the script
$ErrorActionPreference = “SilentlyContinue”
Import-Module ActiveDirectory
Set-Location AD:
$owner = (Get-Acl (Get-ADDomain).DistinguishedName).owner
Write-Host “$owner owns this object. Owners have implicit privilege to do anything.”
$suspects = ((Get-ACL (Get-ADDomain).DistinguishedName).Access | Where {((($_.ActiveDirectoryRights -like “*ExtendedRight*”) -and (($_.ObjectType -eq “1131f6aa-9c07–11d1-f79f-00c04fc2dcd2”) -or ($_.ObjectType -eq “1131f6ad-9c07–11d1-f79f-00c04fc2dcd2”) -or ($_.ObjectType -eq “00000000–0000–0000–0000–000000000000”))) -or ($_.ActiveDirectoryRights -like “*GenericWrite*”) -or ($_.ActiveDirectoryRights -like “*GenericAll*”) -or ($_.ActiveDirectoryRights -like “*WriteDACL*”) -or ($_.ActiveDirectoryRights -like “*WriteOwner*”) -and ($_.AccessControlType -eq “Allow”))}).IdentityReferenceWrite-Host “These groups can execute DCSync. Nested users in those groups listed below:”
$suspects | Out-File C:\Temp\suspects.txt -Append
ForEach($suspect in $suspects)
$temp = ($suspect -split “ \ “)[0]
$group = ($temp.Split(“\”)[1])
$members = (Get-ADGroupMember -Identity $group -Recursive).Name
$members | Out-File C:\Temp\suspects.txt -Append
Get-Content C:\Temp\suspects.txt | Sort-Object -Unique



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.