Dynamic Objects in Active Directory: The Stealthy Threat

Source: Tenable Blog

Author: Antoine Cauchois

URL: https://www.tenable.com/blog/active-directory-dynamic-objects-stealthy-threat

ONE SENTENCE SUMMARY:

Active Directory dynamic objects enable stealthy attacks by self-deleting without tombstones, leaving only confusing artifacts and requiring real-time detection.

MAIN POINTS:

  1. Dynamic objects use a TTL timer to self-destruct via the AD garbage collector.
  2. Expired dynamic objects bypass the Recycle Bin and tombstones, so no directory-side forensic metadata survives them.
  3. Garbage collection can lag up to 15 minutes behind expiry, leaving a brief window in which the object can still be inspected live.
  4. entryTTL and msDS-Entry-Time-To-Die jointly represent countdown and absolute expiration.
  5. TTL limits are governed by msDS-Other-Settings, including minimum and default lifetimes.
  6. Attackers can create self-deleting dynamic computer accounts so that machine-account quota (MAQ) abuse leaves no evidence behind.
  7. primaryGroupID can reference a dynamic group, yielding invisible membership and later corruption.
  8. Orphan SIDs persist in ACLs, including AdminSDHolder, polluting Tier-0 permissions visibility.
  9. Dynamic GPOs can execute via a malicious gPCFileSysPath and then vanish, leaving only broken gPLink entries as a trace.
  10. Entra Connect may miss dynamic deletions, leaving orphaned but still functional cloud users indefinitely.
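Because the directory-side evidence disappears at expiry, the practical detection is a recurring snapshot of live dynamic objects taken more often than the minimum TTL allows them to live. The following PowerShell is an added example, not code from the Tenable post: it reads the forest TTL policy from msDS-Other-Settings, enumerates every object carrying the dynamicObject auxiliary class, computes the remaining lifetime from msDS-Entry-Time-To-Die, flags the classes the post calls out (computer, group, groupPolicyContainer), and writes the snapshot to CSV. It assumes the RSAT ActiveDirectory module and read access to the domain and configuration naming contexts; the output file name is a constructed choice.

```powershell
# Added example, not from the Tenable post: snapshot live dynamic objects and the
# forest TTL policy so they can be inspected before the garbage collector removes them.
# Requires the RSAT ActiveDirectory module and read access to the domain and
# configuration naming contexts. Schedule it more often than DynamicObjectMinTTL.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# 1. Forest TTL bounds. msDS-Other-Settings on the Directory Service object is a
#    multi-valued list of "Name=Value" strings including DynamicObjectMinTTL and
#    DynamicObjectDefaultTTL (seconds). When a name is absent the built-in defaults
#    apply (900 s minimum, 86400 s default).
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                         -Properties 'msDS-Other-Settings'
$ttlPolicy = @{}
foreach ($setting in $dsObject.'msDS-Other-Settings') {
    $name, $value = $setting -split '=', 2
    $ttlPolicy[$name] = $value
}
Write-Host ("TTL policy: DynamicObjectMinTTL={0} DynamicObjectDefaultTTL={1}" -f `
    $ttlPolicy['DynamicObjectMinTTL'], $ttlPolicy['DynamicObjectDefaultTTL'])

# 2. Live dynamic objects. Filter on the auxiliary class, not on entryTTL: entryTTL is
#    constructed from msDS-Entry-Time-To-Die at read time and cannot be used in an LDAP
#    filter, whereas the objectClass value is stored with the object.
$props = 'objectClass', 'whenCreated', 'entryTTL', 'msDS-Entry-Time-To-Die', 'primaryGroupID', 'gPCFileSysPath'
$dynamicObjects = Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' `
                               -SearchBase $rootDse.defaultNamingContext `
                               -Properties $props

# Structural classes the post identifies as abuse paths; flag them for priority triage.
$highInterest = @('computer', 'group', 'groupPolicyContainer')

$now = (Get-Date).ToUniversalTime()
$report = foreach ($obj in $dynamicObjects) {
    $dies = $obj.'msDS-Entry-Time-To-Die'
    if ($dies -is [string]) {
        # Generalized-Time string (e.g. 20250101120000.0Z) if the cmdlet left it unconverted
        $dies = [DateTime]::ParseExact($dies, 'yyyyMMddHHmmss.0Z', [cultureinfo]::InvariantCulture,
                                       [System.Globalization.DateTimeStyles]::AssumeUniversal)
    }
    $remaining = if ($dies) { [int]($dies.ToUniversalTime() - $now).TotalSeconds } else { $null }
    # objectClass may come back as a single string or as the full class list; take the
    # most-derived structural class after dropping top and the auxiliary dynamicObject.
    $structural = @($obj.objectClass) | Where-Object { $_ -notin 'top', 'dynamicObject' } | Select-Object -Last 1
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        Class             = $structural
        HighInterest      = $highInterest -contains $structural
        WhenCreated       = $obj.whenCreated
        TimeToDieUtc      = $dies
        EntryTTL          = $obj.entryTTL
        SecondsRemaining  = $remaining
        # Expired but still present: the garbage collector has not run yet (up to 15 min lag)
        AwaitingGC        = ($null -ne $remaining -and $remaining -le 0)
        PrimaryGroupID    = $obj.primaryGroupID
        GpcFileSysPath    = $obj.gPCFileSysPath
    }
}

# Persist the snapshot: once the object is garbage-collected there is no tombstone to return to.
$stamp = $now.ToString('yyyyMMddTHHmmssZ')
$report | Export-Csv -NoTypeInformation -Path ".\dynamic-objects-$stamp.csv"
$report | Sort-Object SecondsRemaining |
    Format-Table Class, HighInterest, SecondsRemaining, AwaitingGC, DistinguishedName -AutoSize
```

Rows with AwaitingGC set to true are the 15-minute window the post describes: the object has passed its time-to-die but the garbage collector has not yet removed it, so this is the last chance to read its attributes directly. Any dynamic computer, group or groupPolicyContainer should be treated as an alert, not a curiosity, since legitimate use of dynamic objects for those classes is rare.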

TAKEAWAYS:

  1. Favor in-flight detection over post-mortems because directory evidence can fully disappear.
  2. Monitor and alert on creation of objects with entryTTL or msDS-Entry-Time-To-Die set.
  3. Reduce attack surface by setting ms-DS-MachineAccountQuota to zero where feasible.
  4. Hunt for inconsistencies: unresolved SIDs, broken gPLinks, corrupted primaryGroupID references.
  5. Validate hybrid identity hygiene by detecting and remediating Entra ID orphans from dynamic objects.
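When the object is already gone, takeaway 4 is what remains: the residue it left in other objects. The following PowerShell is an added example, not code from the Tenable post, covering the three inconsistencies the post names: unresolved SIDs in the AdminSDHolder ACL, gPLink entries whose Group Policy Container no longer exists, and primaryGroupID values whose group no longer exists. It assumes the RSAT ActiveDirectory module and read access to the domain; the finding labels and output file name are constructed.

```powershell
# Added example, not from the Tenable post: hunt for the residue an expired dynamic
# object leaves behind in objects that outlive it. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$domainSid = $domain.DomainSID.Value

# 1. Orphan SIDs in AdminSDHolder. SDProp stamps this ACL onto every protected
#    (adminCount=1) object, so an unresolvable ACE here reaches Tier-0 principals.
#    Get-Acl translates each ACE to an account name when it can; a SID that no longer
#    maps to any object is left as its raw S-1-5-21-... string.
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$domainDn"
$acl = Get-Acl -Path "AD:\$adminSdHolderDn"
$orphanAces = foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -like 'S-1-5-21-*') {
        [pscustomobject]@{
            Finding = 'UnresolvedSidInAdminSDHolder'
            Where   = $adminSdHolderDn
            Value   = $ace.IdentityReference.Value
            Detail  = "$($ace.AccessControlType) $($ace.ActiveDirectoryRights)"
        }
    }
}

# 2. Broken gPLinks. gPLink is a string of "[LDAP://<GPC DN>;<options>]" entries; a link
#    whose GPC has been garbage-collected stays in the attribute. This searches the domain
#    NC; site links live under the configuration NC and need a second pass with that base.
$linkedContainers = Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase $domainDn -Properties gPLink
$brokenLinks = foreach ($container in $linkedContainers) {
    foreach ($m in [regex]::Matches($container.gPLink, '\[LDAP://([^;\]]+);(\d+)\]', 'IgnoreCase')) {
        $gpcDn  = $m.Groups[1].Value
        $exists = $false
        try { $null = Get-ADObject -Identity $gpcDn -ErrorAction Stop; $exists = $true } catch { }
        if (-not $exists) {
            [pscustomobject]@{
                Finding = 'BrokenGpLink'
                Where   = $container.DistinguishedName
                Value   = $gpcDn
                Detail  = "link options=$($m.Groups[2].Value)"
            }
        }
    }
}

# 3. primaryGroupID pointing at a group that no longer exists. The attribute holds the
#    group's RID; its SID is <domain SID>-<RID>. Membership through primaryGroupID never
#    shows up in the group's member attribute, so this RID is the only trace left.
#    (objectClass=user) also matches computer accounts, which derive from user.
$accounts = Get-ADObject -LDAPFilter '(&(objectClass=user)(primaryGroupID=*))' `
                         -SearchBase $domainDn -Properties primaryGroupID, sAMAccountName
$ridExists = @{}
$danglingPrimaryGroups = foreach ($acct in $accounts) {
    $rid = [int]$acct.primaryGroupID
    if (-not $ridExists.ContainsKey($rid)) {
        try   { $null = Get-ADGroup -Identity "$domainSid-$rid" -ErrorAction Stop; $ridExists[$rid] = $true }
        catch { $ridExists[$rid] = $false }
    }
    if (-not $ridExists[$rid]) {
        [pscustomobject]@{
            Finding = 'DanglingPrimaryGroupID'
            Where   = $acct.DistinguishedName
            Value   = "$domainSid-$rid"
            Detail  = "sAMAccountName=$($acct.sAMAccountName) primaryGroupID=$rid"
        }
    }
}

$findings = @($orphanAces) + @($brokenLinks) + @($danglingPrimaryGroups)
$findings | Export-Csv -NoTypeInformation -Path '.\ad-dynamic-residue.csv'
$findings | Format-Table Finding, Where, Value, Detail -AutoSize
```

None of these findings proves a dynamic object was involved; deleted groups and GPOs leave the same residue. The difference is that an ordinary deletion can be correlated with a tombstone or Recycle Bin entry, while a dynamic one cannot, so a finding with no matching deleted object in the Recycle Bin is the signature to escalate.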