RODC Manage

Description

The Source security principal is found in the "ManagedBy" attribute of the Target Read-Only Domain Controller (RODC). This means that the Source has administrative rights over the Target RODC.

Note: Other Active Directory object types use the same "ManagedBy" attribute for informational purposes only, and do not give any administrative rights to the declared manager. Therefore, this relation exists only for Target nodes of the RODC type.

RODCs are less sensitive than the more common writable Domain Controllers, but they are still a high-value target for attackers because the credentials cached on an RODC can be extracted and used to pivot further to other systems. How much is exposed depends on the level of hardening in the RODC's configuration – for example, the number of objects with secrets that it is allowed to synchronize (its Password Replication Policy).

Exploitation

The exploitation method is identical to that of the "AdminTo" relation.

Attackers who compromise the Source security principal can use its identity to connect remotely and execute commands on the Target RODC with administrative rights. They can exploit available native protocols such as Server Message Block (SMB) with administrative shares, Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), Remote Procedure Call (RPC), Windows Remote Management (WinRM), etc.

Attackers can use native remote administration tools such as PsExec, services, scheduled tasks, Invoke-Command, etc., or specialized hacker tools such as wmiexec, smbexec, Invoke-DCOM, SharpRDP, etc.

The attack's final goal can either be to compromise the Target RODC or to use credential dumping tools such as mimikatz to obtain more credentials and secrets to pivot to other machines.

Remediation

If the Source security principal is not a legitimate administrator of the Target Read-Only Domain Controller (RODC), then you must replace it with a proper administrator.

Note that Domain Admins do not generally administer RODCs, hence the dedicated "managed by" setting. This is because RODCs have a lower trust level and high-privilege Domain Admins should not expose their credentials by authenticating on them.

Therefore, you must select a proper "middle-level" administrator for RODCs according to your Active Directory RODC rules – for example, the IT administrator of an organization's local branch where they are located.

To change the "ManagedBy" attribute:

  1. In "Active Directory Users and Computers", select the RODC > Properties > "ManagedBy" tab.

  2. Click Change.

You can also run the following command in PowerShell:

 Set-ADComputer <rodc> -ManagedBy (Get-ADUser <rodc_admin>)
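Before changing the attribute it helps to know which RODCs are affected and who their declared managers are. The following audit script is an added example and is not part of the original page: it lists every RODC in the current domain, reads its "ManagedBy" attribute, and flags managers that are missing, that belong to high-privilege groups (the situation the note above warns against), or that are not on an allow-list of approved branch administrators. It requires the ActiveDirectory PowerShell module (RSAT); the allow-list contents and the account names in the usage line are constructed placeholders.

```powershell
# Added example, not from the original page: audit the "ManagedBy" attribute of every
# Read-Only Domain Controller in the current domain and report managers that are missing,
# high-privilege, or not on the approved list. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Built-in groups whose members should not be declared managers of an RODC, because
# administering one means authenticating on a lower-trust host.
$HighPrivilegeGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# Hypothetical allow-list (constructed for this example): sAMAccountNames of the
# "middle-level" branch administrators approved to manage RODCs.
$ApprovedManagers = @('paris-branch-admin', 'lyon-branch-admin')

function Get-PrivilegedPrincipalDNs {
    # Expand each high-privilege group recursively so nested membership is caught too.
    $dns = foreach ($group in $HighPrivilegeGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName
    }
    $dns | Sort-Object -Unique
}

function Get-RodcManagerReport {
    $privilegedDNs = Get-PrivilegedPrincipalDNs

    # Get-ADDomainController exposes IsReadOnly; ComputerObjectDN points at the computer object
    # that actually carries the ManagedBy attribute.
    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties ManagedBy
        $status   = 'OK'
        $manager  = $null

        if (-not $computer.ManagedBy) {
            $status = 'NO MANAGER SET'
        } else {
            # ManagedBy holds the DN of a user or a group.
            $managerObj = Get-ADObject -Identity $computer.ManagedBy -Properties sAMAccountName
            $manager    = $managerObj.sAMAccountName

            # Principals effectively holding the manager role: the object itself, plus its
            # recursive members when the manager is a group.
            $effectiveDNs = @($computer.ManagedBy)
            if ($managerObj.ObjectClass -eq 'group') {
                $effectiveDNs += Get-ADGroupMember -Identity $computer.ManagedBy -Recursive -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty DistinguishedName
            }

            if ($effectiveDNs | Where-Object { $privilegedDNs -contains $_ }) {
                $status = 'HIGH-PRIVILEGE MANAGER'
            } elseif ($ApprovedManagers -notcontains $manager) {
                $status = 'MANAGER NOT ON ALLOW-LIST'
            }
        }

        [pscustomobject]@{
            RODC    = $rodc.HostName
            Manager = $manager
            Status  = $status
        }
    }
}

# Usage: review the findings, then fix a flagged RODC. Run with -WhatIf first to preview
# the change; the RODC name and account below are constructed placeholders.
Get-RodcManagerReport | Format-Table -AutoSize
# Set-ADComputer -Identity 'RODC01$' -ManagedBy (Get-ADUser 'paris-branch-admin') -WhatIf
```

Run it from a workstation with RSAT as an account that can read the computer objects; no changes are made until you remove -WhatIf from the Set-ADComputer line. Re-running the report after the fix confirms that the RODC now shows the intended "middle-level" administrator with status OK.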

See also