H3-2023-0029

Password in Active Directory User Attribute

Category SECURITY_MISCONFIGURATION
Base Score 4.3

Description

User objects in Active Directory carry attributes that a privileged user can add, delete or edit. Several of these attributes may hold cleartext passwords used by third-party software that integrates with AD over LDAP, and such values are exposed to any account permitted to read the attribute. These fields include userPassword, unicodePwd, UnixUserPassword, and sfupassword.

Impact

An authenticated attacker who can read these attributes can harvest the stored values and, where a value is cleartext and also valid for the domain account, use it to authenticate to the domain, leading to Domain User Compromise.
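The following audit script is an added example and is not part of the advisory or the scanning product's own code. It uses the RSAT ActiveDirectory module to find user objects with any of the readable password-bearing attributes populated, reports each value redacted, and offers a dry-run remediation that clears only the attributes actually set. It assumes that msSFU30Password is the Services for UNIX attribute the advisory refers to as "sfupassword"; unicodePwd is left out of the LDAP filter because AD never returns it in a search, so it cannot be audited this way.

```powershell
# Added audit example (not from the advisory). Requires the RSAT
# ActiveDirectory module and read access to the attributes listed below.
Import-Module ActiveDirectory

# Readable attributes to check. unicodePwd is omitted: AD does not return it
# in LDAP searches. msSFU30Password is assumed to be the "sfupassword" the
# advisory mentions.
$PasswordAttributes = @('userPassword', 'unixUserPassword', 'msSFU30Password')

function Get-UsersWithStoredPasswords {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Build (|(attr1=*)(attr2=*)...) so one query covers every attribute.
    $clauses = ($PasswordAttributes | ForEach-Object { "($_=*)" }) -join ''
    $filter  = "(&(objectCategory=person)(objectClass=user)(|$clauses))"

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties $PasswordAttributes |
        ForEach-Object {
            $user = $_
            foreach ($attr in $PasswordAttributes) {
                foreach ($value in $user.$attr) {
                    if ($null -eq $value) { continue }
                    # Octet String attributes come back as byte[]; decode for inspection.
                    $text = if ($value -is [byte[]]) {
                        [Text.Encoding]::UTF8.GetString($value)
                    } else {
                        [string]$value
                    }
                    [pscustomobject]@{
                        SamAccountName = $user.SamAccountName
                        Attribute      = $attr
                        Length         = $text.Length
                        # Redacted preview: enough to tell a cleartext value from
                        # a {crypt}-style hash without writing the secret to a log.
                        Preview        = if ($text.Length -gt 4) { $text.Substring(0, 4) + '***' } else { '***' }
                        LooksHashed    = $text -match '^\{[A-Za-z0-9-]+\}'
                    }
                }
            }
        }
}

function Clear-StoredPasswords {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$Force
    )
    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam -Properties $PasswordAttributes
        # Clear only attributes that are set; clearing an absent attribute errors.
        $populated = $PasswordAttributes | Where-Object { $user.$_ -and $user.$_.Count -gt 0 }
        if (-not $populated) { continue }
        # Dry run unless -Force: third-party integrations may still depend on
        # these values, so confirm with their owners before removing them.
        Set-ADUser -Identity $user -Clear $populated -WhatIf:(-not $Force)
    }
}

# Usage:
# Get-UsersWithStoredPasswords | Format-Table -AutoSize
# Get-UsersWithStoredPasswords | Select-Object -ExpandProperty SamAccountName -Unique |
#     Clear-StoredPasswords            # add -Force to actually clear
```

Run the audit first and review the LooksHashed column: unixUserPassword in particular often holds a crypt-style hash rather than a cleartext value, which is a weaker finding than a reusable domain password but still worth removing. Rotate any cleartext password that was also valid for the domain account before clearing the attribute, since the value may already have been read.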

References