Dynamic Objects in Active Directory The Stealthy Threat #1927

Open

carlospolop wants to merge 1 commit into master from update_Dynamic_Objects_in_Active_Directory__The_Stealthy__20260220_184711

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.tenable.com/blog/active-directory-dynamic-objects-stealthy-threat
  • Blog Title: Dynamic Objects in Active Directory: The Stealthy Threat
  • Suggested Section: Windows Hardening -> Active Directory Methodology (new page: "AD Dynamic Objects (dynamicObject) for Anti-Forensics / Evasion"; include subsections for MAQ abuse, primaryGroupID stealth membership, AdminSDHolder orphan-SID ACL pollution, dynamic GPO and AD-integrated DNS tricks, and hybrid Entra delta-sync deletion gap as a note)

🎯 Content Summary

Title / context
The post (Tenable Research, published Feb 20, 2026) explains how Active Directory Dynamic Objects (objects created with auxiliary class dynamicObject) can be abused as an anti-forensics primitive. Dynamic objects self-delete when their TTL expires and, crucially, do not create tombstones / recycle-bin artifacts. This makes many investigations fail post-mortem because the originating LDAP object and its metadata disappear, while ...

🔧 Technical Details

Dynamic object anti-forensics (tombstone bypass): Create AD objects with auxiliary class dynamicObject so they have entryTTL (seconds countdown) and msDS-Entry-Time-To-Die (absolute expiry). When TTL reaches 0, AD Garbage Collector deletes the object without recycle-bin/tombstone artifacts, preventing recovery/attribution. TTL min/default is governed by msDS-Other-Settings (DynamicObjectMinTTL/DynamicObjectDefaultTTL), and deletion may be delayed briefly (observed up to ~15 minutes), so detection must be near real time.

MAQ bypass with self-deleting computer objects: Abuse default ms-DS-MachineAccountQuota (10) to create dynamic Computer objects; after expiry the quota slot is freed and the created account disappears. In PowerMad’s New-MachineAccount, add dynamicObject to the objectClass list (replace "objectClass","Computer" wi...

🤖 Agent Actions

Updated Active Directory methodology with a new page detailing dynamicObject anti-forensics: mechanics/TTL controls, MAQ evasion, stealth primaryGroupID abuse, AdminSDHolder orphan-SID pollution, dynamic GPO execution cleanup, ephemeral AD-integrated DNS redirection, and Entra delta-sync gaps. Linked this page into the AD methodology README under a new “Dynamic Objects Anti-Forensics / Evasion” subsection. References include the Tenable research blog.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
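The mechanics above (dynamicObject auxiliary class, entryTTL, msDS-Entry-Time-To-Die, the TTL bounds in msDS-Other-Settings, MAQ-created computer accounts) imply a concrete hunt: find dynamic objects while they still exist, because once the TTL hits zero there is no tombstone or Recycle Bin entry to look at. The script below is an added example written for this review; it is not from the Tenable post, the PR branch, or PowerMad. It assumes the RSAT ActiveDirectory module and read access to the domain and Configuration naming contexts; the function names and the output layout are the example's own choices. The default values it comments on (DynamicObjectMinTTL=900, DynamicObjectDefaultTTL=86400) are the documented AD defaults, not something the PR states.

```powershell
# Added example (not from the Tenable post, the PR, or PowerMad): snapshot live
# dynamicObject entries and the TTL policy that governs them, before they self-delete.
# Assumes: RSAT ActiveDirectory module, read access to the domain and Configuration NCs.
Import-Module ActiveDirectory

function Get-DynamicObjectTtlPolicy {
    # Forest-wide TTL bounds live in msDS-Other-Settings on the Directory Service object
    # in the Configuration NC, as "Name=Value" strings.
    # AD defaults: DynamicObjectMinTTL=900 (15 min), DynamicObjectDefaultTTL=86400 (1 day).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties 'msDS-Other-Settings'
    $settings = @{}
    foreach ($pair in $ds.'msDS-Other-Settings') {
        $name, $value = $pair -split '=', 2
        $settings[$name] = $value
    }
    [pscustomobject]@{
        MinTtlSeconds     = [int]$settings['DynamicObjectMinTTL']
        DefaultTtlSeconds = [int]$settings['DynamicObjectDefaultTTL']
    }
}

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota sits on the domain NC head (default 10).
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function ConvertTo-Sid([object]$Value) {
    # mS-DS-CreatorSID may come back as raw bytes or as an already-typed SID.
    if ($Value -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($Value, 0) }
    return [System.Security.Principal.SecurityIdentifier]$Value
}

function Find-LiveDynamicObjects {
    param([string]$SearchBase = (Get-ADRootDSE).defaultNamingContext)
    # The auxiliary class is reflected in objectClass, so an equality filter matches.
    # entryTTL is computed by the DC from msDS-Entry-Time-To-Die and is only returned
    # when requested explicitly, hence the -Properties list.
    $props = 'entryTTL', 'msDS-Entry-Time-To-Die', 'objectClass', 'whenCreated',
             'mS-DS-CreatorSID', 'primaryGroupID', 'nTSecurityDescriptor'
    Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $obj = $_
            # Attribution clues that vanish with the object:
            #  - mS-DS-CreatorSID is stamped when a non-admin spends MachineAccountQuota
            #  - the security descriptor owner is the creating principal
            $creator = $null
            if ($obj.'mS-DS-CreatorSID') {
                $sid = ConvertTo-Sid $obj.'mS-DS-CreatorSID'
                $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            }
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = ($obj.objectClass -join ',')
                IsComputer        = ($obj.objectClass -contains 'computer')
                WhenCreated       = $obj.whenCreated
                SecondsToLive     = $obj.entryTTL
                TimeToDie         = $obj.'msDS-Entry-Time-To-Die'
                Owner             = $obj.nTSecurityDescriptor.Owner
                CreatorViaMAQ     = $creator
                PrimaryGroupID    = $obj.primaryGroupID
            }
        }
}

# Usage: capture now; after expiry there is nothing left to query.
$policy  = Get-DynamicObjectTtlPolicy
$objects = @(Find-LiveDynamicObjects)
'MinTTL={0}s DefaultTTL={1}s MAQ={2} live dynamic objects={3}' -f `
    $policy.MinTtlSeconds, $policy.DefaultTtlSeconds, (Get-MachineAccountQuota), $objects.Count
$objects | Sort-Object SecondsToLive |
    Format-Table DistinguishedName, IsComputer, SecondsToLive, Owner, CreatorViaMAQ, PrimaryGroupID -AutoSize
$objects | Export-Clixml -Path ".\dynamic-objects-$(Get-Date -Format yyyyMMdd-HHmmss).xml"
```

Run it on a schedule shorter than DynamicObjectMinTTL (900 seconds by default), since that is the smallest lifetime an attacker can request and the post notes the garbage collector may lag by roughly the same amount. A static object cannot be given the dynamicObject class after creation, so every hit was created as dynamic from the start; keep the exported snapshot, because the owner and mS-DS-CreatorSID values are the only attribution you will have once the object is gone.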

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.tenable.com/blog/active-directory-dynamic-objects-stealthy-threat

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (new page: "AD Dynamic Objects (dynamicObject) for Anti-Forensics / Evasion"; include subsections for MAQ abuse, primaryGroupID stealth membership, AdminSDHolder orphan-SID ACL pollution, dynamic GPO and AD-integrated DNS tricks, and hybrid Entra delta-sync deletion gap as a note)".

Repository Maintenance:

  • MD Files Formatting: 949 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
