Leverage AdminSDHolder for persistent backdoor in AD
Each domain in Active Directory contains an AdminSDHolder object, which resides in the System container of the domain partition. The Distinguished Name (DN) of this object is "CN=AdminSDHolder,CN=System,DC=PENLAB,DC=LOCAL". Active Directory Domain Services uses this object, the protected groups, and the SDPROP process to protect privileged users and groups from unintentional modification. The AdminSDHolder object carries a unique Access Control List (ACL) that is used as the template for the permissions of security principals that are members of the built-in privileged Active Directory groups. Each time the process runs on the domain controller holding the PDC Emulator operations master role, it compares the ACL on every security principal (users, groups, and computers) that belongs to a protected group against the ACL of the AdminSDHolder object.
Protected Objects
- Account Operators
- Administrators
- Administrator
- Backup Operators
- Domain Admins
- Domain Controllers
- Enterprise Admins
- Schema Admins
- Krbtgt
- Print Operators
- Read-only Domain Controllers
- Server Operators
- Replicators
Default AdminSDHolder object ACL
- Authenticated Users: Read
- SYSTEM: Full Control
- Administrators: Modify
- Domain Admins: Modify
- Enterprise Admins: Modify
The SDPROP process runs every 60 minutes and, if it finds the ACL of a protected object modified, resets it to match the AdminSDHolder object. The process can also be run manually.
AdminSDHolder object
An attacker can use the AdminSDHolder object to grant themselves the ability to modify the privileged groups in Active Directory by leveraging this key security component. This gives the attacker a persistent way of exploiting Active Directory: even if the system administrator or Active Directory administrator changes the ACL on a protected group or user, SDPROP will reset the security ACL to match the AdminSDHolder object.
2. Add the domain account penlab\pentest1 to the AdminSDHolder object permissions and grant Full Control.
3. Verify that the user pentest1 is a member of the Domain Users group only.
4. Run SDPROP manually or just wait for the next cycle of the process.
5. Open the Domain Admins group properties and see that penlab\pentest1 has been added to the security permissions with Full Control.
6. Log on with the penlab\pentest1 account to a member server or workstation and open the Active Directory snap-in. Since this user has full access to the object, add the pentest1 account to Domain Admins or Enterprise Admins.
7. Now penlab\pentest1 has become a Domain Admin.
8. The penlab\pentest1 user account is now able to manipulate not only the high-privileged groups but also all the privileged user accounts: enable, disable, delete, create, and much more.
Detection and Control
It is therefore important to monitor the ACL configured on the AdminSDHolder object. It is recommended to keep the default ACL unless there is an absolute requirement to add a group or user. Also monitor the users and groups whose adminCount attribute is set to 1 to identify the accounts whose ACLs are set by SDPROP; accounts that were removed from a protected group keep adminCount=1 and their inheritance disabled until cleaned up manually, so stale entries in that list deserve review as well.
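A defender-side check for the recommendations above, added here as an example and not part of the original post: it assumes the RSAT ActiveDirectory module and a read-only domain account, compares the trustees on the AdminSDHolder ACL against the default list given earlier, and enumerates every principal stamped with adminCount=1.

```powershell
# Added example (not from the original post): audit the AdminSDHolder ACL
# and list adminCount=1 principals. Assumes the RSAT ActiveDirectory module
# (which provides the AD: PSDrive) and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Trustees from the "Default AdminSDHolder object ACL" list above.
# Enterprise Admins is a forest-root group, so in a child domain its
# NetBIOS prefix differs; other built-in trustees (SELF, Everyone for
# change-password, Windows Authorization Access Group, ...) are also present
# by default in many forests. Compare against a known-good baseline export
# of your own forest rather than treating every extra entry as malicious.
$expected = @(
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

$acl = Get-Acl -Path "AD:\$holderDn"
$unexpected = $acl.Access | Where-Object {
    $_.IdentityReference.Value -notin $expected
}

if ($unexpected) {
    Write-Warning "ACEs outside the expected trustee list on $holderDn :"
    $unexpected |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      AccessControlType, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Host "AdminSDHolder ACL matches the expected trustee list."
}

# Principals SDPROP has stamped (adminCount=1). Stale entries for accounts
# that were removed from protected groups also show up here.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
    Select-Object Name, ObjectClass, DistinguishedName, whenChanged |
    Sort-Object ObjectClass, Name |
    Format-Table -AutoSize
```

Run it on a schedule and alert on any change in the first table's output, since the ACL on AdminSDHolder is rarely modified legitimately.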