Complete list of Sneaky Active Directory Persistence Tricks posts\u00a0<\/a><\/p>\n AdminSDHolder Overview<\/strong><\/span><\/p>\n AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that don\u2019t match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder.<\/p>\n Objects protected by AdminSDHolder have the attribute \u201cAdminCount\u201d set to 1 and security inheritance is disabled.<\/p>\n Note that when an object is removed from one of the protected groups, AdminCount is not set to another value. This is due to early feedback when Windows 2000 was released.<\/p>\n Note that this article by Jim Sykora<\/a> clarifies the interaction of AdminSDHolder and SDProp, including misconceptions.<\/p>\n <\/p>\n The AdminSDHolder object permissions are used as an ACL template for domain privileged groups.<\/p>\n Relevant AdminSDHolder default ACLs:<\/p>\n <\/p>\n SDProp Protected Objects (Windows Server 2008 & Windows Server 2008 R2):<\/p>\n A subset of these groups can be excluded from control, including Account Operators, Server Operators, Print Operators, Backup Operators.<\/p>\n <\/p>\n Around 60 minutes later, the PDC Emulator runs and the account now has full control on the Domain Admins group.<\/p>\n Or, run SDPRop manually.<\/p>\n In Windows Server 2008 R2, Microsoft introduced a new rootDSE LDAP modify operation, called RunProtectAdminGroupsTask, to start the AdminSDHolder process.<\/p>\n The new Windows 2008 R2 RunProtectAdminGroupsTask-based mechanism provides a more efficient mechanism to enforce AdminSDHolder application. Under the hood, the older FixUpInheritance-based mechanism doesn’t really kick off the AdminSDHolder process\u2014it starts the Security Descriptor Propagator Update (SDProp) process. SDProp has the same effect on the ACLs of critical security groups and accounts but takes much longer to complete. SDProp is the background AD process that propagates changes of inheritable ACEs on parent objects to their child objects. It’s automatically triggered when an object\u2019s ACL is modified or when an object is moved. SDProp affects all AD child objects\u2019 ACLs and not only the ACLs of critical AD security groups and accounts and will thus consume much more DC processing time. <\/p>\n FixUpInheritance (prior to Windows 2008 R2):<\/p>\n Windows 2008 R2 RunProtectAdminGroupsTask-based mechanism:<\/p>\n <\/p>\n Add the account or group to the AdminSDHolder object permissions granting either Full Control or Modify rights. After running SDProp, Bobafett is automatically added to the Domain Admins group (along with the others listed above). Now this account can modify the Domain Admins group membership.<\/p>\n Note that the user account Bobafett has no group membership.<\/p>\n Despite not being a member of any groups, this account can now modify the group membership of Domain Admins.<\/p>\n AdminSDHolder is a sneaky method for an attacker to persist granting the ability to modify the most privileged groups in Active Directory by leveraging a key security component. Even if the permissions are changed on a protected group or user, SDProp will change the securtiy permissions to match that of the AdminSDHolder object.<\/p>\n <\/p>\n Monitor the ACLs configured on the AdminSDHolder object. These should be kept at the default – it is not usually necessary to add other groups to the AdminSDHolder ACL.<\/p>\n Monitor users and groups with AdminCount = 1 to identify accounts with ACLs set by SDProp. Import-Module ActiveDirectory <\/p>\n References:<\/strong><\/span><\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method at DerbyCon (2015). Complete list of Sneaky Active Directory Persistence Tricks posts\u00a0 AdminSDHolder Overview AdminSDHolder is an object located in … <\/p>\n![\"SneakyADPersistence-AdminSDProp-AdminSDHolder-ADObject\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-AdminSDHolder-ADObject.jpg\")
<\/a><\/p>\nDefault AdminSDHolder Security ACLs<\/strong><\/span><\/h4>\n
\n
![\"SneakyADPersistence-AdminSDProp-AdminSDHolder-ADObject-DefaultACLs\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-AdminSDHolder-ADObject-DefaultACLs.jpg\")
<\/a><\/p>\nAdminSDHolder Default Protected Objects
\n<\/strong><\/span><\/h4>\n\n
\nSDProp Reference on WindowsITPro.com<\/a><\/p><\/blockquote>\nManual triggering of the SDProp process<\/span><\/strong><\/h4>\n
![\"Get-AdminSDProp-ManuallyRun-FixUpInheritance\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/Get-AdminSDProp-ManuallyRun-FixUpInheritance.jpg\")
<\/a><\/p>\n![\"SneakyADPersistence-AdminSDProp-ManuallyRun-WindowsServer2008R2Method-RunProtectAdminGroupsTask\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-ManuallyRun-WindowsServer2008R2Method-RunProtectAdminGroupsTask.jpg\")
<\/a><\/p>\nExploiting AdminSDHolder & SDProp<\/strong><\/span><\/h4>\n
\nThe user “Bobafett” is added in this example.<\/p>\n![\"SneakyADPersistence-AdminSDProp-SecuritySettings-Bobafett-FullControl\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-SecuritySettings-Bobafett-FullControl.jpg\")
<\/a><\/p>\n![\"SneakyADPersistence-AdminSDProp-DomainAdmins-SecuritySettings-Bobafett-FullControl\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-DomainAdmins-SecuritySettings-Bobafett-FullControl.jpg\")
<\/a><\/p>\n![\"SneakyADPersistence-AdminSDProp-BobaFett-UserRights-GetADUser-02\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-BobaFett-UserRights-GetADUser-02.jpg\")
<\/a><\/p>\n![\"SneakyADPersistence-AdminSDProp-BobaFett-Add-JoeUser-DomainAdminsGroup-01\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-BobaFett-Add-JoeUser-DomainAdminsGroup-01.jpg\")
<\/a><\/p>\n![\"SneakyADPersistence-AdminSDProp-BobaFett-Add-JoeUser-DomainAdminsGroup-02\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyADPersistence-AdminSDProp-BobaFett-Add-JoeUser-DomainAdminsGroup-02.jpg\")
<\/a><\/p>\nConclusion:<\/strong><\/span><\/h4>\n
Detection:<\/strong><\/span><\/h4>\n
\nFind all users with security ACLs set by SDProp using the PowerShell AD cmdlets:<\/p>\n
\nGet-ADObject -LDAPFilter “(&(admincount=1)(|(objectcategory=person)(objectcategory=group)))” -Properties MemberOf,Created,Modified,AdminCount<\/p><\/blockquote>\n\n