Domain Persistence AdminSDHolder
In this post, we will discuss a persistence attack on Active Directory that abuses AdminSDHolder. This attack is a real threat because it builds on other attacks, such as the DCSync attack and the Golden Ticket attack, that already gave the attacker domain-level control.
AdminSDHolder
Active Directory Domain Services uses AdminSDHolder, protected groups, and the Security Descriptor propagator (SD propagator, or SDPROP for short) to protect privileged users and groups from unintentional modification. Unlike most objects in the Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group.
The AdminSDHolder object has a unique Access Control List (ACL). It is used as a template for the permissions of security principals that are members of built-in privileged Active Directory groups. Every hour, a background process on the domain controller compares the ACL of each protected object against the ACL on AdminSDHolder and overwrites any manual modifications so that the two match.
AdminSDHolder Persistence Attack
On a compromised domain controller with administrator privileges, the attacker is capable of creating a permanent backdoor for future attacks by abusing AdminSDHolder. With the help of this attack, we will be able to alter AdminSDHolder by adding a new user to its Access Control List.
Here we will add the user Yashika to the ACL of the AdminSDHolder object in order to change that user's privileges. Currently, user yashika is an ordinary domain user, as shown below.

Follow the steps below to learn how an attacker can conduct an AdminSDHolder attack.
- Navigate to Active Directory Users and Computers
- Explore Menu > View > Advanced Features

- Explore System > AdminSDHolder > Properties

Add the user to whom you want to give Full Permission. Here I have chosen user: “Yashika”

Give Full Permission by enabling the Allow checkbox for every permission.
As we mentioned, the background process typically runs every sixty (60) minutes by default. However, you can change the default frequency for the Security Descriptor Propagator process. You can do this by creating a REG_DWORD registry entry and then setting the new frequency value.
Additionally, if you have compromised a Domain Controller (DC), you can reset the Security Descriptor Propagator process to run every 3 minutes by executing the following command in the command prompt. Note that 300 is the decimal value and 12C is its hexadecimal equivalent.
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D 300

To confirm that the above command took effect, inspect the following registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

After three minutes, we checked the account of user “yashika” with the net user command and noticed that Yashika had become a member of the Domain Admins group.
net user yashika /Domain
Even if the administrator removes Yashika from the Domain Admins group, the Security Descriptor Propagator process will add Yashika back into the Domain Admins group within 3 minutes.
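For the defender, the three things worth watching after reading the above are the AdminSDHolder ACL itself, the AdminSDProtectFrequency registry value, and accounts that carry adminCount=1. The following PowerShell audit is an added example and is not code from the original post; it assumes the ActiveDirectory RSAT module is installed, that it runs on a domain controller (the registry check reads the local machine), and that the list of expected identities is replaced with a baseline exported from a known-good DC in your own environment.

```powershell
<#
  Added defender-side audit (not part of the original post).
  Assumptions: ActiveDirectory module available; run locally on a DC with
  read access to the domain; $ExpectedIdentities replaced by your own baseline.
#>
Import-Module ActiveDirectory

function Get-AdminSDHolderFindings {
    param(
        # Identities normally present on the AdminSDHolder ACL.
        # Assumption: this list is a starting point, not an authoritative default;
        # export the ACL from a trusted DC and use that as the baseline.
        [string[]]$ExpectedIdentities = @(
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\SELF',
            'NT AUTHORITY\Authenticated Users',
            'Everyone',
            'BUILTIN\Administrators',
            'BUILTIN\Pre-Windows 2000 Compatible Access',
            'BUILTIN\Windows Authorization Access Group',
            'BUILTIN\Terminal Server License Servers'
        )
    )

    $domain  = Get-ADDomain
    $netbios = $domain.NetBIOSName
    $ExpectedIdentities += "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\Cert Publishers"

    $findings = @()

    # 1. Any ACE on AdminSDHolder whose identity is outside the expected set.
    #    A stray FullControl ACE for an ordinary user is exactly what the post describes.
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$holderDn"
    foreach ($ace in $acl.Access) {
        if ($ExpectedIdentities -notcontains $ace.IdentityReference.Value) {
            $findings += [pscustomobject]@{
                Check   = 'AdminSDHolder ACE'
                Subject = $ace.IdentityReference.Value
                Detail  = "$($ace.AccessControlType): $($ace.ActiveDirectoryRights)"
            }
        }
    }

    # 2. Has the SDProp interval been changed from the default?
    #    The value is absent by default; any explicit value is worth explaining.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $freq = (Get-ItemProperty -Path $ntds -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
    if ($null -ne $freq) {
        $findings += [pscustomobject]@{
            Check   = 'AdminSDProtectFrequency'
            Subject = $ntds
            Detail  = "Explicit value of $freq seconds (default when absent is 3600)"
        }
    }

    # 3. Accounts stamped adminCount=1 that are not direct members of any
    #    protected group (groups that themselves carry adminCount=1).
    #    SDProp never clears adminCount, so these orphaned accounts keep the
    #    AdminSDHolder permissions. Only direct membership is checked here.
    $protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName
    foreach ($user in Get-ADUser -LDAPFilter '(adminCount=1)' -Properties memberOf) {
        $inProtected = @($user.memberOf | Where-Object { $protectedGroups -contains $_ })
        if ($inProtected.Count -eq 0) {
            $findings += [pscustomobject]@{
                Check   = 'Orphaned adminCount'
                Subject = $user.SamAccountName
                Detail  = 'adminCount=1 but not a direct member of any protected group'
            }
        }
    }

    return $findings
}

Get-AdminSDHolderFindings | Format-Table -AutoSize
```

Run this on a schedule and alert on any new row. Modifications to the AdminSDHolder object's security descriptor are also logged as Event ID 5136 (directory service object modified) when "Audit Directory Service Changes" is enabled on the domain controllers, which gives a real-time signal to pair with this periodic audit.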