AdminSDHolder abuse: when your cleanup is reverted every hour
A rogue ACE on AdminSDHolder is re-stamped onto every privileged object hourly by SDProp. Clean the group and it returns. You fix the template, not the symptoms.
AdminSDHolder is a single object whose access control list Active Directory copies onto every protected, privileged object roughly every hour. An attacker who writes a rogue entry there turns the directory’s own mechanism into durable persistence.
How the attack works
The attacker adds a full-control entry for a low-privileged account they control onto the AdminSDHolder object in the System container. The Security Descriptor Propagator (SDProp), which runs on the PDC emulator about hourly, copies that access control list onto every protected object, so the controlled account now has full control over Domain Admins and the other privileged groups. A defender removes the rogue entry from Domain Admins, believes the problem fixed, and watches the next propagation cycle re-stamp it within the hour. The controlled account adds itself to Domain Admins at will, then removes itself, leaving the persistent grant in place. In ATT&CK terms this is T1098, Account Manipulation, combined with T1078.002, valid domain accounts.
Why it works
Protected objects have inheritance disabled and take their access control list from one source object. So the same rogue entry appears at the same time across many privileged objects and returns after deletion, because the source is still malicious.
How to fix it
Fix the entry on the AdminSDHolder object itself; the next propagation cycle then re-stamps a clean access control list everywhere and the reversion loop ends. Do not disable the propagator, which is a protective control, and do not chase the downstream groups, a race that is lost every cycle. A password reset does not remove a control-granting entry. Then remove the excessive write rights that let a non-Tier-0 principal modify AdminSDHolder, treat the controlling account as compromised, and baseline and alert on the AdminSDHolder access control list.
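One way to do the baseline-and-alert step, as an added example rather than code from the original post or from GraphLattice. It assumes the ActiveDirectory (RSAT) PowerShell module, read access to the object, and a placeholder baseline path; the function names Get-AdminSDHolderAce, Get-AceKey and Test-ControlRight are this example's own.

```powershell
# Added example: snapshot the AdminSDHolder ACL once, then diff later runs against it.
Import-Module ActiveDirectory
$BaselinePath = 'C:\Baselines\AdminSDHolder-acl.json'   # placeholder location, adjust as needed

function Get-AdminSDHolderAce {
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
    foreach ($ace in $acl.Access) {
        # Flatten each ACE to plain strings so snapshots round-trip through JSON
        [PSCustomObject]@{
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights.ToString()
            Type       = $ace.AccessControlType.ToString()
            ObjectType = $ace.ObjectType.ToString()
        }
    }
}

function Get-AceKey { param($Ace) "$($Ace.Identity)|$($Ace.Rights)|$($Ace.Type)|$($Ace.ObjectType)" }

function Test-ControlRight {
    param([string]$Rights)
    # Rights that let a trustee take over the template, and so every object it is stamped onto
    return ($Rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty')
}

$current = @(Get-AdminSDHolderAce)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the ACL only after you have verified it is clean
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

$baseline     = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$baselineKeys = $baseline | ForEach-Object { Get-AceKey $_ }
$currentKeys  = $current  | ForEach-Object { Get-AceKey $_ }

$added   = $current  | Where-Object { (Get-AceKey $_) -notin $baselineKeys }
$removed = $baseline | Where-Object { (Get-AceKey $_) -notin $currentKeys }

foreach ($ace in $added) {
    # A new control-granting Allow entry is the signature behind cleanup that keeps reverting
    $label = if (Test-ControlRight $ace.Rights) { 'CONTROL-GRANTING' } else { 'new' }
    Write-Warning "$label ACE not in baseline: $($ace.Identity) $($ace.Type) $($ace.Rights)"
}
foreach ($ace in $removed) { Write-Warning "ACE missing vs baseline: $($ace.Identity) $($ace.Rights)" }
if (-not $added -and -not $removed) { Write-Output 'AdminSDHolder ACL matches baseline.' }
```

Because the ACL of AdminSDHolder also governs who may modify AdminSDHolder itself, the same diff surfaces the excessive write rights that the containment step removes.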
Practice it
We built this as a GraphLattice Range scenario so administrators can rehearse the reappearing-entry detection and the fix-the-template containment.