Directory Insights in 10 Minutes
🎙️ In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down the misunderstood AdminSDHolder object and the SDProp process in Active Directory: why they exist, how they protect privileged groups, and how attackers exploit misconfigurations to maintain persistence.

🔍 What You'll Learn:
• What AdminSDHolder and SDProp actually do
• Why they matter for Tier 0 group protection
• How attackers abuse them for persistent elevated access
• Which ACLs and inherited permissions to look for
• PowerShell methods to quickly audit for dangerous ACEs

🛠️ PowerShell Script – AdminSDHolder ACL Audit

    # Requires the RSAT ActiveDirectory module
    Import-Module ActiveDirectory

    # Build the DN of AdminSDHolder in the current domain
    $domainNC = (Get-ADDomain).DistinguishedName
    $adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"

    # Get AdminSDHolder ACL and filter for dangerous ACEs
    $acl = (Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor).nTSecurityDescriptor

    # Allow ACEs granting full control, generic write, or the right to change the DACL/owner.
    # SYSTEM, Administrators, Domain Admins and Enterprise Admins hold these by default;
    # any other principal in the output is unexpected and should be investigated.
    $dangerousACEs = $acl.Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner"
    }

    $dangerousACEs | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited

✅ Run this to find potentially exploitable permissions in protected AD groups.

📌 Brought to you by Guardians of the Directory
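The following is an added audit script, not the episode's own code, that extends the AdminSDHolder check to every object SDProp currently protects (adminCount=1) and filters out the principals expected to hold write-class rights. The baseline principal list is an assumption for a single-domain forest and must be adjusted for child domains, where Enterprise Admins is a forest-root group.

```powershell
# Added example (not from the episode): flag write-class ACEs on AdminSDHolder and on
# every SDProp-protected object that are held by principals outside a known baseline.
Import-Module ActiveDirectory

$domain          = Get-ADDomain
$domainNC        = $domain.DistinguishedName
$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"

# Assumed baseline: principals that legitimately hold these rights on AdminSDHolder.
# In a child domain, Enterprise Admins is prefixed with the forest-root NetBIOS name.
$expectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

function Get-UnexpectedWriteAces {
    param([string]$DistinguishedName)
    $sd = (Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match $writeRights -and
        $expectedPrincipals -notcontains $_.IdentityReference.Value
    } | Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      IdentityReference, ActiveDirectoryRights, IsInherited
}

# 1. The template itself: an ACE written here is stamped onto every protected object.
$findings = @(Get-UnexpectedWriteAces -DistinguishedName $adminSDHolderDN)

# 2. Every object SDProp currently protects. A rogue ACE may live only on the group
#    until the next SDProp run (every 60 minutes by default on the PDC emulator),
#    and an ACE on the group but not on AdminSDHolder means it was set directly.
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount
foreach ($obj in $protected) {
    $findings += Get-UnexpectedWriteAces -DistinguishedName $obj.DistinguishedName
}

$findings | Sort-Object Object, IdentityReference | Format-Table -AutoSize
```

Empty output means only the baseline principals hold write-class rights on AdminSDHolder and the protected objects; any row is a candidate for review, and IsInherited shows whether the ACE came from a parent container or was set on the object itself.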