Technique entry
AD-ADMINSDHOLDER (Persistence)
AdminSDHolder Abuse
Modify AdminSDHolder ACL; SDPROP propagates the rogue ACE to all protected accounts hourly.
§ Where this technique fits
AD-ADMINSDHOLDER is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 4.7 on average.
§ Dossiers chaining this technique
- step 4 / 7
Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder
Once Domain Admin is achieved, plant layered persistence so a krbtgt rotation, password resets, and ACL clean-up do not all evict the attacker.
- step 5 / 6
ProxyLogon → webshell on Exchange → DA
Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.
- step 5 / 6
ProxyShell → SYSTEM on Exchange → DA
Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.