{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/adminsdholder/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Active Directory"],
      "_cs_severities": ["high"],
      "_cs_tags": ["active-directory", "persistence", "adminsdholder", "sdprop"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft"],
      "content_html": "\u003cp\u003eThe SDProp (Security Descriptor Propagator) process in Active Directory is crucial for maintaining the security of privileged accounts and groups. It compares permissions on protected objects with those defined on the AdminSDHolder object, resetting any discrepancies. Attackers can exploit the dsHeuristics attribute to exclude specific groups from this process, allowing them to manipulate the permissions of these groups without the changes being reverted by SDProp. This can lead to long-term persistence, even if the AdminSDHolder object is properly configured. The modification is identified via Windows Event ID 5136, specifically targeting changes to the dsHeuristics attribute. This attack matters because it allows attackers to maintain unauthorized access to sensitive resources within the Active Directory environment, potentially leading to further compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a privileged account capable of modifying Active Directory attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the AdminSDHolder object and the groups currently protected by SDProp.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the dsHeuristics attribute using tools like ADSI Edit or PowerShell to exclude specific privileged groups (e.g., Domain Admins) from SDProp. This involves manipulating the binary representation of the attribute value.\u003c/li\u003e\n\u003cli\u003eThe attacker makes unauthorized changes to the permissions, group memberships, or other security settings of the excluded groups.\u003c/li\u003e\n\u003cli\u003eSDProp no longer resets the permissions of the excluded groups to match the AdminSDHolder object, effectively preserving the attacker\u0026rsquo;s modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their persistent access to the compromised privileged accounts and groups to perform lateral movement, escalate privileges, and access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may create new accounts and add them to the excluded groups, granting them persistent access to the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or complete domain compromise, using the persistently compromised accounts and groups.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to privileged accounts, even after security configurations are supposedly reset by SDProp. This persistence can lead to widespread damage, including complete domain compromise, data exfiltration, and ransomware deployment. The scope of the impact depends on the level of access granted to the compromised accounts. If Domain Admins are compromised, the entire Active Directory forest can be considered at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; and monitor Windows Security Event Logs for Event ID 5136 with \u003ccode\u003eAttributeLDAPDisplayName : \u0026quot;dSHeuristics\u0026quot;\u003c/code\u003e to detect modifications to the dsHeuristics attribute.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AdminSDHolder SDProp Exclusion Added\u0026rdquo; to your SIEM to detect suspicious modifications to the dsHeuristics attribute. Tune the rule based on your environment and known directory configuration workflows.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected modifications to the dsHeuristics attribute, focusing on the \u003ccode\u003ewinlog.event_data.OperationType\u003c/code\u003e and \u003ccode\u003ewinlog.event_data.AttributeValue\u003c/code\u003e fields to determine the nature of the change and the groups affected.\u003c/li\u003e\n\u003cli\u003eCorrelate Event ID 5136 with Event ID 4624 (An account was successfully logged on) using \u003ccode\u003ewinlog.event_data.SubjectLogonId\u003c/code\u003e to identify the source of the directory change.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configuration of the AdminSDHolder object and the dsHeuristics attribute to ensure that privileged groups are properly protected by SDProp.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-12T18:40:15Z",
      "date_published": "2026-05-12T18:40:15Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-sdprop-exclusion/",
      "summary": "Modification of the dsHeuristics attribute to exclude groups from SDProp in Active Directory can allow attackers to maintain persistent access to privileged accounts.",
      "title": "AdminSDHolder SDProp Exclusion Added",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-sdprop-exclusion/"
    },
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Active Directory"],
      "_cs_severities": ["high"],
      "_cs_tags": ["persistence", "active directory", "adminsdholder"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft"],
      "content_html": "\u003cp\u003eThe AdminSDHolder object in Active Directory defines the default security permissions for highly privileged accounts and groups. The Security Descriptor Propagator (SDProp) process periodically compares the permissions of these protected objects with those defined on the AdminSDHolder object. If discrepancies are found, SDProp resets the permissions on the protected accounts and groups to match those of the AdminSDHolder, ensuring consistent security. Attackers can exploit this mechanism to establish a persistent backdoor by modifying the AdminSDHolder object with malicious permissions. Any changes to AdminSDHolder will be propagated to all protected accounts and groups, granting the attacker persistent administrative control over the domain. This technique allows attackers to regain administrative privileges even after password resets or other security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a privileged account with sufficient permissions to modify the AdminSDHolder object (e.g., Domain Admins).\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like ADSI Edit, PowerShell, or other Active Directory management tools to modify the AdminSDHolder object.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the nTSecurityDescriptor attribute on the AdminSDHolder object to include malicious ACEs (Access Control Entries) that grant unauthorized access to the attacker\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eSDProp automatically runs, typically every 60 minutes, comparing the permissions on protected accounts and groups with those defined on AdminSDHolder.\u003c/li\u003e\n\u003cli\u003eSDProp identifies discrepancies between the permissions on protected objects and the modified AdminSDHolder object.\u003c/li\u003e\n\u003cli\u003eSDProp resets the permissions on all protected accounts and groups to match those defined on the modified AdminSDHolder object.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s account is now granted persistent, unauthorized administrative privileges on all protected accounts and groups in the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained privileges to perform malicious activities such as data exfiltration, lateral movement, or establishing further persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent backdoor in the Active Directory environment. This grants them unauthorized administrative privileges over all protected accounts and groups, including Domain Admins, Enterprise Admins, and Schema Admins. The impact includes potential data breaches, complete domain compromise, and long-term persistence within the network. The attacker can maintain control even after password resets or other security measures are implemented.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; to generate Windows Security Event ID 5136, which is necessary for detecting modifications to the AdminSDHolder object as indicated in the rule overview.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized modifications to the AdminSDHolder object via event code 5136. Tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eRegularly review and baseline the nTSecurityDescriptor attribute of the AdminSDHolder object. Any unexpected changes should be investigated immediately.\u003c/li\u003e\n\u003cli\u003eMonitor for Event ID 5136 events that correlate with changes to protected accounts and groups immediately after an AdminSDHolder modification.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-12T18:38:35Z",
      "date_published": "2026-05-12T18:38:35Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-backdoor/",
      "summary": "Detects modifications to the AdminSDHolder object in Active Directory, which attackers can abuse via the SDProp process to implement a persistent backdoor by manipulating permissions on protected accounts and groups to regain administrative privileges.",
      "title": "AdminSDHolder Backdoor via Active Directory Modification",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-backdoor/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Adminsdholder",
  "version": "https://jsonfeed.org/version/1.1"
}