<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Adminsdholder — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/adminsdholder/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 12 May 2026 18:40:15 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/adminsdholder/feed.xml" rel="self" type="application/rss+xml"/><item><title>AdminSDHolder SDProp Exclusion Added</title><link>https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-sdprop-exclusion/</link><pubDate>Tue, 12 May 2026 18:40:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-sdprop-exclusion/</guid><description>Modification of the forest-wide dSHeuristics attribute to exclude the operator groups from SDProp in Active Directory can allow attackers to maintain persistent access to privileged accounts.</description><content:encoded><![CDATA[<p>The Security Descriptor Propagator (SDProp) runs on the PDC emulator, every 60 minutes by default, and keeps the security descriptors of protected accounts and groups (marked with adminCount=1) identical to the descriptor on CN=AdminSDHolder,CN=System,DC=&lt;domain&gt;; any discrepancy is overwritten with the AdminSDHolder permissions. The 16th character of the forest-wide dSHeuristics attribute (dwAdminSDExMask, stored on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=&lt;forest root&gt;) is a hex bitmask that removes Account Operators (0x1), Server Operators (0x2), Print Operators (0x4) and Backup Operators (0x8) from this protection. An attacker who sets it can then grant themselves rights over those groups and their members, and SDProp will never revert the change, even when the AdminSDHolder object itself is correctly configured. The modification is visible as Windows Event ID 5136 with AttributeLDAPDisplayName dSHeuristics. 
This attack matters because it gives an attacker a durable foothold in groups that are domain-controller-equivalent in practice, in every domain of the forest at once, and from there a path to further compromise and data theft.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker obtains an account with write access to the Directory Service object in the Configuration naming context (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=&lt;forest root&gt;), typically a member of Enterprise Admins, since dSHeuristics is forest-wide.</li>
<li>The attacker enumerates the protected objects (adminCount=1) and reads the current dSHeuristics value, if any, to see whether an AdminSDExMask is already set.</li>
<li>The attacker writes a new dSHeuristics value with ADSI Edit, ldp.exe or Set-ADObject. The change is to the 16th character, a hex digit whose bits 0x1, 0x2, 0x4 and 0x8 exclude Account Operators, Server Operators, Print Operators and Backup Operators respectively; a value of f excludes all four. The string must keep the check digits 1, 2 and 3 at positions 10, 20 and 30, so the attacker pads with zeros, for example 000000000100000f. Domain Admins, Enterprise Admins and the other protected groups cannot be excluded this way; only these four operator groups can.</li>
<li>The attacker makes unauthorized changes to the permissions, group memberships, or other security settings of the excluded groups.</li>
<li>SDProp no longer resets the permissions of the excluded groups to match the AdminSDHolder object, effectively preserving the attacker&rsquo;s modifications.</li>
<li>The attacker leverages their persistent access to the compromised privileged accounts and groups to perform lateral movement, escalate privileges, and access sensitive data.</li>
<li>The attacker may create new accounts and add them to the excluded groups, granting them persistent access to the domain.</li>
<li>The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or complete domain compromise, using the persistently compromised accounts and groups.</li>
</ol>
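<p>To make the 16th-character check concrete, the following Python is an added example (not code from this brief or from CraftedSignal) that decodes dwAdminSDExMask from a dSHeuristics value, builds the padded string an operator or attacker writes to set it, and triages the value-deleted/value-added pair of strings that one 5136 modification produces. The sample values are constructed. The attribute is normally absent, so a first write yields only a value-added event; the triage function handles that by taking an empty old value.</p>

```python
"""Decode the AdminSDExMask character of the forest-wide dSHeuristics attribute.

Added example, not code from the brief. Positions are 1-based as in the Microsoft
documentation: the 16th character (dwAdminSDExMask) is a hex digit whose bits
remove the four operator groups from AdminSDHolder protection, and every tenth
character is a fixed check digit ('1' at 10, '2' at 20, '3' at 30).
"""
from __future__ import annotations

ADMINSDEX_POS = 16
ADMINSDEX_BITS = {
    0x1: "Account Operators",
    0x2: "Server Operators",
    0x4: "Print Operators",
    0x8: "Backup Operators",
}
CHECK_DIGITS = {10: "1", 20: "2", 30: "3"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_format(value: str) -> list[str]:
    """Return the format problems in a dSHeuristics string (empty list = well formed)."""
    problems = []
    for pos, digit in CHECK_DIGITS.items():
        if len(value) >= pos and value[pos - 1] != digit:
            problems.append(f"position {pos} is {value[pos - 1]!r}, expected {digit!r}")
    if len(value) >= ADMINSDEX_POS and value[ADMINSDEX_POS - 1] not in HEX_DIGITS:
        problems.append(f"position {ADMINSDEX_POS} is not a hex digit")
    return problems


def excluded_groups(value: str) -> set[str]:
    """Operator groups that this dSHeuristics value removes from SDProp protection."""
    if len(value) < ADMINSDEX_POS or value[ADMINSDEX_POS - 1] not in HEX_DIGITS:
        return set()  # too short, or malformed: no exclusion is in effect
    mask = int(value[ADMINSDEX_POS - 1], 16)
    return {name for bit, name in ADMINSDEX_BITS.items() if mask & bit}


def with_adminsdex(value: str, mask: int) -> str:
    """Build the value written to set dwAdminSDExMask, padding with zeros and check digits.

    This is the string the value-added 5136 event's AttributeValue carries afterwards.
    """
    chars = list(value.ljust(ADMINSDEX_POS, "0"))
    for pos, digit in CHECK_DIGITS.items():
        if len(chars) >= pos:
            chars[pos - 1] = digit
    chars[ADMINSDEX_POS - 1] = format(mask & 0xF, "x")
    return "".join(chars)


def triage_change(old_value: str, new_value: str) -> dict:
    """Compare the value-deleted (old) and value-added (new) strings of one 5136 change.

    A first-time write has no value-deleted event; pass "" as old_value in that case.
    """
    before, after = excluded_groups(old_value), excluded_groups(new_value)
    return {
        "newly_excluded": sorted(after - before),
        "re_protected": sorted(before - after),
        "format_problems": check_format(new_value),
    }


# Constructed sample: a forest where dSHeuristics was previously unset and an
# attacker writes the value that excludes all four operator groups.
OLD_VALUE = ""
NEW_VALUE = with_adminsdex(OLD_VALUE, 0xF)  # "000000000100000f"

if __name__ == "__main__":
    print(NEW_VALUE)
    print(triage_change(OLD_VALUE, NEW_VALUE))
```

<p>Feeding the AttributeValue of the value-deleted and value-added events into triage_change gives the list of groups that just lost protection, which is what the alert should name; the format check catches hand-built strings that drop a check digit, which is a sign of tooling rather than an administrator following the documented procedure.</p>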
<h2 id="impact">Impact</h2>
<p>Once the exclusion is in place, SDProp stops resetting the security descriptors of the excluded operator groups and their members, so ACEs the attacker adds to them survive every propagation cycle and the usual assumption that SDProp will clean up stray permissions no longer holds. The four groups that can be excluded are Tier-0 equivalent in practice: Backup Operators can back up and restore the directory database on a domain controller, Server Operators can log on to domain controllers and control their services, and Account Operators can create accounts and administer most non-admin groups, so persistent rights over them amount to persistent control of the domain. Because dSHeuristics is forest-wide, the exclusion takes effect in every domain of the forest at once.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &ldquo;Audit Directory Service Changes&rdquo; (success) on all domain controllers and confirm that the SACL of the Directory Service object in the Configuration partition audits Write All Properties; Event ID 5136 is emitted only when both the policy and an auditing entry on the object cover the write. Then alert on 5136 with <code>AttributeLDAPDisplayName : &quot;dSHeuristics&quot;</code>.</li>
<li>Deploy the Sigma rule &ldquo;AdminSDHolder SDProp Exclusion Added&rdquo; to your SIEM. Other characters of dSHeuristics are changed for legitimate reasons (for example the 7th character, which controls anonymous LDAP operations), so tune the rule to fire on a 16th character other than 0 rather than on any write to the attribute.</li>
<li>A change produces two 5136 events sharing <code>winlog.event_data.OpCorrelationID</code>: one with <code>winlog.event_data.OperationType</code> <code>%%14675</code> (value deleted) carrying the old string and one with <code>%%14674</code> (value added) carrying the new string in <code>winlog.event_data.AttributeValue</code>. A first-time write has only the value-added event. Decode the 16th character of the new value to name the operator groups that were excluded.</li>
<li>Correlate the <code>winlog.event_data.SubjectLogonId</code> of the 5136 event with the <code>TargetLogonId</code> of Event ID 4624 on the same domain controller to recover the source address, logon type and authentication package of the session that made the change.</li>
<li>Periodically read dSHeuristics from the Configuration partition and verify that it is absent or that its 16th character is 0, and review the AdminSDHolder ACL alongside it. When an exclusion is removed, SDProp re-protects the operator groups and their members on its next run (every 60 minutes by default on the PDC emulator) and resets their DACLs, but memberships the attacker added and accounts they created are not reverted and must be reviewed by hand.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>active-directory</category><category>persistence</category><category>adminsdholder</category><category>sdprop</category></item><item><title>AdminSDHolder Backdoor via Active Directory Modification</title><link>https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-backdoor/</link><pubDate>Tue, 12 May 2026 18:38:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-backdoor/</guid><description>Detects modifications to the AdminSDHolder object in Active Directory, which attackers can abuse via the SDProp process to implement a persistent backdoor by manipulating permissions on protected accounts and groups to regain administrative privileges.</description><content:encoded><![CDATA[<p>The AdminSDHolder object in Active Directory defines the default security permissions for highly privileged accounts and groups. The Security Descriptor Propagator (SDProp) process periodically compares the permissions of these protected objects with those defined on the AdminSDHolder object. If discrepancies are found, SDProp resets the permissions on the protected accounts and groups to match those of the AdminSDHolder, ensuring consistent security. Attackers can exploit this mechanism to establish a persistent backdoor by modifying the AdminSDHolder object with malicious permissions. Any changes to AdminSDHolder will be propagated to all protected accounts and groups, granting the attacker persistent administrative control over the domain. This technique allows attackers to regain administrative privileges even after password resets or other security measures.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a privileged account with sufficient permissions to modify the AdminSDHolder object (e.g., Domain Admins).</li>
<li>The attacker uses tools like ADSI Edit, PowerShell, or other Active Directory management tools to modify the AdminSDHolder object.</li>
<li>The attacker modifies the nTSecurityDescriptor attribute of CN=AdminSDHolder,CN=System,DC=&lt;domain&gt; to add ACEs for an account the attacker controls, typically an ordinary user that is not itself protected. Rights sufficient for a backdoor are GenericAll, WriteDACL, WriteOwner, WriteProperty or the User-Force-Change-Password extended right, each of which, directly or after first rewriting the DACL, lets that account reset the passwords of protected users or add members to protected groups.</li>
<li>SDProp runs on the PDC emulator, every 60 minutes by default, and compares the security descriptor of every protected object (adminCount=1) with the one on AdminSDHolder. The attacker does not need to wait: writing 1 to the rootDSE operational attribute runProtectAdminGroupsTask triggers an immediate run.</li>
<li>SDProp identifies discrepancies between the permissions on protected objects and the modified AdminSDHolder object.</li>
<li>SDProp resets the permissions on all protected accounts and groups to match those defined on the modified AdminSDHolder object.</li>
<li>The attacker&rsquo;s account is now granted persistent, unauthorized administrative privileges on all protected accounts and groups in the domain.</li>
<li>The attacker leverages the gained privileges to perform malicious activities such as data exfiltration, lateral movement, or establishing further persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to establish a persistent backdoor in the Active Directory environment. This grants them unauthorized administrative privileges over all protected accounts and groups, including Domain Admins, Enterprise Admins, and Schema Admins. The impact includes potential data breaches, complete domain compromise, and long-term persistence within the network. The attacker can maintain control even after password resets or other security measures are implemented.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &ldquo;Audit Directory Service Changes&rdquo; (success) on all domain controllers, which produces Windows Security Event ID 5136 for attribute writes. The event is generated only when the object&rsquo;s SACL also contains an auditing entry covering the write, so confirm that the auditing entries on CN=AdminSDHolder,CN=System cover Write All Properties and Modify Permissions.</li>
<li>Deploy the provided Sigma rule to your SIEM: Event ID 5136 with <code>ObjectDN</code> beginning <code>CN=AdminSDHolder,CN=System</code> and <code>AttributeLDAPDisplayName</code> of <code>nTSecurityDescriptor</code>. Legitimate writes are rare and normally tied to a documented change (for example granting a backup or monitoring service account during a deployment), so tune against change records rather than by excluding accounts.</li>
<li>Baseline the nTSecurityDescriptor of AdminSDHolder as SDDL (for example with Get-Acl on the AD: drive) and diff it on a schedule. Also list every object with adminCount=1 and compare its DACL to the baseline; an unexpected trustee there points at the same backdoor, or at an account that was removed from a protected group but never cleaned up and still carries the old adminCount and ACL.</li>
<li>After an AdminSDHolder modification, scope the impact by enumerating the adminCount=1 objects and checking their DACLs for the added trustee once SDProp has run, and watch for 5136 events on those objects in the hour that follows. To remediate, remove the ACE from AdminSDHolder, trigger SDProp (runProtectAdminGroupsTask on rootDSE) so the corrected descriptor is pushed back out, and then reset the credentials of every principal the attacker could reach.</li>
</ul>
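<p>The following Python is an added example (not this brief&rsquo;s Sigma rule or any CraftedSignal code) of the triage a SIEM analytic can run once the rule above has matched: it pairs the value-deleted and value-added 5136 events of one LDAP modify by OpCorrelationID, keeps only nTSecurityDescriptor writes on CN=AdminSDHolder,CN=System, diffs the SDDL ACE lists, and rates each added allow ACE by whether it carries rights that take over a protected principal. Field names follow the winlog.event_data convention used in the recommendations; the event records, the SDDL strings and the SIDs in them are constructed, not captured from a domain controller.</p>

```python
"""Triage the ACEs added by a 5136 change to AdminSDHolder's nTSecurityDescriptor.

Added example, not code from the brief. Event records mimic winlog.event_data
fields; the sample events, SDDL strings and SIDs below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

VALUE_ADDED = "%%14674"     # 5136 OperationType: value added
VALUE_DELETED = "%%14675"   # 5136 OperationType: value deleted
ADMINSDHOLDER_PREFIX = "CN=ADMINSDHOLDER,CN=SYSTEM,"
ALLOW_TYPES = {"A", "OA"}   # access-allowed and object-access-allowed ACEs
# Rights that let the trustee take over a protected principal outright.
TAKEOVER_RIGHTS = {"GA", "WD", "WO", "WP"}
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_aces(sddl: str) -> set[tuple[str, ...]]:
    """Split an SDDL string into ACE tuples (type;flags;rights;object;inherit;sid)."""
    return {tuple(m.group(1).split(";")) for m in ACE_RE.finditer(sddl)}


def split_rights(rights: str) -> set[str]:
    """Break the SDDL rights field into its two-letter codes (or keep a raw hex mask)."""
    if rights.startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def is_adminsdholder_sd_change(event: dict) -> bool:
    """Match what the Sigma rule matches: 5136, nTSecurityDescriptor, on AdminSDHolder."""
    return (event.get("EventID") == 5136
            and event.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor"
            and event.get("ObjectDN", "").upper().startswith(ADMINSDHOLDER_PREFIX))


def pair_by_correlation(events: list[dict]) -> dict[str, dict[str, dict]]:
    """Group the value-deleted/value-added events of one LDAP modify by OpCorrelationID."""
    pairs: dict[str, dict[str, dict]] = defaultdict(dict)
    for event in events:
        if is_adminsdholder_sd_change(event):
            pairs[event["OpCorrelationID"]][event["OperationType"]] = event
    return pairs


def severe(rights: set[str], object_guid: str) -> bool:
    """True when the ACE grants takeover rights or the reset-password extended right."""
    if rights & TAKEOVER_RIGHTS:
        return True
    # CR with an empty object GUID is every extended right, password reset included.
    return "CR" in rights and object_guid.lower() in ("", RESET_PASSWORD_GUID)


def added_aces(events: list[dict]) -> list[dict]:
    """One finding per allow ACE that an AdminSDHolder modification added."""
    findings = []
    for corr_id, ops in pair_by_correlation(events).items():
        new = ops.get(VALUE_ADDED)
        if new is None:
            continue
        old = ops.get(VALUE_DELETED)  # absent on a first-time write
        before = parse_aces(old["AttributeValue"]) if old else set()
        for ace in sorted(parse_aces(new["AttributeValue"]) - before):
            ace_type, _flags, rights, object_guid, _inherit_guid, sid = ace[:6]
            if ace_type not in ALLOW_TYPES:
                continue  # deny and audit ACEs do not grant access
            codes = split_rights(rights)
            findings.append({
                "correlation_id": corr_id,
                "subject": new["SubjectUserName"],
                "trustee": sid,
                "rights": sorted(codes),
                "severe": severe(codes, object_guid),
            })
    return findings


# Constructed sample: a trimmed default-looking descriptor is replaced by one that
# also grants GenericAll to an unprotected domain user (RID 1105).
OLD_SDDL = "O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;LCRPLORC;;;AU)"
NEW_SDDL = OLD_SDDL + "(A;;GA;;;S-1-5-21-3623811015-3361044348-30300820-1105)"
SAMPLE_EVENTS = [
    {"EventID": 5136, "OpCorrelationID": "{7f9e0c1a-0001}", "OperationType": VALUE_DELETED,
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": OLD_SDDL,
     "SubjectUserName": "svc-backup"},
    {"EventID": 5136, "OpCorrelationID": "{7f9e0c1a-0001}", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": NEW_SDDL,
     "SubjectUserName": "svc-backup"},
    # Unrelated 5136 on another object; must be ignored.
    {"EventID": 5136, "OpCorrelationID": "{7f9e0c1a-0002}", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=Alice,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "moved",
     "SubjectUserName": "helpdesk1"},
]

if __name__ == "__main__":
    for finding in added_aces(SAMPLE_EVENTS):
        print(finding)
```

<p>Diffing the two descriptors rather than alerting on the raw event is what turns a match into an actionable finding: the output names the account that made the change, the trustee that gained access and the rights it received, which is exactly what the responder needs to scope the adminCount=1 objects once SDProp has copied the new descriptor to them.</p>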
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>persistence</category><category>active directory</category><category>adminsdholder</category></item></channel></rss>