{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sdprop/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["active-directory","persistence","adminsdholder","sdprop"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe SDProp (Security Descriptor Propagator) process in Active Directory is crucial for maintaining the security of privileged accounts and groups. It compares permissions on protected objects with those defined on the AdminSDHolder object, resetting any discrepancies. Attackers can exploit the dsHeuristics attribute to exclude specific groups from this process, allowing them to manipulate the permissions of these groups without the changes being reverted by SDProp. This can lead to long-term persistence, even if the AdminSDHolder object is properly configured. The modification is identified via Windows Event ID 5136, specifically targeting changes to the dsHeuristics attribute. This attack matters because it allows attackers to maintain unauthorized access to sensitive resources within the Active Directory environment, potentially leading to further compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a privileged account capable of modifying Active Directory attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the AdminSDHolder object and the groups currently protected by SDProp.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the dsHeuristics attribute using tools like ADSI Edit or PowerShell to exclude specific privileged groups (e.g., Domain Admins) from SDProp. This involves manipulating the binary representation of the attribute value.\u003c/li\u003e\n\u003cli\u003eThe attacker makes unauthorized changes to the permissions, group memberships, or other security settings of the excluded groups.\u003c/li\u003e\n\u003cli\u003eSDProp no longer resets the permissions of the excluded groups to match the AdminSDHolder object, effectively preserving the attacker\u0026rsquo;s modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their persistent access to the compromised privileged accounts and groups to perform lateral movement, escalate privileges, and access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may create new accounts and add them to the excluded groups, granting them persistent access to the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or complete domain compromise, using the persistently compromised accounts and groups.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to privileged accounts, even after security configurations are supposedly reset by SDProp. This persistence can lead to widespread damage, including complete domain compromise, data exfiltration, and ransomware deployment. The scope of the impact depends on the level of access granted to the compromised accounts. If Domain Admins are compromised, the entire Active Directory forest can be considered at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; and monitor Windows Security Event Logs for Event ID 5136 with \u003ccode\u003eAttributeLDAPDisplayName : \u0026quot;dSHeuristics\u0026quot;\u003c/code\u003e to detect modifications to the dsHeuristics attribute.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AdminSDHolder SDProp Exclusion Added\u0026rdquo; to your SIEM to detect suspicious modifications to the dsHeuristics attribute. Tune the rule based on your environment and known directory configuration workflows.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected modifications to the dsHeuristics attribute, focusing on the \u003ccode\u003ewinlog.event_data.OperationType\u003c/code\u003e and \u003ccode\u003ewinlog.event_data.AttributeValue\u003c/code\u003e fields to determine the nature of the change and the groups affected.\u003c/li\u003e\n\u003cli\u003eCorrelate Event ID 5136 with Event ID 4624 (An account was successfully logged on) using \u003ccode\u003ewinlog.event_data.SubjectLogonId\u003c/code\u003e to identify the source of the directory change.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configuration of the AdminSDHolder object and the dsHeuristics attribute to ensure that privileged groups are properly protected by SDProp.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:40:15Z","date_published":"2026-05-12T18:40:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-sdprop-exclusion/","summary":"Modification of the dsHeuristics attribute to exclude groups from SDProp in Active Directory can allow attackers to maintain persistent access to privileged accounts.","title":"AdminSDHolder SDProp Exclusion Added","url":"https://feed.craftedsignal.io/briefs/2026-05-adminsdholder-sdprop-exclusion/"}],"language":"en","title":"CraftedSignal Threat Feed — Sdprop","version":"https://jsonfeed.org/version/1.1"}