Query Details

RULE 08 AD Admin SD Holder Backdoor

Query

// =========================================================
// RULE-08 | AD-AdminSDHolder-Backdoor
// Description : AdminSDHolder ACL backdoor detection —
//               Event 5136 modifying the ntSecurityDescriptor
//               (DACL) on the CN=AdminSDHolder,CN=System
//               object.
//               The SDProp process runs every 60 minutes and
//               copies the AdminSDHolder ACL to ALL protected
//               group and user objects (Domain Admins,
//               Enterprise Admins, Backup Operators, etc.).
//               Any ACE added here is "self-healing"
//               persistence: even if defenders remove the
//               attacker's ACE from Domain Admins, SDProp
//               restores it from AdminSDHolder within 60 min.
// Severity    : Critical (any modification)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1098 — Account Manipulation
//               T1207 — Rogue Domain Controller
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Known AdminSDHolder DN patterns
let AdminSDHolderPatterns = dynamic([
    "CN=AdminSDHolder,CN=System",
    "adminsdholder"
]);

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 5136                     // DS Object Modified
| where ObjectDN has_any (AdminSDHolderPatterns)
    or (ObjectClass =~ "container"
        and ObjectDN has "CN=System"
        and toLower(ObjectDN) has "adminsdholder")
| extend
    ActorAccount     = strcat(SubjectDomainName, "\\", SubjectUserName),
    TargetObject     = ObjectDN,
    ModifiedAttrib   = AttributeLDAPDisplayName,
    OperationDesc    = case(
        OperationType == "%%14674", "Attribute Written",
        OperationType == "%%14675", "Attribute Deleted",
        OperationType == "%%14676", "Attribute Added",
        OperationType
    )
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "AdminSDHolder_DACL_Modified; ",
        "SDProp_will_propagate_to_all_protected_groups_in_60min; ",
        "Actor: ", SubjectUserName, "; ",
        "Operation: ", OperationDesc, "; ",
        "Attribute: ", ModifiedAttrib
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAccount,
    TargetObject,
    ModifiedAttrib,
    OperationDesc,
    Computer,
    SubjectUserName,
    SubjectDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect potential security threats related to unauthorized modifications of the AdminSDHolder object in Active Directory. Here's a simplified explanation:

  1. Purpose: The query aims to identify any changes made to the security descriptor (DACL) of the AdminSDHolder object, which is critical because these changes can propagate to all protected groups and user objects, such as Domain Admins and Enterprise Admins, within 60 minutes. This could allow an attacker to maintain persistent access even if their permissions are removed elsewhere.

  2. Severity: Any modification detected is considered critical due to the potential impact on security.

  3. Frequency: The query runs every 15 minutes and looks back at the last 15 minutes of data to ensure timely detection.

  4. Data Source: It analyzes security events, specifically those with Event ID 5136, which indicates a directory service object modification.

  5. Detection Logic:

    • It filters events to find modifications related to the AdminSDHolder object.
    • It checks if the object distinguished name (DN) matches known patterns for AdminSDHolder.
    • It identifies the user who made the change and the nature of the modification (e.g., attribute written, deleted, or added).

  6. Output: The query produces a list of suspicious activities, detailing when the modification occurred, the severity, why it's suspicious, who made the change, what was changed, and on which computer.

  7. MITRE ATT&CK Techniques: The query relates to techniques T1098 (Account Manipulation) and T1207 (Rogue Domain Controller), indicating potential methods an attacker might use to exploit these changes.

In summary, this query helps security teams monitor and respond to unauthorized changes to critical security settings in Active Directory, which could otherwise lead to persistent unauthorized access.
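The detection logic described above, replayed in Python over a handful of constructed Event 5136 records so the filtering, look-back window, OperationType mapping and output fields can be exercised offline. This is an added example, not code from the original rule or its author; the sample events, domain and host names are constructed placeholders, and the PropagatesViaSDProp flag is an addition of this example (the KQL rule treats every change as Critical and does not distinguish the nTSecurityDescriptor attribute):

```python
from datetime import datetime, timedelta, timezone

# OperationType codes as labelled in the rule's case() expression
OPERATION_DESC = {
    "%%14674": "Attribute Written",
    "%%14675": "Attribute Deleted",
    "%%14676": "Attribute Added",
}

# Known AdminSDHolder DN patterns (same list the query carries), compared case-insensitively
ADMINSDHOLDER_PATTERNS = ("cn=adminsdholder,cn=system", "adminsdholder")


def is_adminsdholder_dn(object_dn: str, object_class: str) -> bool:
    """Mirror the query's DN match: a pattern hit, or a System container named adminsdholder."""
    dn = object_dn.lower()
    if any(p in dn for p in ADMINSDHOLDER_PATTERNS):
        return True
    return object_class.lower() == "container" and "cn=system" in dn and "adminsdholder" in dn


def detect_adminsdholder_changes(events, now, lookback=timedelta(minutes=15)):
    """Replay RULE-08 over SecurityEvent-shaped dicts; returns Critical findings newest first."""
    findings = []
    for ev in events:
        if ev["TimeGenerated"] <= now - lookback:      # outside the look-back window
            continue
        if ev["EventID"] != 5136:                      # only DS Object Modified events
            continue
        if not is_adminsdholder_dn(ev["ObjectDN"], ev.get("ObjectClass", "")):
            continue
        op = OPERATION_DESC.get(ev["OperationType"], ev["OperationType"])
        attrib = ev["AttributeLDAPDisplayName"]
        findings.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Severity": "Critical",
            "WhySuspicious": (
                "AdminSDHolder_DACL_Modified; "
                "SDProp_will_propagate_to_all_protected_groups_in_60min; "
                f"Actor: {ev['SubjectUserName']}; Operation: {op}; Attribute: {attrib}"
            ),
            "ActorAccount": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "TargetObject": ev["ObjectDN"],
            "ModifiedAttrib": attrib,
            "OperationDesc": op,
            "Computer": ev["Computer"],
            # Added flag (not in the query): SDProp copies only the security descriptor,
            # so this marks the changes that will actually reach the protected groups
            "PropagatesViaSDProp": attrib.lower() == "ntsecuritydescriptor",
        })
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)
    return findings


# Constructed sample events (not real telemetry); domain and host names are placeholders
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {   # DACL written on AdminSDHolder 5 minutes ago: must fire
        "TimeGenerated": NOW - timedelta(minutes=5), "EventID": 5136, "Computer": "DC01.example.test",
        "ObjectDN": "CN=AdminSDHolder,CN=System,DC=example,DC=test", "ObjectClass": "container",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
        "SubjectUserName": "svc-backup", "SubjectDomainName": "EXAMPLE",
    },
    {   # Same object, lower-case DN, unrelated attribute: still fires (any change is Critical)
        "TimeGenerated": NOW - timedelta(minutes=2), "EventID": 5136, "Computer": "DC01.example.test",
        "ObjectDN": "cn=adminsdholder,cn=system,dc=example,dc=test", "ObjectClass": "container",
        "AttributeLDAPDisplayName": "description", "OperationType": "%%14676",
        "SubjectUserName": "admin-jdoe", "SubjectDomainName": "EXAMPLE",
    },
    {   # Ordinary user object: excluded by the DN filter
        "TimeGenerated": NOW - timedelta(minutes=3), "EventID": 5136, "Computer": "DC01.example.test",
        "ObjectDN": "CN=jdoe,CN=Users,DC=example,DC=test", "ObjectClass": "user",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
        "SubjectUserName": "admin-jdoe", "SubjectDomainName": "EXAMPLE",
    },
    {   # AdminSDHolder change 40 minutes ago: outside the 15-minute look-back, excluded
        "TimeGenerated": NOW - timedelta(minutes=40), "EventID": 5136, "Computer": "DC02.example.test",
        "ObjectDN": "CN=AdminSDHolder,CN=System,DC=example,DC=test", "ObjectClass": "container",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14675",
        "SubjectUserName": "svc-backup", "SubjectDomainName": "EXAMPLE",
    },
]

if __name__ == "__main__":
    for f in detect_adminsdholder_changes(SAMPLE_EVENTS, NOW):
        print(f["TimeGenerated"].isoformat(), f["ActorAccount"], f["OperationDesc"], f["ModifiedAttrib"])
```

Running the block lists two findings, newest first, and drops the user-object change and the event older than the look-back. The fourth sample illustrates why the 15-minute look-back must be paired with the 15-minute schedule in the rule header: a wider gap between the two would let a change slip through unreported, while SDProp would still propagate it within the hour.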

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, AdminSDHolder, Domain Admins, Enterprise Admins, Backup Operators, Account Manipulation, Rogue Domain Controller

Operators

let, dynamic, ago, has_any, =~, has, toLower, strcat, case, project, order by, desc
