Adversaries may modify the AdminSDHolder to gain persistent access to privileged accounts by altering group membership and permissions in Active Directory. SOC teams should proactively hunt for these modifications in Azure Sentinel to detect potential long-term persistence mechanisms early.
KQL Query
```kusto
SecurityEvent
| where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend Name = tostring(split(SubjectAccount, "\\")[1]), NTDomain = tostring(split(SubjectAccount, "\\")[0])
```
```yaml
id: 52aec824-96c1-4a03-8e44-bb70532e6cea
name: AdminSDHolder Modifications
description: |
  'This query detects modifications to the AdminSDHolder object in Active Directory, which could indicate an attempt at persistence.
  AdminSDHolder modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.
  This query searches for event ID 5136 where the Object DN is AdminSDHolder.
  Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/'
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1078
query: |
  SecurityEvent
  | where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
  | parse EventData with * 'ObjectDN">' ObjectDN "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend Name = tostring(split(SubjectAccount, "\\")[1]), NTDomain = tostring(split(SubjectAccount, "\\")[0])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: Name
      - identifier: NTDomain
        columnName: NTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Vasileios Paschalidis
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
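To see exactly what the rule's `contains`, `parse`, `summarize` and `extend` steps produce, here is the same logic reimplemented in Python over constructed 5136 rows; this is an added example, not code from the rule or its author. `SAMPLE_EVENTS`, the helper names and the `exclude_accounts` allowlist (a stand-in for the false-positive exclusions described in the scenarios that follow) are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample SecurityEvent rows (EventID 5136, Directory Service Changes).
# EventData is the XML fragment the KQL 'contains' and 'parse' operators match on.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00", "Computer": "dc01.corp.example.com", "EventID": 5136,
     "SubjectAccount": "CORP\\jdoe", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectLogonId": "0x3e7a1",
     "EventData": '<Data Name="ObjectDN">CN=AdminSDHolder,CN=System,DC=corp,DC=example,DC=com</Data>'
                  '<Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>'},
    {"TimeGenerated": "2024-05-01T10:05:00", "Computer": "dc01.corp.example.com", "EventID": 5136,
     "SubjectAccount": "CORP\\jdoe", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectLogonId": "0x3e7a1",
     "EventData": '<Data Name="ObjectDN">CN=AdminSDHolder,CN=System,DC=corp,DC=example,DC=com</Data>'},
    {"TimeGenerated": "2024-05-01T10:07:00", "Computer": "dc02.corp.example.com", "EventID": 5136,
     "SubjectAccount": "CORP\\svc_sync", "SubjectUserSid": "S-1-5-21-1-2-3-2200", "SubjectLogonId": "0x41b2c",
     "EventData": '<Data Name="ObjectDN">CN=Finance,OU=Groups,DC=corp,DC=example,DC=com</Data>'},
]

NEEDLE = '<Data Name="ObjectDN">CN=AdminSDHolder,CN=System'   # same literal as the KQL 'contains'
OBJECTDN_RE = re.compile(r'ObjectDN">([^<]*)<')               # same anchors as the KQL 'parse'

def split_host(computer):
    """Mirror the KQL HostName/HostNameDomain: first DNS label, then the rest (whole name if no dot)."""
    idx = computer.find(".")
    return computer.split(".")[0], (computer[idx + 1:] if idx != -1 else computer)

def split_account(account):
    """Mirror the KQL Name/NTDomain split of a DOMAIN\\user SubjectAccount."""
    parts = account.split("\\")
    return (parts[1] if len(parts) > 1 else ""), parts[0]

def detect_adminsdholder_changes(events, exclude_accounts=()):
    """Filter, parse and summarize as the rule does; exclude_accounts is a hypothetical allowlist."""
    groups = {}
    for ev in events:
        if ev["EventID"] != 5136 or NEEDLE not in ev["EventData"] or ev["SubjectAccount"] in exclude_accounts:
            continue
        object_dn = OBJECTDN_RE.search(ev["EventData"]).group(1)
        key = (ev["Computer"], ev["SubjectAccount"], ev["SubjectUserSid"], ev["SubjectLogonId"], object_dn)
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        g = groups.setdefault(key, {"StartTime": ts, "EndTime": ts})
        g["StartTime"], g["EndTime"] = min(g["StartTime"], ts), max(g["EndTime"], ts)
    rows = []
    for (computer, account, sid, logon_id, dn), times in groups.items():
        host, host_domain = split_host(computer)
        name, nt_domain = split_account(account)
        rows.append({"Computer": computer, "SubjectAccount": account, "SubjectUserSid": sid, "SubjectLogonId": logon_id,
                     "ObjectDN": dn, **times, "HostName": host, "HostNameDomain": host_domain, "Name": name, "NTDomain": nt_domain})
    return rows
```

Two changes by the same subject and logon session collapse into one row with a StartTime/EndTime span, while the unrelated group change on dc02 is dropped, which is the shape of the alert the Sentinel rule raises.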
Scenario: Scheduled Task for User Group Sync
Description: A legitimate scheduled task runs to synchronize user groups with the AdminSDHolder to ensure proper permissions are applied.
Filter/Exclusion: Exclude events where the modification is initiated by a known system service or scheduled task (e.g., Microsoft\Windows\GroupPolicy\GroupPolicy or Task Scheduler task with a known name like UserGroupSync).
Scenario: Active Directory Replication
Description: During Active Directory replication, the AdminSDHolder may be modified as part of normal synchronization between domain controllers.
Filter/Exclusion: Exclude events originating from domain controllers (e.g., DC=example,DC=com in the distinguished name) or associated with replication services (e.g., NTDS or KCC).
Scenario: Admin Tool Configuration Change
Description: An administrator uses tools like ADSI Edit or LDIFDE to manually adjust the AdminSDHolder for troubleshooting or configuration purposes.
Filter/Exclusion: Exclude events where the user is a domain admin or has a known administrative tool in the command line (e.g., ADSI Edit or LDIFDE in the process name).
Scenario: Group Policy Object (GPO) Update
Description: A GPO update may trigger changes to the AdminSDHolder as part of applying group policy settings that affect security settings.
Filter/Exclusion: Exclude events where the modification is initiated by the Group Policy Client (e.g., gpsvc service or GPMC tool) or occurs during a known GPO update window.
Scenario: Security Software Configuration
Description: Security software such as Microsoft Defender for Identity or third-party tools may modify the AdminSDHolder as part of their configuration or remediation processes.
*Filter