PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 11 min read

Active Directory ACL Backdoor Detection: How to Find and Remove Dangerous Permissions Before an Attacker Uses Them

Every 60 min
Frequency SDProp runs, propagating AdminSDHolder ACL to protected objects
4
Dangerous AD permissions: GenericAll, WriteDACL, DCSync extended rights, GenericWrite
Event 5136
Windows event ID for AD object modification -- key for ACL change alerting

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Active Directory privilege escalation via ACL abuse is a documented and heavily used attacker technique. BloodHound was built specifically to visualize ACL-based attack paths. After an attacker gets temporary domain admin (from a single compromised admin account, for example), adding a backdoor ACE takes seconds and is not visible in any group membership audit. The ACE sits on the object forever, waiting. This guide covers how to enumerate dangerous ACEs on high-value AD objects, how to audit the AdminSDHolder for backdoored permissions, and how to use BloodHound to find the escalation paths an attacker could use today.

Most Dangerous ACEs to Hunt

Not all ACEs are equally dangerous. Focus the audit on these specific rights on high-value objects: GenericAll on any user, group, or computer object -- grants complete control, including password resets and attribute modification. GenericWrite on User or Computer objects -- allows modification of attributes including setting a ServicePrincipalName (enabling Kerberoasting) or a msDS-KeyCredentialLink (enabling shadow credentials attack). WriteDACL on an OU, domain, or high-value group -- allows adding further ACEs, meaning the holder can grant themselves any other permission. WriteOwner on a domain or OU -- allows taking ownership, which implicitly grants WriteDACL. DCSync extended rights on the Domain object: Replicating Directory Changes and Replicating Directory Changes All together allow an account to request domain replication. Any non-DC account with these two rights can run Mimikatz DCSync and extract all domain credential hashes without logging into any DC. ForceChangePassword on any user object -- allows resetting a user's password without knowing the current password.

Enumerate Dangerous ACEs with PowerView

PowerView (from PowerSploit) provides the most granular ACL enumeration for on-premises AD. Import-Module PowerView, then: Get-ObjectAcl -SamAccountName 'Domain Admins' -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDACL|WriteOwner' } | Select-Object SecurityIdentifier, ActiveDirectoryRights, ObjectType. Run the same query against: the Domain object itself, the AdminSDHolder object (CN=AdminSDHolder,CN=System), high-value groups (Domain Admins, Schema Admins, Enterprise Admins, Account Operators), and key OUs that contain privileged systems. For DCSync rights specifically: Get-ObjectAcl on the domain distinguished name with ResolveGUIDs, then filter where ObjectType matches DS-Replication-Get-Changes. Compare any non-DC accounts in that output -- domain controllers are expected to have replication rights; standard user accounts should not.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Use BloodHound for Attack Path Visualization

PowerView gives you raw ACE data; BloodHound translates it into attack paths. Deploy BloodHound Community Edition: SharpHound collector (run on a domain member as a standard domain user -- it collects ACL data without requiring admin rights), ingest the output into the BloodHound Neo4j database, and query for dangerous paths. Key BloodHound queries: 'Find Principals with DCSync Rights' -- all non-DC objects with Replicating Directory Changes All. 'Find Shortest Paths to Domain Admins' -- shows all paths that could lead to Domain Admin from a standard user, including ACL-based escalations. 'Shortest Paths from Kerberoastable Users' -- identifies Kerberoastable accounts with downstream access to privileged objects. Review the results not just for your own findings but for what an attacker running SharpHound with a compromised standard user account would see -- any path BloodHound shows from a standard user to Domain Admin is a path attackers will also see and use.

Audit the AdminSDHolder

AdminSDHolder (CN=AdminSDHolder,CN=System) is an AD object whose ACL serves as the template for ACLs on all protected objects (Domain Admins, Account Operators, Server Operators, and about 19 other groups). Every 60 minutes, a process called SDProp runs and copies the AdminSDHolder ACL to all protected objects, overwriting any changes. This means: if an attacker adds an ACE to AdminSDHolder, that ACE propagates to every privileged group and account in the domain every hour, automatically and silently. Auditing: Get-ObjectAcl -SamAccountName 'AdminSDHolder' -ResolveGUIDs | Where-Object { $_.SecurityIdentifier -notmatch '^S-1-5-32|^S-1-5-18|^S-1-5-9' } | Select-Object SecurityIdentifier, ActiveDirectoryRights. The legitimate accounts on AdminSDHolder are: SYSTEM, Domain Admins, Enterprise Admins, Administrators, and domain controllers (S-1-5-9). Any other SID with write rights should be investigated immediately.

Remediation and Monitoring

To remove a dangerous ACE: in Active Directory Users and Computers with Advanced Features enabled, right-click the object, select Properties > Security > Advanced. Find the ACE by the account name (resolve SIDs first with Get-ADUser -Identity S-1-5-...). Remove the specific ACE. Confirm removal by re-running the PowerView query. For AdminSDHolder specifically, SDProp will re-apply the AdminSDHolder ACL within 60 minutes -- if a backdoor ACE was on AdminSDHolder, removing the ACE from AdminSDHolder will cause SDProp to remove it from all protected objects automatically on the next run. For ongoing monitoring: enable DS Access auditing via the Default Domain Controllers Policy (Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy > DS Access > Audit Directory Service Changes = Success). Event ID 5136 (A directory service object was modified) will log ACL changes. Alert on: any modification to the AdminSDHolder ACL, any addition of Replicating Directory Changes rights, and any GenericAll or WriteDACL grant on high-value objects.

The bottom line

ACL backdoors are the persistence mechanism of choice for sophisticated AD attackers because they are invisible to group membership audits and survive account renames and decommissions. Run BloodHound quarterly, audit AdminSDHolder monthly, and set up Event ID 5136 alerts on your highest-value AD objects. If you have experienced a domain compromise or suspect one, auditing AdminSDHolder and DCSync rights is step one.

Frequently asked questions

What is the difference between an ACL audit and a BloodHound run?

A BloodHound run is a form of ACL audit that prioritizes identifying exploitable attack paths over comprehensive ACL inventory. BloodHound shows you which ACEs create paths to privilege escalation. A manual ACL audit with PowerView shows you all ACEs, including those that are legitimate but noteworthy, and is necessary for building a baseline. Use both: BloodHound for attacker-perspective risk assessment, PowerView for detailed per-object ACL review.

Can an attacker run BloodHound with a standard domain user account?

Yes. SharpHound's default collection method (domain user, no elevation required) is sufficient to collect ACL data for all AD objects -- standard domain users can read the security descriptor of any object in AD by default. This is by design in Active Directory's information model. The implication: any attacker with a single compromised domain account can enumerate all ACL-based attack paths. The attack paths BloodHound reveals are visible to any attacker on your network.

How do I know if AdminSDHolder has been tampered with?

Compare the current ACL against a documented baseline. If you do not have a baseline, compare against a known-clean reference: the default AdminSDHolder ACL in a fresh Windows Server AD installation includes only SYSTEM, Domain Admins, Enterprise Admins, Administrators, and domain controllers with specific rights. Any additional accounts with write rights are anomalous. For forensic investigation, check the AD object's whenChanged attribute and the Event ID 5136 logs for the AdminSDHolder CN to find when the change was made.

What if the attacker account that added the ACE was deleted?

The ACE remains on the object even after the account is deleted. It becomes an orphaned ACE with only the SID visible (the account name cannot be resolved because the account no longer exists). When reviewing ACLs, any SID that fails to resolve to an account name is suspicious -- it may be a deleted attacker account that still holds rights. Remove orphaned ACEs from all high-value objects as part of your cleanup.

What BloodHound attack path indicates the highest urgency for remediation?

Any path from a compromised workstation or low-privilege account that leads to Domain Admin in 3 hops or fewer is critical priority. The most dangerous short paths: a standard user account that is a local admin on a Tier 0 server (one hop to credential access, one hop to Domain Admin), an account with GenericAll or WriteDACL on a Group that contains Domain Admins (modify the group membership, one hop to DA), and a machine account with replication rights (DCSync, one hop to all domain credentials). Run BloodHound's built-in 'Shortest Paths to Domain Admins' query filtered to non-admin accounts. Any result returned is a critical remediation item.

How do I permanently remediate AD ACL backdoors after removing them?

Removing a backdoor ACE stops the immediate threat but does not prevent re-introduction. Permanent remediation requires addressing the root cause: how was the ACE added in the first place? If the attacker added it after a compromise, your incident response must include full scope analysis -- assume any account that was compromised may have modified ACLs on objects it had write access to, and audit ACLs for all those objects. For prevention: enable AD auditing for 'Write ACL' events (Success and Failure) on all domain objects including AdminSDHolder -- Event ID 4662 with GUID matching the DACL property is generated for ACL changes. Collect these events in your SIEM and alert when ACLs are modified on Tier 0 objects (Domain Admins group, AdminSDHolder, Domain controllers OU, domain object). Consider deploying BloodHound Community Edition (the free version) on a schedule to run weekly collection and alert when new short attack paths to Domain Admin appear that were not present in the previous collection.

Sources & references

  1. BloodHound Community Edition Documentation
  2. Microsoft: AdminSDHolder and SDProp

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.