Just recorded another video of me demonstrating some Backdooring techniques for Persistence. Assuming that we have Domain Admin access already, we need to find a way to maintain that persistence. We are abusing a feature called AdminSDHolder / SDPropergator which is a protection on Windows Servers to protect tampering of ACLS on Protected groups.
Every 60 minutes, SDPropergator will run, which will reset all the protected groups ACLs to default. However, SDPropergator runs on the AdminSDHolder container, which has its own ACLs. To abuse this, we simply add ourselves with All Rights to the AdminSDHolder ACL, wait for 60 mins (or in our case, push it). When Replication has been completed, we are now a member of ALL protected groups!
Click on this link to view a demonstration of Backdooring AdminSDHolder