
Summary
The 'AdminSDHolder Backdoor' detection rule identifies unauthorized modifications to the AdminSDHolder object in Active Directory, a target for attackers seeking to maintain persistent administrative access. The SDProp (Security Descriptor Propagator) process periodically copies the permissions on AdminSDHolder onto every protected account and group, resetting any discrepancies; as a result, a permission added to AdminSDHolder is propagated to all protected accounts, which makes the object a strategic vector for attackers to exploit. This rule triggers alerts when event code 5136 (a directory service object was modified) records a change to the AdminSDHolder's permissions, enabling security teams to respond to potential threats quickly. It outlines investigation steps to confirm whether the change was authorized, review the activity of the account that made it, and identify any permissions that do not align with organizational security policy. Additionally, it discusses false positives arising from routine administrative practices and emphasizes proactive response actions, including isolating affected systems and restoring the original permissions, to mitigate the risk of privilege escalation.
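As an added example (not code from the rule page or its vendor), the following Python script shows the detection logic the summary describes: it scans a set of constructed Windows Security event 5136 records, keeps only those that rewrite the nTSecurityDescriptor attribute of the AdminSDHolder object under CN=System, and, for triage, lists the trustees in the new SDDL that are not well-known aliases normally present on that object. The sample events, the domain name corp.example, the account names and the SIDs are constructed for illustration; the set of "expected" trustees is a heuristic assumption and should be tuned to the environment.

```python
"""Added example: triage Windows Security event 5136 records for changes to the
AdminSDHolder object's security descriptor. Not code from the rule page."""
from __future__ import annotations
import re

# DN of the AdminSDHolder object; the domain components vary per forest,
# so they are matched generically. A same-named object elsewhere does not match.
ADMINSDHOLDER_DN = re.compile(r"^CN=AdminSDHolder,CN=System(,DC=[^,]+)+$", re.IGNORECASE)

# One SDDL ACE looks like (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^)]*)\)")

# Resource strings used by event 5136 for the OperationType field.
OPERATION_NAMES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

# Heuristic assumption: well-known SDDL trustee aliases that are normally present
# on AdminSDHolder. An explicit S-1-5-21-... SID is what a triage analyst wants to see.
EXPECTED_TRUSTEES = {"DA", "EA", "BA", "SY", "AO", "AU", "WD", "PS", "CO", "RC", "ED", "SA"}

# Constructed sample events, loosely modelled on the 5136 event schema.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
     "AttributeValue": ("O:DAG:DAD:PAI"
                        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
                        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111111111-2222222222-3333333333-1105)")},
    # Routine change to a user object: not AdminSDHolder.
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674",
     "AttributeValue": "Finance team"},
    # AdminSDHolder, but an attribute other than its security descriptor.
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "admin1",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674",
     "AttributeValue": "reviewed"},
    # A differently-named event code is ignored even if the DN matches.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "admin1",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=example"},
    # Same CN under a different container: not the real AdminSDHolder.
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "admin1",
     "ObjectDN": "CN=AdminSDHolder,OU=Staging,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
     "AttributeValue": "O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"},
]


def is_adminsdholder_change(event: dict) -> bool:
    """True for a 5136 event that rewrote AdminSDHolder's nTSecurityDescriptor."""
    return (
        event.get("EventID") == 5136
        and ADMINSDHOLDER_DN.match(event.get("ObjectDN", "")) is not None
        and event.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor"
    )


def trustees_from_sddl(sddl: str) -> list[str]:
    """Return the trustee of every ACE in an SDDL string, in DACL order."""
    trustees = []
    for ace in ACE_RE.findall(sddl):
        parts = ace.split(";")
        if len(parts) >= 6:
            trustees.append(parts[5])
    return trustees


def triage(events: list[dict]) -> list[dict]:
    """Produce one alert per matching event with the context an analyst needs first."""
    alerts = []
    for event in events:
        if not is_adminsdholder_change(event):
            continue
        trustees = trustees_from_sddl(event.get("AttributeValue", ""))
        alerts.append({
            "actor": f"{event.get('SubjectDomainName')}\\{event.get('SubjectUserName')}",
            "operation": OPERATION_NAMES.get(event.get("OperationType"), event.get("OperationType")),
            "unexpected_trustees": [t for t in trustees if t not in EXPECTED_TRUSTEES],
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event produces an alert; the decoy object under OU=Staging, the change to a non-permission attribute and the non-5136 event are all filtered out, and the alert names the one explicit SID that was granted rights, which is the starting point for the investigation steps the rule describes.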
Categories
- Windows
- Identity Management
- Endpoint
Data Sources
- Active Directory
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1078
- T1078.002
- T1098
Created: 2022-01-31