One Day Sec

How can defenders detect and remove malicious ACL modifications on the AdminSDHolder object?

Defenders should regularly query the ACL of the AdminSDHolder object with PowerView, e.g. `Get-ObjectAcl -ADSprefix "CN=AdminSDHolder,CN=System"`, and check it for principals that have no legitimate reason to hold rights there. If an unexpected entry is found, remove it with `Remove-DomainObjectAcl` as shown in the article's cleanup section. Monitoring changes to this object is crucial; also consider hardening other entry points, such as the Remote Registry service in Windows (covered under Penetration Techniques).
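The detect-then-clean loop described above, as an added example that is not part of the original answer: it uses the built-in ActiveDirectory module and its `AD:` drive rather than PowerView, compares AdminSDHolder's explicit ACEs against a baseline captured on a known-clean domain, and stages removal of anything that was added since. The baseline path is an assumption.

```powershell
# Added example, not from the original answer: audit AdminSDHolder's explicit ACEs
# against a baseline captured on a known-clean domain, warn on additions and stage
# their removal. Uses the built-in ActiveDirectory module instead of PowerView.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$target   = "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$baseline = 'C:\SecOps\adminsdholder-baseline.json'   # assumed path, adjust as needed

# One comparable string per ACE: trustee, allow/deny, rights, object GUIDs.
function ConvertTo-AceKey($Ace) {
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritedObjectType
}

# Only explicit ACEs matter here; inherited ones come from the System container.
function Get-ExplicitAceKeys([string]$Path) {
    @((Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { ConvertTo-AceKey $_ } | Sort-Object -Unique)
}

$current = Get-ExplicitAceKeys $target

if (-not (Test-Path $baseline)) {
    # First run: record what a reviewed, clean AdminSDHolder looks like and stop.
    ConvertTo-Json -InputObject $current | Set-Content -Path $baseline
    Write-Host "Baseline written to $baseline; review it before trusting it."
    return
}

$known = @(Get-Content -Path $baseline -Raw | ConvertFrom-Json)
$added = @(Compare-Object -ReferenceObject $known -DifferenceObject $current |
    Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)

if ($added.Count -eq 0) { Write-Host 'AdminSDHolder ACL matches baseline.'; return }
Write-Warning ("Unexpected ACEs on AdminSDHolder:`n" + ($added -join "`n"))

# Cleanup: drop only the ACEs that are not in the baseline, then write the ACL back.
# -WhatIf stages the change; remove it once the diff has been reviewed. SDProp will
# push the corrected descriptor to protected accounts on its next run (hourly by default).
$acl = Get-Acl -Path $target
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    if ($added -contains (ConvertTo-AceKey $ace)) { [void]$acl.RemoveAccessRule($ace) }
}
Set-Acl -Path $target -AclObject $acl -WhatIf
```

Run it on a schedule from a monitored admin host; pair it with directory service change auditing (Event ID 5136 on the domain controllers) so that the write to AdminSDHolder is logged at the moment it happens, not only at the next comparison.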
