Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence

Information

Persistence in Active Directory is about keeping a reusable path back into the domain after the first compromise. We are not only talking about malware on one workstation. AD persistence often lives in trust material, Kerberos keys, certificate authorities, directory ACLs, GPOs, service accounts, DNS, and privileged attributes.

The practical split is simple. Ticket persistence abuses Kerberos secrets such as krbtgt or service account keys. Certificate persistence abuses ADCS trust material. Directory persistence abuses AD object permissions and attributes. Policy persistence abuses GPOs and SYSVOL. Local-at-scale persistence uses AD administration paths to push scheduled tasks, services, logon scripts, or WMI subscriptions across machines.

Tools used in this section include Impacket, Rubeus, Mimikatz, Certipy, Certify, PKINITtools, pyWhisker, bloodyAD, PowerView, pyGPOAbuse, ADFSpoof, and NetExec

Persistence families

  • Kerberos key material: Golden Ticket and Diamond Ticket.
  • Certificate trust material: Golden Certificate, long-lived enrollment abuse, PassTheCert.
  • Directory object control: Shadow Credentials, DCSync rights, AdminSDHolder ACLs, SIDHistory.
  • Policy control: GPO immediate tasks, startup scripts, local group membership, scheduled tasks.
  • DC-local control: DSRM password and Skeleton Key.
  • Federation trust: Golden SAML when ADFS token-signing material is compromised.