Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence

Matrix

TechniqueRequired controlPersistence objectMain toolAbuse resultRemoval
Golden Ticketkrbtgt hash or AES key and domain SIDForged TGTticketer.py, RubeusDomain authentication as arbitrary userRotate krbtgt twice and purge tickets
Diamond TicketLegitimate TGT plus krbtgt keyModified valid-looking TGTRubeusForged PAC inside a real TGT flowRotate krbtgt, investigate source account
Golden CertificateCA private keyForged certificatecertipy, Certify, RubeusPKINIT or Schannel auth as arbitrary principalRebuild or rotate CA trust, revoke where possible
Golden SAMLADFS token-signing keyForged SAML tokenADFSpoofFederated access as arbitrary userRotate ADFS token-signing certs and review relying parties
Shadow CredentialsWrite access to msDS-KeyCredentialLinkPublic key credential linkcertipy, pyWhiskerPKINIT as target accountRemove exact key credential blob
DCSync rightsWriteDACL or equivalent on domain rootReplication rights ACEsPowerView, bloodyADDump domain secrets later as low-privileged accountRemove replication ACEs and rotate exposed secrets
AdminSDHolderWriteDACL on AdminSDHolderProtected ACL templatePowerViewACE propagates to protected adminsRestore AdminSDHolder ACL and protected object ACLs
GPO persistenceControl of GPO or GPO linkGPO files and AD GPO objectpyGPOAbuse, PowerShellCode or group membership on linked machinesRemove GPO changes, unlink or delete GPO
SIDHistoryDA-level or migration-level controlsIDHistory attributemimikatz, migration toolingHidden authorization through old privileged SIDRemove SIDHistory and audit migration process
DSRMDC local admin or DA on DCDSRM password and logon behaviorntdsutil, registryLocal DC admin authentication pathReset DSRM password and disable network logon
Skeleton KeyCode execution as SYSTEM on DCLSASS memory patchmimikatzMaster password works for domain users until rebootReboot DCs, investigate LSASS compromise

Decision matrix

SituationBest persistence family
We dumped krbtgtGolden or Diamond Ticket
We dumped one service account hashMove to service principal abuse and forge or request tickets for that SPN
We compromised the CA private keyGolden Certificate
We can write one target account attributeShadow Credentials
We can write the domain root DACLDCSync rights for a controlled account
We can write AdminSDHolderACL persistence over protected admin objects
We can modify a linked GPOGPO scheduled task, startup script, or local group membership
We have DC-local control but want a non-domain credential pathDSRM
We compromised ADFS signing materialGolden SAML

Response matrix

FindingImmediate action
Forged Kerberos ticket suspectedReview 4768 and 4769 anomalies, reset affected keys, rotate krbtgt twice if needed
Unknown certificate authenticationReview CA logs, issued certs, NTAuth trust, and CA private key exposure
msDS-KeyCredentialLink unknown blobExport current blobs, remove unauthorized entries, reset target password if required
Unexpected replication ACERemove ACE, DCSync hunt, rotate accounts exposed through NTDS dump
AdminSDHolder modifiedRestore AdminSDHolder security descriptor and force SDProp review
GPO modifiedDiff SYSVOL and AD GPO metadata, remove task/script/preference, force policy refresh
SIDHistory present unexpectedlyRemove attribute only after migration impact review, investigate source of change
DSRM network logon enabledDisable DsrmAdminLogonBehavior, reset DSRM password