Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence

Response

Persistence response starts by identifying which trust material was abused. Password resets solve only account-secret persistence. They do not solve forged certificates, krbtgt compromise, AdminSDHolder ACLs, GPO tampering, SIDHistory, or ADFS token-signing compromise.

Kerberos ticket response

Get-ADUser krbtgt -Properties PasswordLastSet,msDS-KeyVersionNumber
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Select-Object -First 50 TimeCreated,Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Select-Object -First 50 TimeCreated,Message

Rotate krbtgt twice

$NewPassword = ConvertTo-SecureString ([Guid]::NewGuid().Guid + [Guid]::NewGuid().Guid) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $NewPassword
Get-ADUser krbtgt -Properties PasswordLastSet,msDS-KeyVersionNumber

Use the official Microsoft krbtgt rotation script or a controlled two-step reset process. Wait for replication and ticket lifetime boundaries between resets.

Shadow Credentials review

Get-ADObject -LDAPFilter "(msDS-KeyCredentialLink=*)" -Properties msDS-KeyCredentialLink,whenChanged |
  Select-Object Name,ObjectClass,DistinguishedName,whenChanged,msDS-KeyCredentialLink

DCSync rights review

$DomainDN = "DC=ootw,DC=local"
Get-ACL "AD:\$DomainDN" |
  Select-Object -ExpandProperty Access |
  Where-Object {
    $_.ObjectType -match "1131f6aa|1131f6ad|89e95b76" -or
    $_.ActiveDirectoryRights -match "ExtendedRight"
  } |
  Select-Object IdentityReference,ActiveDirectoryRights,ObjectType,IsInherited

AdminSDHolder review

Get-ACL "AD:\CN=AdminSDHolder,CN=System,DC=ootw,DC=local" |
  Select-Object -ExpandProperty Access |
  Select-Object IdentityReference,ActiveDirectoryRights,ObjectType,IsInherited

GPO review

Get-GPO -All | Sort-Object ModificationTime -Descending | Select-Object DisplayName,Id,Owner,ModificationTime
Get-GPInheritance -Target "DC=ootw,DC=local"
Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include *.xml,*.ps1,*.bat,*.vbs | Select-Object FullName,LastWriteTime

SIDHistory review

Get-ADObject -LDAPFilter "(sIDHistory=*)" -Properties sIDHistory,objectSid,sAMAccountName,whenChanged |
  Select-Object Name,ObjectClass,sAMAccountName,ObjectSid,SIDHistory,whenChanged

DSRM review

reg query HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior

Disable DSRM network logon

reg add HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior /t REG_DWORD /d 0 /f

Certificate persistence review

certutil -store my
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter,SerialNumber"
certutil -enterprise -viewstore NTAuth

Golden SAML response

Import-Module ADFS
Get-AdfsCertificate
Get-AdfsRelyingPartyTrust
Get-AdfsProperties

Hardening

  • Protect Tier 0 systems and accounts separately from workstations.
  • Limit who can modify GPOs, GPO links, AdminSDHolder, domain root ACLs, and ADCS objects.
  • Monitor changes to msDS-KeyCredentialLink, servicePrincipalName, sIDHistory, privileged group membership, and replication rights.
  • Require strong service account secrets or gMSA.
  • Protect CA private keys and ADFS token-signing keys like domain compromise material.
  • Keep Domain Controllers off general administration paths.