
You're reading from Pentesting Active Directory and Windows-based Infrastructure

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781804611364
Edition: 1st Edition
Author: Denis Isakov

Denis Isakov is a passionate security professional with 10+ years of experience ranging from incident response to penetration testing. He has worked in various industries, including banking and consultancy. Denis specializes in offensive security, with a particular focus on Active Directory and adversary malware. He earned a Master's degree in Information Systems and Technologies in 2012. Additionally, Denis has achieved an array of industry certifications ranging from OSCP to GXPN. Outside of computers, Denis enjoys sports and discovering new places.


Persistence on Domain Level

During an offensive operation, adversaries need to maintain their access to the target environment. Events such as reboots and users' password changes can disrupt the operation's flow, and persistence techniques exist to survive such interruptions. This chapter does not cover host persistence on Windows workstations and servers. Instead, we focus on domain-level persistence and on techniques specific to domain controllers. Our first topic is the best-known family of forged tickets, nicknamed after jewels (golden, silver, diamond, and sapphire). We will discuss the differences between them and demonstrate their practical usage with OpSec considerations. Other domain-level persistence topics, such as SID History injection, AdminSDHolder and ACL/DACL manipulation, and delegation privilege abuse, will be explained and illustrated with practical examples. We will close the...

Technical requirements

In this chapter, you will need to have the following:

  • VMware Workstation or Oracle VM VirtualBox with at least 16 GB of RAM, 8 CPU cores, and at least 55 GB of total space (more if you take snapshots)
  • A Linux-based operating system is strongly recommended
  • Vagrant installed with a plugin for the corresponding virtualization platform and Ansible
  • From the GOADv2 project, we will use DC01, SRV01, DC03, and SRV03 virtual machines

Domain persistence

In this section, we will discuss various ways to achieve domain-level persistence. These techniques require high privileges, equivalent to Domain Administrator. The most obvious way to persist in a target environment is to create new accounts, or add already compromised user or computer accounts, in a highly privileged group; such changes are also the easiest to spot, so we will focus on more sophisticated techniques. We will also not discuss Group Policy abuse and targeted Kerberoasting from a persistence perspective, as the exploitation is exactly the same as in the examples from Chapter 6, only aimed at privileged accounts. The following techniques rely either on privileged but rarely changed credential material (for example, the hash of the krbtgt account) or on attribute and ACL manipulation.

Forged tickets

We will start our journey with forged tickets – the types, their creation, their usage, and OpSec recommendations on how to stay under the radar. One important theoretical...

Domain controller persistence

The domain controller in a Windows environment remains one of the key objectives for malicious actors during their campaigns. If an adversary has compromised the domain controller and established persistence, it is possible to regain domain-wide administrative privileges in a matter of minutes. Techniques in this section utilize credential manipulation and authentication mechanism alteration. At the end of this section, we will explain the concept of security descriptors and how attackers can modify them to maintain privileged access in an environment.
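The AdminSDHolder and ACL manipulation listed under Domain persistence and the security descriptor backdoors this section closes with share one shape: an ACE that grants control-equivalent rights to a principal that should not hold them. The following Python is an added example, not code from the book or from the GOADv2 lab: it parses the DACL portion of an SDDL string (the form returned by `dsacls` or by the `.Sddl` property of `Get-Acl` on an AD: path) and reports such ACEs. The SDDL below is constructed; the SIDs, the allowlist of principals expected to hold full control, and the set of rights treated as control-equivalent are assumptions to adjust per environment.

```python
import re
from dataclasses import dataclass

# SDDL two-letter rights that let the trustee take over the object or
# everything it protects: GenericAll, GenericWrite, WriteDACL, WriteOwner.
CONTROL_RIGHTS = {"GA", "GW", "WD", "WO"}
# The same rights as ACCESS_MASK bits, for ACEs written with a hex mask
# (GENERIC_ALL, GENERIC_WRITE, WRITE_DAC, WRITE_OWNER).
CONTROL_MASK = 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000
# WriteProperty / ControlAccess are control-equivalent only when not scoped
# to a single attribute or extended right (empty object GUID).
UNSCOPED_CONTROL_RIGHTS = {"WP", "CR"}
# Assumption: principals expected to hold full control on AdminSDHolder,
# written with their SDDL aliases (SYSTEM, Domain Admins, Enterprise Admins,
# Administrators). Anything else with control rights is reported.
EXPECTED_FULL_CONTROL = {"SY", "DA", "EA", "BA"}

ACE_RE = re.compile(r"\(([^()]*)\)")  # conditional ACEs (nested parentheses) are not handled


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = allow, D = deny, OA/OD = object-specific allow/deny
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str       # SDDL alias (DA, BA, ...) or full SID string


def dacl_aces(sddl: str) -> list:
    """Return the ACEs of the DACL section ("D:...") of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        return []
    body = sddl[start + 2:]
    sacl = body.find("S:")          # "S:" never occurs inside an ACE, so it delimits the SACL
    if sacl >= 0:
        body = body[:sacl]
    aces = []
    for m in ACE_RE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        aces.append(Ace(*fields[:6]))
    return aces


def is_control_equivalent(ace: Ace) -> bool:
    """True if an allow ACE grants rights that amount to control of the object."""
    if ace.ace_type not in ("A", "OA"):
        return False                 # deny and audit ACEs cannot be a backdoor
    if ace.rights.lower().startswith("0x"):
        return int(ace.rights, 16) & CONTROL_MASK != 0
    tokens = {ace.rights[i:i + 2] for i in range(0, len(ace.rights), 2)}
    if tokens & CONTROL_RIGHTS:
        return True
    return bool(tokens & UNSCOPED_CONTROL_RIGHTS) and ace.object_guid == ""


def audit_dacl(sddl: str, expected=EXPECTED_FULL_CONTROL) -> list:
    """List (trustee, rights) for control-equivalent ACEs held by unexpected principals."""
    return [(a.trustee, a.rights) for a in dacl_aces(sddl)
            if is_control_equivalent(a) and a.trustee not in expected]


# Constructed AdminSDHolder-style DACL: full control for the expected
# principals, two read-only ACEs, then three planted entries (GA, WD and a
# hex mask) for domain RIDs 1105/1106/1108, plus a deny ACE that must not
# be reported. The domain SID is made up.
FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    f"(A;;{FULL};;;SY)(A;;{FULL};;;DA)(A;;{FULL};;;EA)(A;;{FULL};;;BA)"
    "(A;;LCRPLORC;;;AU)(A;;LCRPLORC;;;RU)"
    f"(A;;GA;;;{DOMAIN}-1105)"
    f"(A;;WD;;;{DOMAIN}-1106)"
    f"(D;;GA;;;{DOMAIN}-1107)"
    f"(A;;0x000f01ff;;;{DOMAIN}-1108)"
)

if __name__ == "__main__":
    for trustee, rights in audit_dacl(SAMPLE_SDDL):
        print(f"unexpected control-equivalent ACE: {trustee} -> {rights}")
```

Scoped WriteProperty ACEs (an object GUID in the fourth field) are deliberately not reported here; whether one of those is dangerous depends on the attribute it targets (membership of a protected group, for instance), so they need a second pass against the schema rather than a blanket rule. Resolve the reported SIDs before deciding anything, since a legitimate delegation and a planted backdoor look identical at the DACL level.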

Skeleton Key

A Skeleton Key attack is a persistence method that patches the LSASS process of a domain controller in memory so that a master password chosen by the adversary is accepted for any domain user. To avoid early detection, the patched authentication path continues to accept users' real passwords as well, so no logon breaks and nobody is prompted to investigate. The patch exists only in memory and does not survive a reboot of the domain controller. For Kerberos authentication through the backdoor to work, an encryption downgrade to RC4_HMAC_MD5 is enforced...
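The RC4_HMAC_MD5 downgrade the page names is also the practical detection hook: a TGT request (Security Event ID 4768) whose TicketEncryptionType is 0x17 for an account whose msDS-SupportedEncryptionTypes says it holds AES keys. The Python below is an added example, not code from the book: it applies that heuristic to a handful of constructed 4768 records and a constructed account table. Field names follow the 4768 event XML; the account values, the IP addresses, and the decision to treat accounts with no AES keys as legitimate RC4 users are assumptions.

```python
from collections import defaultdict
from typing import Optional

# Kerberos encryption type values as logged in TicketEncryptionType (Event ID 4768).
RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}        # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
# msDS-SupportedEncryptionTypes bits meaning the account holds AES keys.
SUPPORTS_AES = 0x08 | 0x10      # AES128 (0x8) and AES256 (0x10)


def account_has_aes(supported_etypes: Optional[int]) -> bool:
    """Accounts with AES bits set should receive AES tickets. An unset or
    RC4-only value means RC4 is normal for that account (assumption: such
    accounts are legacy and are not flagged to keep the signal clean)."""
    return bool(supported_etypes) and (supported_etypes & SUPPORTS_AES) != 0


def find_rc4_downgrades(events, accounts):
    """Return 4768 records showing an RC4 TGT issued to an AES-capable account.

    events:   iterable of dicts with EventID, TargetUserName, TicketEncryptionType
              (hex string as in the event XML) and IpAddress.
    accounts: mapping sAMAccountName -> msDS-SupportedEncryptionTypes (int or None).
    Each finding also records whether the same account obtained AES tickets in
    the same window: a sudden RC4/AES mix is a stronger signal than RC4 alone.
    """
    etypes_seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768:
            etypes_seen[e["TargetUserName"]].add(int(e["TicketEncryptionType"], 16))
    findings = []
    for e in events:
        if e["EventID"] != 4768:
            continue                 # 4769 etype reflects the service key, not the user's
        user = e["TargetUserName"]
        etype = int(e["TicketEncryptionType"], 16)
        if etype == RC4_HMAC and account_has_aes(accounts.get(user)):
            findings.append({
                "user": user,
                "source": e["IpAddress"],
                "also_used_aes": bool(etypes_seen[user] & AES_TYPES),
            })
    return findings


# Constructed sample data (not real telemetry).
ACCOUNTS = {
    "alice": 0x18,        # AES128+AES256 keys: an RC4 TGT is a downgrade
    "svc_legacy": 0x04,   # RC4 only: RC4 is its normal behaviour
    "bob": None,          # attribute unset: treated as legacy, not flagged
}
EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"EventID": 4768, "TargetUserName": "bob", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.8"},
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for f in find_rc4_downgrades(EVENTS, ACCOUNTS):
        print(f"RC4 TGT for AES-capable account {f['user']} from {f['source']} "
              f"(AES also seen for this account: {f['also_used_aes']})")
```

On a real domain controller the same two inputs come from the Security log (4768 events) and from the directory (msDS-SupportedEncryptionTypes per account). Treat a hit as a lead rather than a verdict: non-Windows clients and older Kerberos libraries also request RC4, so the source address of the request is what separates a misconfigured client from an adversary using the master password.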

Summary

In conclusion, there are many ways for attackers to achieve persistence in compromised environments, either at the domain level or through access to a domain controller. We saw how powerful forged tickets are and how difficult it is to detect their usage when an adversary follows OpSec recommendations. We also explored various ACL and attribute modifications. As usual, the devil is in the details, and in a complex environment, detecting such techniques can be tricky. We saw the DCShadow and Golden gMSA attacks in practice. We dived deep into domain controller persistence, showing ways to collect clear-text passwords. Finally, we discussed security descriptors and possible ways to use them to backdoor a system.

In the following chapter, we will focus on attacking AD Certificate Services, which is a privileged target in the Windows environment.
