Sneaky Active Directory Persistence Tricks

The content in this post links to several methods through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes.

While there are an infinite number of actions an attacker can perform after compromising an enterprise, there are a finite number of pathways. In this series, I attempt to bring these methods out of the darkness and describe how the escalation, exploitation, persistence, and detection work. Yes, some of these may seem obvious – despite this, many organizations have these issues.

I presented on many of these AD persistence methods in Las Vegas at DEF CON 23 (2015) and DerbyCon V (2015) in Kentucky.

This post includes all of the “Sneaky Active Directory Persistence Tricks” posted on


