This post links to several methods by which an attacker who has held Domain Admin rights for as little as five minutes can persist administrative access to Active Directory.
While there are an infinite number of actions an attacker can perform after compromising an enterprise, there are a finite number of pathways. In this series, I attempt to bring these methods out of the darkness and describe how the escalation, exploitation, persistence, and detection work. Yes, some of these may seem obvious; despite this, many organizations still have these issues.
I presented on many of these AD persistence methods in Las Vegas at DEF CON 23 (2015) and DerbyCon V (2015) in Kentucky.
This post includes all of the “Sneaky Active Directory Persistence Tricks” posted on ADSecurity.org:
- Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)
- Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)
- Sneaky Active Directory Persistence #13: DSRMv2
- Sneaky Active Directory Persistence #14: SID History
- Sneaky Active Directory Persistence #15: AdminSDHolder
- Sneaky Active Directory Persistence #16: Computer Accounts & Domain Controller Silver Tickets
- Sneaky Active Directory Persistence #17: Group Policy
- Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting
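As an added example (not code from the ADSecurity.org posts above), the following PowerShell audit checks a domain for the indicators the linked techniques leave behind: populated sIDHistory (#14), unexpected trustees on AdminSDHolder (#15), SPNs on adminCount=1 accounts (#18), stale Domain Controller computer-account passwords that keep a DC Silver Ticket valid (#16), recently modified GPOs (#17), and the DSRM logon and Security Packages registry values on each DC (#11, #12, #13). It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain account with read access, and local administrator rights on the DCs over WinRM for the registry checks. The trustee and SSP baselines are assumptions to be tuned per forest, and the helper function name is illustrative.

```powershell
# Added example: audit for the AD persistence indicators listed above (not the original posts' code).
# Assumptions: RSAT ActiveDirectory module, read access to the domain, and WinRM admin rights on DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$script:findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Check, $Object, $Detail) {   # illustrative helper, not a built-in cmdlet
    $script:findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# #14 SID History: any user carrying a SID in sIDHistory, since a privileged SID (e.g. RID 512/519)
# grants that user the group's rights without group membership.
Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
    foreach ($sid in $_.sIDHistory) { Add-Finding 'SIDHistory' $_.SamAccountName "sIDHistory contains $sid" }
}

# #15 AdminSDHolder: trustees on the template beyond the expected default set.
# Baseline below is an assumption; compare against a known-good export of your own forest.
$nb = $domain.NetBIOSName
$expectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers"
)
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
(Get-Acl -Path "AD:\$adminSdHolder").Access |
    Where-Object { $_.IdentityReference.Value -notin $expectedTrustees } |
    ForEach-Object {
        Add-Finding 'AdminSDHolder' $_.IdentityReference.Value "$($_.AccessControlType) $($_.ActiveDirectoryRights)"
    }

# #18 SPNs on admin accounts: adminCount=1 users with an SPN can be Kerberoasted by any domain user.
Get-ADUser -LDAPFilter '(&(adminCount=1)(servicePrincipalName=*))' -Properties servicePrincipalName |
    ForEach-Object { Add-Finding 'AdminSPN' $_.SamAccountName ($_.servicePrincipalName -join '; ') }

# #16 DC computer accounts: a Silver Ticket forged with a DC's computer-account key stays valid until
# that password rotates (normally every 30 days), so an old PasswordLastSet on a DC deserves a look.
Get-ADComputer -SearchBase $domain.DomainControllersContainer -Filter * -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-45) } |
    ForEach-Object { Add-Finding 'DCPassword' $_.Name "PasswordLastSet $($_.PasswordLastSet)" }

# #17 Group Policy: GPOs changed in the last 7 days (window is an assumption; correlate with change records).
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All | Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object { Add-Finding 'GPO' $_.DisplayName "modified $($_.ModificationTime)" }
}

# #11/#13 DSRM and #12 SSP: read the LSA registry values on every DC.
$knownSsps = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudAP')  # assumed baseline
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        DsrmAdminLogonBehavior = $lsa.DsrmAdminLogonBehavior   # absent/0 = DSRM account usable only in DSRM
        SecurityPackages       = $lsa.'Security Packages'       # extra DLL names here = an added SSP
    }
} | ForEach-Object {
    if ($_.DsrmAdminLogonBehavior -ge 1) {
        Add-Finding 'DSRM' $_.PSComputerName "DsrmAdminLogonBehavior = $($_.DsrmAdminLogonBehavior)"
    }
    foreach ($pkg in @($_.SecurityPackages)) {
        if ($pkg -and $pkg -notin $knownSsps) {
            Add-Finding 'SSP' $_.PSComputerName "Security Packages contains '$pkg'"
        }
    }
}

$script:findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Every finding is a lead rather than a verdict: a migrated user legitimately keeps sIDHistory, a service account can legitimately be in Domain Admins with an SPN, and a DSRM value of 1 has an operational use. The point of running it is to compare against a baseline you recorded before the compromise window, not to treat any single hit as proof of persistence.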