Domain Persistence and Control
Golden Ticket attacks forge Kerberos Ticket Granting Tickets (TGTs) that provide domain-wide access. With the krbtgt account hash, attackers create tickets for any user, including non-existent accounts. Golden tickets survive password changes (other than a reset of krbtgt itself) and provide persistent domain access. While powerful, golden tickets require careful crafting to avoid detection through anomaly analysis.
Silver Tickets forge service tickets for specific resources without contacting domain controllers. Using service account hashes, attackers create tickets that grant access to individual services. Silver tickets provide stealthier persistence than golden tickets by avoiding DC communication. Common targets include CIFS for file access, HOST for scheduled tasks, and HTTP for web services.
DCShadow attacks temporarily register rogue domain controllers to inject changes directly into AD. This advanced technique modifies AD objects, including adding users to privileged groups or changing passwords. DCShadow requires high privileges but provides stealthy modifications that appear as legitimate replication. Understanding DCShadow demonstrates advanced AD internals knowledge.
ACL abuse leverages AD permissions for persistence and privilege escalation. Excessive permissions like GenericAll, WriteDACL, or WriteOwner enable object manipulation. Adding users to groups, resetting passwords, or granting additional permissions maintains access. These modifications often survive incident response focusing on malware removal rather than permission auditing.
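The permission auditing this paragraph calls for can be scripted. The following is an added example, not code from the page: it flags the three control-granting rights named above held by unexpected trustees and follows them through groups (controlling a group lets the holder join it and inherit its rights). The CONTOSO principals, distinguished names and ACE list are constructed.

```python
"""Audit AD DACL entries for rights that let a trustee take control of an object.
Added example with a constructed ACE list and made-up CONTOSO names; feed it rows from an ACL export."""
from dataclasses import dataclass

# GenericAll = full control; WriteDACL = can grant self GenericAll;
# WriteOwner = can take ownership, then rewrite the DACL. Compared case-insensitively.
CONTROL_RIGHTS = {"genericall", "writedacl", "writeowner"}
# Principals expected to control privileged objects (assumption: tailor per domain).
EXPECTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CONTOSO\\Domain Admins"}

@dataclass(frozen=True)
class Ace:
    obj: str            # distinguished name of the secured object
    trustee: str        # principal the entry applies to
    rights: frozenset   # ActiveDirectoryRights names
    allow: bool = True  # False for a Deny entry

def find_control_aces(aces, expected=EXPECTED):
    """(object, trustee, right) for each trustee outside `expected` holding a control right."""
    out = []
    for a in aces:
        if a.allow and a.trustee not in expected:
            out += [(a.obj, a.trustee, r) for r in sorted(a.rights) if r.lower() in CONTROL_RIGHTS]
    return out

def control_reach(aces, group_of, expected=EXPECTED):
    """Map each unexpected trustee to every object it can eventually take over via group chains."""
    direct = {}
    for obj, trustee, _ in find_control_aces(aces, expected=set()):
        direct.setdefault(trustee, set()).add(obj)
    reach = {}
    for start in (t for t in direct if t not in expected):
        seen, todo = set(), [start]
        while todo:
            for obj in direct.get(todo.pop(), ()):
                if obj not in seen:
                    seen.add(obj)
                    if obj in group_of:            # step into the controlled group
                        todo.append(group_of[obj])
        reach[start] = seen
    return reach

DA = "CN=Domain Admins,CN=Users,DC=contoso,DC=local"
SO = "CN=Server Ops,CN=Users,DC=contoso,DC=local"
SAMPLE_GROUPS = {DA: "CONTOSO\\Domain Admins", SO: "CONTOSO\\Server Ops"}  # group DN -> principal
SAMPLE_ACES = [  # constructed sample
    Ace(DA, "CONTOSO\\Domain Admins", frozenset({"GenericAll"})),
    Ace(DA, "CONTOSO\\Server Ops", frozenset({"WriteOwner", "ReadProperty"})),
    Ace(SO, "CONTOSO\\jdoe", frozenset({"WriteDacl"})),
    Ace(SO, "CONTOSO\\jdoe", frozenset({"GenericAll"}), allow=False),  # Deny never grants
]
```

On the sample, `control_reach(SAMPLE_ACES, SAMPLE_GROUPS)` shows that jdoe, who holds only WriteDACL on an ordinary group, can reach Domain Admins through that group's WriteOwner entry.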