Advanced · T1098

AD Persistence Techniques

After achieving domain compromise, attackers embed themselves so deeply that even a password reset across the entire domain may not be enough to evict them.

Once an attacker has gained control of an Active Directory domain — typically through a DCSync attack to harvest all password hashes — their next priority is making sure they can get back in even if the defenders discover the breach. AD persistence techniques are methods for maintaining long-term access. These include forging Kerberos tickets (Golden Tickets), modifying security settings that automatically re-grant admin access (AdminSDHolder), injecting hidden privileges into user accounts (SID History), planting master passwords on Domain Controllers (Skeleton Key), and registering rogue Domain Controllers that push malicious changes (DCShadow). A thorough attacker might deploy five or more persistence methods simultaneously.

Imagine a spy infiltrates a country's government. Before they could be discovered, they plant sleeper agents in ten different departments, hide copies of the master key in multiple safe deposit boxes, and bribe officials to ensure their agents keep getting promotions. Even if the spy is caught, the network persists. AD persistence works the same way: attackers implant multiple independent backdoors throughout Active Directory so that even if one is found, others survive.

Key Takeaways

  1. Sophisticated attackers deploy multiple persistence techniques simultaneously to survive remediation.
  2. AdminSDHolder modification is one of the stealthiest — it silently re-grants admin rights every 60 minutes.
  3. SID History injection hides Domain Admin privileges inside a normal-looking user account.
  4. DCShadow pushes malicious changes via replication, bypassing standard audit logging.
  5. Shadow Credentials (msDS-KeyCredentialLink modification) provides stealthy persistence by allowing PKINIT-based authentication without changing passwords.
  6. Full AD recovery after compromise requires changing KRBTGT (twice), auditing all ACLs, checking SID History, KeyCredentialLink entries, and rebuilding DCs.

Why Should I Care?

Persistence is what separates a temporary intrusion from a permanent one. Understanding these techniques is critical for both red teamers who need to maintain access and blue teamers who need to ensure complete eviction after a breach.

Defense Recommendations

Comprehensive AD recovery requires KRBTGT rotation, ACL auditing, SID History cleanup, DC rebuilds, and continuous monitoring of privileged object changes.

  1. Rotate the KRBTGT password twice (12-24 hour gap) to invalidate all Golden Tickets.
  2. Audit the AdminSDHolder ACL: (Get-Acl "AD:\CN=AdminSDHolder,CN=System,DC=corp,DC=local").Access — remove any unexpected ACEs.
  3. Scan for SID History anomalies: Get-ADUser -Filter {sidHistory -like "*"} -Properties sidHistory | Where-Object { $_.sidHistory.Count -gt 0 }.
  4. Audit all GPOs for unexpected scheduled tasks, scripts, or registry modifications.
  5. Rebuild DCs from clean media rather than trying to clean compromised ones — Skeleton Key and DCShadow leave no persistent artifacts on disk.
  6. Audit and rotate the CA private key if AD CS was in scope during the compromise.
  7. Reset DSRM passwords on all DCs and verify DsrmAdminLogonBehavior is set to 0.
  8. Deploy continuous monitoring for Event IDs 5136 (object modifications), 4929 (replication), 4765/4766 (SID History), and 7045 (new services).
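As an added example (not code from the original page), the triage logic below turns step 8 into concrete detections: it reads event records shaped like the EventData of the cited Windows events and flags AdminSDHolder and msDS-KeyCredentialLink modifications, SID History writes, replication from an unknown DC (it also covers 4928, the paired "established" event, which the page does not list) and services installed from odd paths. Field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, SourceDRA, ImagePath), the known-DC list and the sample events are assumptions I constructed for the demonstration.

```python
import re

# Added example, not code from the original page. Field names follow the EventData
# of the cited Windows events as I know them (assumption: verify against your logs).
WATCHED_ATTRS = {"ntSecurityDescriptor": "ACL change",
                 "msDS-KeyCredentialLink": "Shadow Credentials",
                 "sIDHistory": "SID History write"}
ADMINSDHOLDER = re.compile(r"^CN=AdminSDHolder,CN=System,", re.I)
DSA_HOST = re.compile(r"CN=NTDS Settings,CN=([^,]+)", re.I)  # host part of a DSA DN

def triage(events, known_dcs):
    """Return (severity, detail) findings for the persistence-related event IDs."""
    dcs = {d.upper() for d in known_dcs}
    findings = []
    for ev in events:
        eid, who = ev.get("EventID"), ev.get("SubjectUserName", "?")
        if eid == 5136:  # directory object modified
            attr, dn = ev.get("AttributeLDAPDisplayName", ""), ev.get("ObjectDN", "")
            if ADMINSDHOLDER.match(dn):
                findings.append(("high", f"AdminSDHolder {attr} changed by {who}"))
            elif attr in WATCHED_ATTRS:
                findings.append(("high", f"{WATCHED_ATTRS[attr]} on {dn} by {who}"))
        elif eid in (4765, 4766):  # SID History added / add attempt failed
            verb = "added to" if eid == 4765 else "attempted on"
            findings.append(("high", f"SID History {verb} {ev.get('TargetUserName')} by {who}"))
        elif eid in (4928, 4929):  # replica source naming context established / removed
            m = DSA_HOST.match(ev.get("SourceDRA", ""))
            src = (m.group(1) if m else "unknown").upper()
            if src not in dcs:
                findings.append(("critical", f"replication partner {src} is not a known DC (DCShadow?)"))
        elif eid == 7045:  # new service installed (System log)
            path = ev.get("ImagePath", "").lower()
            if any(t in path for t in ("\\temp\\", "\\users\\", "powershell", "rundll32")):
                findings.append(("medium", f"new service {ev.get('ServiceName')} runs from {path}"))
    return findings

SAMPLE_EVENTS = [  # constructed records for the demonstration
    {"EventID": 5136, "SubjectUserName": "jdoe", "AttributeLDAPDisplayName": "ntSecurityDescriptor",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "svc_backup", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "hr_admin", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=Alice,OU=Users,DC=corp,DC=local"},
    {"EventID": 4765, "SubjectUserName": "jdoe", "TargetUserName": "helpdesk7"},
    {"EventID": 4929, "SourceDRA": "CN=NTDS Settings,CN=WS-ROGUE,CN=Servers,CN=Site1,DC=corp,DC=local"},
    {"EventID": 7045, "ServiceName": "Updater", "ImagePath": "C:\\Windows\\Temp\\u.exe"},
]
KNOWN_DCS = ["DC01", "DC02"]  # constructed inventory of legitimate domain controllers
```

Running triage(SAMPLE_EVENTS, KNOWN_DCS) yields five findings; the benign description change on Alice produces none.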
Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.