Domain Persistence Techniques

In today’s complex cybersecurity landscape, understanding domain persistence techniques is crucial for both offensive security professionals and defenders. This comprehensive guide explores advanced methods attackers use to maintain access to compromised domains and how security teams can detect and prevent these techniques.

Understanding Domain Persistence link

Domain persistence refers to the methods and techniques used to maintain long-term access to a compromised network environment after initial exploitation. In enterprise environments, these techniques often focus on Active Directory infrastructure, as it serves as the backbone of most corporate networks.

The Importance of Understanding Persistence Mechanisms link

Security professionals need to understand persistence mechanisms for two primary reasons:

• Defensive teams must know what to look for when hunting threats
• Red teams need to understand these techniques for realistic security assessments

Common Domain Persistence Techniques link

Golden Ticket Attack link

The Golden Ticket attack is one of the most powerful persistence techniques in Active Directory environments. It involves compromising the KRBTGT account, which is used to encrypt all Kerberos tickets within a domain.

To create a Golden Ticket:

  mimikatz # kerberos::golden /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:hash /user:admin /ptt
  

This creates a ticket that grants persistent domain admin access, often remaining valid even after password changes.

Silver Ticket Attack link

Similar to Golden Tickets, Silver Tickets are forged service tickets that provide access to specific services. They’re more subtle than Golden Tickets as they target individual services rather than domain-wide access.

Example implementation:

  mimikatz # kerberos::golden /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:server.contoso.local /service:CIFS /rc4:hash /user:admin /ptt
  

Domain Controller Synchronization link

Attackers often exploit Active Directory replication mechanisms to maintain persistence. By implementing a rogue domain controller, they can:

• Capture authentication attempts
• Modify directory objects
• Maintain access even after credential changes

Security Descriptor Modification link

This technique involves modifying Access Control Lists (ACLs) on critical objects to maintain privileged access:

  Add-ObjectAcl -TargetDistinguishedName "DC=contoso,DC=local" -PrincipalSamAccountName "compromised_user" -Rights DCSync
  

Advanced Persistence Mechanisms link

Shadow Credentials link

Shadow credentials leverage certificate-based authentication to maintain persistence. This technique involves:

• Creating a new certificate
• Adding it to the msDS-KeyCredentialLink attribute
• Using the certificate for authentication

Implementation example:

  Whisker.exe add /target:username /domain:contoso.local /dc:dc01.contoso.local /path:cert.pfx
  

DCShadow link

DCShadow is a sophisticated technique that temporarily registers a computer as a domain controller to push malicious changes:

  lsadump::dcshadow /object:target_account /attribute:userAccountControl /value:...
  

Detection and Prevention Strategies link

Monitoring Critical Changes link

Implement robust monitoring for:

• Changes to privileged groups
• Modifications to security descriptors
• New service principal names
• Certificate registration events

Event Log Monitoring link

Key Windows Event IDs to monitor:

• 4662 (Directory Service Access)
• 4742 (Computer Account Changes)
• 5136 (Directory Service Changes)

Advanced Detection Methods link

Implement advanced detection mechanisms:

  # PowerShell script to detect suspicious ACL changes
Get-ADObject -Filter * -Properties nTSecurityDescriptor | Where-Object {$_.nTSecurityDescriptor.Access.IdentityReference -match "suspicious_user"}
  

Mitigation Strategies link

Privileged Access Management link

• Implement time-based privileged access
• Use Protected Users group for sensitive accounts
• Enable Privileged Access Workstations (PAW)

Technical Controls link

Implement these critical controls:

  # Enable Advanced Audit Policy
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Configure KRBTGT password rotation
New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\Rotate-KRBTGTPassword.ps1'
  

Best Practices for Domain Security link

Regular Maintenance link

• Rotate KRBTGT password regularly
• Monitor and clean up stale objects
• Implement least privilege access

Advanced Hardening link

  # Enable LDAP signing and channel binding
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\NTDS\Parameters -Name "LdapEnforceChannelBinding" -Value 2
  

Conclusion link

Understanding domain persistence techniques is crucial for both attackers and defenders. By implementing proper monitoring, detection, and prevention strategies, organizations can better protect their Active Directory environments from sophisticated persistence attacks.

Remember that security is an ongoing process, and staying updated with the latest persistence techniques and countermeasures is essential for maintaining a robust security posture.