https://az0th.it/tags/persistence/ Recent content in Persistence on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/kali/persistence/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/kali/persistence/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Requirement</th> <th>Detection Risk</th> </tr> </thead> <tbody> <tr> <td>DCSync</td> <td>Domain Admin or explicit replication rights</td> <td>High — replication request from non-DC</td> </tr> <tr> <td>Golden Ticket</td> <td>krbtgt NTLM + AES256 hash, domain SID</td> <td>Medium — no TGT event (4768) on DC</td> </tr> <tr> <td>Silver Ticket</td> <td>Service account NTLM hash, domain SID, SPN</td> <td>Low — no DC contact at all</td> </tr> <tr> <td>Diamond Ticket</td> <td>krbtgt AES256, valid user credentials</td> <td>Low — based on a real TGT</td> </tr> <tr> <td>NTDS.dit VSS</td> <td>Shell on DC, local admin</td> <td>High — shadow copy creation event</td> </tr> <tr> <td>DPAPI Backup Key</td> <td>Domain Admin, DC access</td> <td>Medium — LDAP/RPC request to DC</td> </tr> <tr> <td>ACL-based (DCSync rights)</td> <td>WriteDACL or GenericAll on domain root</td> <td>Low — ACL change may not alert</td> </tr> <tr> <td>Machine Account creation</td> <td>Any user with MachineAccountQuota &gt; 0</td> <td>Low</td> </tr> <tr> <td>Pass-the-Hash persistence</td> <td>Local admin hash, no domain rights needed</td> <td>Low — appears as normal auth</td> </tr> </tbody> </table> <hr> <h2 id="dcsync">DCSync</h2> <h3 id="what-it-is">What It Is</h3> <p>DCSync abuses the <strong>Directory Replication Service (DRS)</strong> protocol. Domain controllers use DRS to replicate directory data between themselves. The <code>GetNCChanges</code> function is the core RPC call used. Any account with the following rights on the domain root object can invoke this:</p> https://az0th.it/ad/windows/persistence/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/persistence/ Domain persistence techniques after AD compromise: Golden/Silver/Diamond Tickets, DCSync backdoors, AdminSDHolder, ACL abuse, WMI subscriptions, and DPAPI backup keys. https://az0th.it/ad/windows/gpo-abuse/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/gpo-abuse/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Requirement</th> <th>Effect</th> </tr> </thead> <tbody> <tr> <td>Immediate Scheduled Task</td> <td>SharpGPOAbuse</td> <td>Write on GPO</td> <td>Code exec as SYSTEM on all linked machines</td> </tr> <tr> <td>Restricted Groups</td> <td>SharpGPOAbuse</td> <td>Write on GPO</td> <td>Add attacker to local Admins</td> </tr> <tr> <td>User Rights Assignment</td> <td>SharpGPOAbuse</td> <td>Write on GPO</td> <td>Grant SeDebugPrivilege / SeImpersonatePrivilege</td> </tr> <tr> <td>Manual XML task</td> <td>PowerShell / SYSVOL write</td> <td>Write on GPO or SYSVOL</td> <td>Arbitrary command as SYSTEM</td> </tr> <tr> <td>New GPO + Link</td> <td>PowerView / RSAT</td> <td>CreateGPO right + link permission</td> <td>Full control over target OU</td> </tr> <tr> <td>GPO Delegation read</td> <td>PowerView / BloodHound</td> <td>Any domain user</td> <td>Map attack surface</td> </tr> </tbody> </table> <hr> <h2 id="gpo-fundamentals">GPO Fundamentals</h2> <p>Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on <code>gpupdate /force</code>.</p>