Hunting for Active Directory Persistence
SANS DFIR Summit 2022

Speaker: Thomas Diot

For a few years now, Active Directory has been the preferred target of ransomware operators, and of some APTs, to elevate privileges, maintain persistence, and execute malware at scale. In 2021, for instance, attackers had obtained privileged Active Directory access in more than 95% of the incident response engagements on large perimeters handled by CERT-W. As DFIR analysts, we are often asked to help reduce the risk of re-infection during Active Directory forest recovery. Uncovering and addressing Active Directory persistence is not an easy task, as numerous techniques can be leveraged by attackers to maintain persistence once a forest is compromised.

In this talk, we will give a brief overview of a forest recovery procedure, and focus on unveiling different means of persistence, some well-known, others less so. Following the presentation, a (markdown) checklist and an associated PowerShell toolkit, which complement existing tooling, will be publicly released.

The following Active Directory persistence techniques will be presented:

- Special privileges groups (Operators, DnsAdmins, etc.)
- ACL-based persistence on AdminSDHolder and on other objects not protected by the SDProp mechanism
- DCSync and DCShadow minimal access rights persistence
- SID history persistence
- primaryGroupId persistence
- Golden and silver ticket persistence
- Kerberos (unconstrained, constrained, and resource-based constrained) delegation persistence
- Group Policy persistence (on GPO objects and GPO files)
- ADCS and PKI related persistence (certificates, shadow credentials, User-Principal-Name / Alt-Security-Identities)

View upcoming Summits: http://www.sans.org/u/DuS

Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE