Domain controller persistence
The domain controller in a Windows environment remains one of the key objectives for malicious actors during their campaigns. If an adversary has compromised the domain controller and established persistence, they can regain domain-wide administrative privileges in a matter of minutes. The techniques in this section rely on credential manipulation and on altering authentication mechanisms. At the end of this section, we explain the concept of security descriptors and how attackers can modify them to maintain privileged access in an environment.
Skeleton Key
A Skeleton Key attack is a persistence method on a domain controller that sets a master password in the domain, allowing an adversary to authenticate as any domain user. To avoid early detection, the installed backdoor module also lets users continue to log in with their existing passwords. For Kerberos authentication to work, an encryption downgrade to RC4_HMAC_MD5 is enforced...
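The RC4 downgrade mentioned above is something a defender can look for. The following is an added example, not code from the original text: it parses constructed log lines modelled on Windows Security event 4768 (Kerberos TGT request) and flags accounts that normally obtain AES-encrypted TGTs but suddenly receive an RC4-HMAC (0x17) one. The key=value line format, field names as written here, and account names are constructed for the example; real events are EVTX/XML.

```python
import re

# Constructed sample records modelled on Security event 4768 (TGT request).
# Ticket Encryption Type: 0x12 = AES256-CTS-HMAC-SHA1-96, 0x11 = AES128, 0x17 = RC4-HMAC.
SAMPLE_EVENTS = [
    "EventID=4768 Account=alice Domain=CORP TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 Account=bob Domain=CORP TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 Account=alice Domain=CORP TicketEncryptionType=0x17 Status=0x0",       # AES -> RC4
    "EventID=4768 Account=svc_legacy Domain=CORP TicketEncryptionType=0x17 Status=0x0",  # legacy, expected
    "EventID=4769 Account=bob Domain=CORP TicketEncryptionType=0x17 Status=0x0",         # service ticket, ignored
]

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one constructed 'key=value' log line into a dict with typed fields."""
    fields = dict(FIELD_RE.findall(line))
    fields["EventID"] = int(fields["EventID"])
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def build_aes_baseline(lines):
    """Accounts observed obtaining AES-encrypted TGTs; in practice this baseline would
    come from historical logs or msDS-SupportedEncryptionTypes rather than one batch."""
    baseline = set()
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] == 4768 and ev["TicketEncryptionType"] in AES_TYPES:
            baseline.add(ev["Account"])
    return baseline


def find_rc4_downgrades(lines, aes_baseline):
    """Return accounts that got a successful RC4 TGT despite an AES baseline.

    Accounts outside the baseline (legacy systems that never used AES) are not
    flagged: an RC4 TGT on its own is not proof of a Skeleton Key, only a
    downgrade relative to the account's normal behaviour is worth alerting on.
    """
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] != 4768 or ev["Status"] != "0x0":
            continue
        if ev["TicketEncryptionType"] == RC4_HMAC and ev["Account"] in aes_baseline:
            flagged.append(ev["Account"])
    return flagged
```

Running `find_rc4_downgrades(SAMPLE_EVENTS, build_aes_baseline(SAMPLE_EVENTS))` on the sample returns only `alice`; the legacy service account and the 4769 service-ticket event are left alone.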