How to achieve eternal persistence in an Active Directory environment - Part 1
Common Information
Type Value
UUID f7ad4d3f-af58-47ce-a964-ce90683dac93
Fingerprint a49944916ca037d5
Analysis status DONE
Considered CTI value -2
Text language
Published May 23, 2024, 10:07 a.m.
Added to db Aug. 31, 2024, 10:48 a.m.
Last updated Nov. 18, 2024, 3:30 p.m.
Headline How to achieve eternal persistence in an Active Directory environment - Part 1
Title How to achieve eternal persistence in an Active Directory environment - Part 1
Detected Hints/Tags/Attributes 49/1/13
RSS Feed
Id | Enabled | Feed title | Url | Added to db
412 | | Hunt & Hackett Blog | https://www.huntandhackett.com/blog/rss.xml | 2024-08-30 22:08
Attributes
Type | #Events | CTI Value | Attribute
Domain | 4134 | | github.com
Domain | 3 | | crypto.py
File | 1 | | useldp.exe
File | 3 | | crypto.py
Github username | 3 | | huntandhackett
Github username | 9 | | fortra
Url | 2 | | https://github.com/huntandhackett/passiveaggression
Url | 1 | | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/99ee9f39-43e8-4bba-ac3a-82e0c0e0699e
Url | 1 | | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6
Url | 1 | | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/b2f614b9-0312-421a-abed-10ee002ef780
Url | 1 | | https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/112ecc94-1cbe-41cd-b669-377402c20786
Url | 1 | | https://github.com/fortra/impacket/blob/master/impacket/crypto.py#l211
Url | 2 | | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-the-krbtgt-password