Persistence is one of the most critical tactics in the MITRE ATT&CK framework. Once an attacker gains access, they want to make sure they can come back: quietly, reliably, and with power. MITRE defines TA0003 Persistence as “any access, mechanism, or configuration that allows an adversary to maintain their foothold in a system or network.” That is a good starting definition, but I think ATT&CK misses an important distinction between the two major subtypes of persistence:
- Execution persistence. This borrows from a different tactic, TA0002 Execution, but makes it durable. Gaining ephemeral execution once through an email attachment does not mean the attacker's script or other malware will keep running. Common examples of execution persistence include scheduled tasks, service installs, and registry hijacks that cause a command to be re-executed with some regularity, such as at every boot or logon.
- Privileged access persistence. An attacker may gain privileged access directly, through Initial Access against a privileged user, through lateral movement to a privileged account, or through Privilege Escalation. But that privilege may also be ephemeral: it can be lost for all kinds of reasons, especially if the attacker performs actions that look suspicious for the compromised account. Privileged access persistence means the attacker can come back with the keys to the kingdom, for example through a new account that flies under the radar.
An attacker often needs both types, but in this webinar we'll focus on persistent privileged access, specifically in Active Directory. We'll explore three powerful techniques attackers use to entrench themselves in AD:
- AdminSDHolder Abuse
  - Abuses the AdminSDHolder template: the SDProp process copies its ACL onto every protected (adminCount=1) account and group, so an ACE added to the template propagates to all of them.
  - Grants backdoor access that SDProp re-applies every 60 minutes by default, even if defenders reset the permissions on the individual protected accounts.
- SIDHistory Injection
  - Abuses the sIDHistory attribute, a legacy domain-migration feature, to attach privileged SIDs to a low-privilege account.
  - Grants stealthy access to resources as if the account held those SIDs, without changing any group membership.
- DCShadow
  - Uses the directory replication APIs to push unauthorized changes directly into AD.
  - Sidesteps the change auditing on legitimate domain controllers by registering a rogue DC and delivering the changes through replication rather than an LDAP write.
These techniques all require privileged access to begin with, but that doesn't make them irrelevant:
- You might miss the attacker’s initial compromise.
- But you don’t want to miss their attempt to gain persistence.
- Catching persistence is often your second chance to detect and disrupt the breach.
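As an added example (my own code, not from the webinar and not Cayosoft's tooling), the following PowerShell script hunts a domain for the three persistence artifacts listed above: write-capable ACEs on AdminSDHolder, sIDHistory values that could not have come from a legitimate migration, and DCShadow traces (an nTDSDSA object for a server that is not a known DC, plus 4742 events in which a non-DC computer account gained the DRS replication SPN). It assumes the RSAT ActiveDirectory module, read access to the domain and Configuration partitions, and rights to read the Security log on each DC; the AdminSDHolder principal baseline and the seven-day look-back window are assumptions to tune for your forest.

```powershell
# Added example, not part of the webinar: point-in-time hunt for the three AD
# persistence artifacts described above. Needs the RSAT ActiveDirectory module,
# domain read access and (for the event hunt) Event Log Readers on the DCs.
# Everything marked "assumption" should be tuned to the forest being audited.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
$dcNames   = foreach ($d in (Get-ADForest).Domains) { (Get-ADDomainController -Filter * -Server $d).Name }
$findings  = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Principal, $Detail) {
    $findings.Add([pscustomobject]@{ Finding = $Type; Principal = $Principal; Detail = $Detail })
}

# 1. AdminSDHolder: SDProp stamps this object's ACL onto every protected account
#    (every 60 minutes by default). A write-capable Allow ACE for a principal
#    outside the default set is a candidate backdoor. Baseline is an assumption;
#    in a child domain Enterprise Admins resolves under the forest root name.
$nb = $domain.NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins",
              "$nb\Enterprise Admins", "$nb\Cert Publishers", "$nb\Terminal Server License Servers")
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        (($ace.ActiveDirectoryRights -band $writeMask) -ne 0) -and
        ($expected -notcontains $ace.IdentityReference.Value)) {
        Add-Finding 'AdminSDHolder write ACE' $ace.IdentityReference.Value $ace.ActiveDirectoryRights
    }
}

# 2. sIDHistory: a legitimate migration only carries SIDs from *another* domain, so
#    an entry under this domain's own SID is injected. A well-known privileged RID
#    (512 Domain Admins, 519 Enterprise Admins, 518 Schema Admins, 544 Administrators)
#    from any domain deserves a look regardless of origin.
$privRids = '512', '519', '518', '544'
foreach ($obj in (Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory)) {
    foreach ($h in $obj.sIDHistory) {
        # the AD module normally returns SecurityIdentifier objects; handle raw bytes too
        $sid = if ($h -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($h, 0)).Value } else { [string]$h }
        if ($sid.StartsWith("$domainSid-") -or ($privRids -contains $sid.Split('-')[-1])) {
            Add-Finding 'Suspicious sIDHistory' $obj.DistinguishedName $sid
        }
    }
}

# 3. DCShadow: the rogue DC registers an nTDSDSA object under CN=Sites and adds the
#    DRS replication SPN (class GUID below) to an ordinary computer account. Both are
#    usually removed again after the push, so check current state *and* 4742 events
#    (Audit Computer Account Management must be enabled on the DCs).
$configDn = (Get-ADRootDSE).configurationNamingContext
foreach ($ntds in (Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configDn")) {
    # DN is CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...; the server CN is the DC host name
    $serverDn   = ($ntds.DistinguishedName -split ',', 2)[1]
    $serverName = ($serverDn -split ',')[0] -replace '^CN=', ''
    if ($dcNames -notcontains $serverName) { Add-Finding 'nTDSDSA for unknown DC' $serverDn $ntds.DistinguishedName }
}
$drsSpn = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'
$since  = (Get-Date).AddDays(-7)   # assumption: look-back window
foreach ($dc in $dcNames) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4742; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $target = $data['TargetUserName'] -replace '\$$', ''
        if (($data['ServicePrincipalNames'] -match $drsSpn) -and ($dcNames -notcontains $target)) {
            Add-Finding 'DRS SPN on non-DC account (DCShadow?)' $data['TargetUserName'] "$dc record $($e.RecordId) at $($e.TimeCreated)"
        }
    }
}

$findings | Sort-Object Finding | Format-Table -AutoSize
```

Treat every row as a lead rather than proof: Cert Publishers and Terminal Server License Servers hold narrow WriteProperty rights on AdminSDHolder by default, cross-forest migrations legitimately populate sIDHistory, and a freshly promoted DC will briefly look like an unknown nTDSDSA until the DC list is refreshed. The value of running this on a schedule is the diff between runs, which is exactly the real-time change tracking the rest of this session is about.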
We’ll break down each method with:
- Technical deep dives
- Real-world examples
- Detection strategies
- Defensive architecture tips
These attacks can be difficult to detect, especially on a timely basis, which is where our sponsor, Cayosoft, comes in. Craig Birch, a Principal Security Engineer at Cayosoft, will show you how you can mitigate these threats in real time.
Unless you had budget for a monitoring solution, detecting threats like this used to mean collecting all the security logs from your domain controllers yourself, then filtering, alerting and reporting on them. So I’m excited that Cayosoft has just released a new free-forever version of their Guardian technology, Guardian Protector. Protector does all of that work for you and provides real-time monitoring and notification of AD changes as well as regularly updated AD threat monitoring. It requires only minimal read-only permissions and tells you the Who, What, When and Where of AD changes, and of Entra ID and core Microsoft 365 app changes as well.
Please join us for this Real Training for Free session.