What is the final impact of this kill-chain?

The final step lands on Dump NTDS.dit (krbtgt + all hashes) (T1003.003), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 7 steps · 6 edges

Approved

Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder

Once Domain Admin is achieved, plant layered persistence so a krbtgt rotation, password resets, and ACL clean-up do not all evict the attacker.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Domain Admin obtained

T1078 · Valid Accounts

Credential Access

Forge Golden Ticket

T1558.001 · Golden Ticket

mimikatz kerberos::golden /user:Administrator /domain:<dom> /sid:<sid> /krbtgt:<hash> /ptt

Defense Evasion

Skeleton Key (volatile)

AD-SKEL · Skeleton Key

In-memory LSASS patch — survives until DC reboot.

Persistence

DCShadow injection

AD-DCSHADOW · DCShadow

Inject arbitrary changes via legitimate replication, bypassing classic auditing.

Persistence

AdminSDHolder ACL backdoor

AD-ADMINSDHOLDER · AdminSDHolder Abuse

Add a stealth ACE; SDPROP re-propagates it every 60 minutes.

Persistence

DACL backdoors on high-value objects

AD-ACL-PERSIST · DACL Backdoor on Domain Object

Credential Access

Dump NTDS.dit (krbtgt + all hashes)

T1003.003 · NTDS

§ Context

Assumed environment: attacker has DA-equivalent rights and can write to the Configuration partition (DCShadow) and Schema partition (rare but possible).

§ Steps

01
Domain Admin obtainedInitial Access
T1078— Valid Accounts
02
Forge Golden TicketCredential Access
T1558.001— Golden Ticket
mimikatz kerberos::golden /user:Administrator /domain:<dom> /sid:<sid> /krbtgt:<hash> /ptt
03
Skeleton Key (volatile)Defense Evasion
AD-SKEL— Skeleton Key
In-memory LSASS patch — survives until DC reboot.
04
DCShadow injectionPersistence
AD-DCSHADOW— DCShadow
Inject arbitrary changes via legitimate replication, bypassing classic auditing.
05
AdminSDHolder ACL backdoorPersistence
AD-ADMINSDHOLDER— AdminSDHolder Abuse
Add a stealth ACE; SDPROP re-propagates it every 60 minutes.
06
DACL backdoors on high-value objectsPersistence
AD-ACL-PERSIST— DACL Backdoor on Domain Object
07
Dump NTDS.dit (krbtgt + all hashes)Credential Access
T1003.003— NTDS

§ References

T1078Valid Accounts
T1558.001Golden Ticket
T1003.003NTDS

§ Frequently asked

What is the "Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder" attack path?: Once Domain Admin is achieved, plant layered persistence so a krbtgt rotation, password resets, and ACL clean-up do not all evict the attacker. It chains 7 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Domain Admin obtained (T1078) — a initial access primitive. Assumed environment: attacker has DA-equivalent rights and can write to the Configuration partition (DCShadow) and Schema partition (rare but possible).
What is the final impact of this kill-chain?: The final step lands on Dump NTDS.dit (krbtgt + all hashes) (T1003.003), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Cross-trust attack: child → parent forest via SID History

DnsAdmins membership → SYSTEM on the DC

RODC compromise → cracked NT hashes of revealed accounts