I found that the idea of using ntds.dit to find persistence was very original. First, we have to convert the provided ETL file to PCAP format. Then we extract the files carried in the SMB frames. Three files are relevant here: the SYSTEM hive, ntds.dit, and ticket.kirbi. By decrypting the ticket file, we can identify the first persistence technique, which is a diamond ticket. Afterward, we mount ntds.dit and parse it with AdTimeline to extract the Active Directory replication metadata. From the result, we discover that the Logon Script, Shadow Credentials and krbtgt delegation persistence techniques have been used.
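As an added example (not part of the original writeup, and not AdTimeline's own code), the triage below walks replication-metadata rows of the kind AdTimeline produces and flags the writes that carry the three persistence techniques named above; the row layout, the attribute-to-technique mapping and the sample rows are constructed here.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class ReplRow:
    """One attribute's replication metadata for one object (AdTimeline-style row)."""
    dn: str            # object distinguished name
    attribute: str     # LDAP attribute the metadata describes
    version: int       # originating version, bumped on every write
    changed: datetime  # last originating change time (UTC, constructed values)

# Assumed mapping of attributes to the persistence techniques they can carry.
PERSISTENCE_ATTRS = {
    "scriptPath": "Logon Script",
    "msDS-KeyCredentialLink": "Shadow Credentials",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD delegation",
}

def triage(rows, window_start):
    """Return (time, dn, attribute, version, technique) for writes inside the
    incident window to attributes that can carry persistence, oldest first."""
    findings = []
    for r in rows:
        technique = PERSISTENCE_ATTRS.get(r.attribute)
        if technique is None or r.changed < window_start:
            continue
        # RBCD configured on the krbtgt account itself is the krbtgt delegation case.
        if technique == "RBCD delegation" and r.dn.lower().startswith("cn=krbtgt,"):
            technique = "krbtgt delegation"
        findings.append((r.changed, r.dn, r.attribute, r.version, technique))
    return sorted(findings)

# Constructed sample rows; object names and timestamps are invented for this example.
WINDOW_START = datetime(2024, 3, 1)
SAMPLE_ROWS = [
    ReplRow("CN=alice,CN=Users,DC=corp,DC=local", "lastLogonTimestamp", 57, datetime(2024, 3, 2, 9, 0)),
    ReplRow("CN=alice,CN=Users,DC=corp,DC=local", "scriptPath", 1, datetime(2021, 6, 1, 8, 0)),
    ReplRow("CN=bob,CN=Users,DC=corp,DC=local", "scriptPath", 2, datetime(2024, 3, 1, 23, 14)),
    ReplRow("CN=svc-backup,CN=Users,DC=corp,DC=local", "msDS-KeyCredentialLink", 1, datetime(2024, 3, 1, 23, 20)),
    ReplRow("CN=krbtgt,CN=Users,DC=corp,DC=local", "msDS-AllowedToActOnBehalfOfOtherIdentity", 1, datetime(2024, 3, 1, 23, 31)),
]

if __name__ == "__main__":
    for when, dn, attr, ver, technique in triage(SAMPLE_ROWS, WINDOW_START):
        print(f"{when:%Y-%m-%d %H:%M}  v{ver:<3} {attr:<42} {technique:<20} {dn}")
```

Version numbers matter as much as timestamps: a scriptPath or msDS-KeyCredentialLink whose version jumped during the incident window was rewritten, even if the value now looks benign.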