Windows Backdoors - Active Directory DACL - Andy Robbins and Will Schroeder


This video discusses "malware-less" persistence techniques using Active Directory Discretionary Access Control List (DACL) backdoors. Maliciously crafted Access Control Entries (ACEs) can allow later compromise of the domain or of individual objects. The technique abuses native Active Directory functionality to achieve its objective: it requires no exploit, but an attacker does need the appropriate privileges to write the ACEs in the first place.

Active Directory object discretionary access control lists are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.
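Because an intentional ACE and an accidental one look identical on the object, the defensive counterpart to what the talk describes is a baseline of who holds control rights on high-value objects. The following PowerShell is an added example, not code from the talk or from the speakers' tooling; it assumes the RSAT ActiveDirectory module, read access to the objects, and that the `$expected` list reflects your own environment.

```powershell
# Added example: list non-default principals holding control rights on an AD object.
# Assumes the ActiveDirectory module (AD: drive) and read access to the object's DACL.
Import-Module ActiveDirectory

# Rights that let a principal take over the object or what it protects
$controlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite',
                 'WriteProperty', 'ExtendedRight', 'Self'

# Well-known extended-right GUIDs that deserve individual review
$sensitiveExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Principals expected to hold control rights (adjust for your environment);
# every other principal with a control right is reported for review.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'Domain Admins', 'Enterprise Admins', 'Domain Controllers'

function Get-SuspiciousAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hits   = $rights | Where-Object { $controlRights -contains $_ }
        if (-not $hits) { continue }
        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -eq $_ -or $who -like "*\$_" }) { continue }
        # An all-zero ObjectType on ExtendedRight means every extended right
        $ext = if ($ace.ObjectType -eq [guid]::Empty) { 'ALL' }
               else { $sensitiveExtendedRights[$ace.ObjectType.ToString()] }
        [pscustomobject]@{
            Object        = $DistinguishedName
            Principal     = $who
            Rights        = ($hits -join ',')
            ExtendedRight = $ext
            Inherited     = $ace.IsInherited
        }
    }
}

# Audit the domain head and AdminSDHolder, the two objects whose DACLs
# propagate control most widely.
$domainDN = (Get-ADDomain).DistinguishedName
Get-SuspiciousAce -DistinguishedName $domainDN
Get-SuspiciousAce -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDN" | Format-Table -AutoSize
```

Run it on a schedule and diff the output against a known-good baseline; a new principal appearing with WriteDacl, GenericAll or a replication extended right is the signal the talk's technique leaves behind, regardless of whether it was set on purpose.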

Andy Robbins and Will Schroeder

Reviewed by Anonymous on June 13, 2018