It's The Only Way To Be Sure: Obtaining and Detecting Domain Persistence presented at Defcon 2015

by Grant Bugher

Summary: When a Windows domain is compromised, an attacker has several options to create backdoors, obscure his tracks, and make his access difficult to detect and remove. In this talk, I discuss ways that an attacker who has obtained domain administrator privileges can extend, persist, and maintain control, as well as how a forensic examiner or incident responder could detect these activities and root out an attacker.