One of the most challenging tasks for an attacker is gaining persistence on a compromised machine. Malware was the classic way to get this done: a simple piece of malware implementing a persistence technique such as:
- Getting into the “startup folder”
- Installing a rootkit on user/system executable
- DLL search hijacking
- “Run” Registry keys
- “UserInit” Registry key
- WinLogon Events
- Scheduled Tasks
- Programs with expected naming conventions
was enough to guarantee persistence on the victim's machine. But all of these persistence techniques leave visible traces on the victim's system. Day by day, tools (MicAutoruns, RegRipper, DLLSearchOrder, etc.) and analysts have learned how to detect persistence, leaving the attacker only a few hours of activity.
During the past months attackers have discovered a new way of getting persistence without malware: the "Golden Ticket Attack", which is basically a forged Kerberos ticket-granting ticket, issued as if by the Key Distribution Center, that can be used to generate a valid Kerberos ticket for every known user!
In a nutshell, if you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate Kerberos tickets to get unauthorized access. A golden ticket attack is one in which you create a Kerberos ticket-granting ticket that is valid for 10 years, or however long you choose.
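The ten-year lifetime mentioned above is also the most visible thing a defender can check for: a domain's policy normally caps a ticket-granting ticket at 10 hours (renewable for 7 days), so a TGT that outlives that policy was not issued by the real KDC. The following added example (not code from the original post or from mimikatz) parses constructed, `klist`-style ticket listings and flags TGTs whose lifetime or renewal window exceeds the assumed domain defaults.

```python
import re
from datetime import datetime, timedelta

# Assumed domain policy (Windows Default Domain Policy values).
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample in the shape of Windows `klist` output:
# ticket #0 is a normally issued TGT, ticket #1 is valid for ten years.
SAMPLE_KLIST = """\
#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 3/12/2015 10:02:11 (local)
        End Time:   3/12/2015 20:02:11 (local)
        Renew Time: 3/19/2015 10:02:11 (local)

#1>     Client: administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 3/12/2015 10:05:00 (local)
        End Time:   3/10/2025 10:05:00 (local)
        Renew Time: 3/10/2025 10:05:00 (local)
"""

FIELD_RE = re.compile(r"^\s*(?:#\d+>)?\s*([A-Za-z][A-Za-z ]*?):\s+(.+?)\s*$", re.M)


def _parse_time(value):
    # Drop the "(local)" suffix and parse the timestamp.
    return datetime.strptime(value.split(" (")[0], TIME_FMT)


def parse_tickets(text):
    """Split a klist-style listing into one dict per ticket."""
    tickets = []
    for block in re.split(r"\n(?=#\d+>)", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        fields["start"] = _parse_time(fields["Start Time"])
        fields["end"] = _parse_time(fields["End Time"])
        fields["renew"] = _parse_time(fields["Renew Time"])
        tickets.append(fields)
    return tickets


def tgt_anomalies(ticket):
    """Return the policy violations of a TGT; other tickets are ignored."""
    reasons = []
    if not ticket["Server"].startswith("krbtgt/"):
        return reasons
    lifetime = ticket["end"] - ticket["start"]
    if lifetime > MAX_TGT_LIFETIME:
        reasons.append("lifetime %s exceeds policy %s" % (lifetime, MAX_TGT_LIFETIME))
    renewal = ticket["renew"] - ticket["start"]
    if renewal > MAX_RENEWAL:
        reasons.append("renewal window %s exceeds policy %s" % (renewal, MAX_RENEWAL))
    return reasons


def find_suspicious_tgts(text):
    """Map each client with an out-of-policy TGT to its list of reasons."""
    return {t["Client"]: tgt_anomalies(t) for t in parse_tickets(text) if tgt_anomalies(t)}
```

Run it against real `klist` output on a host to compare ticket lifetimes with your own domain's Kerberos policy instead of the defaults assumed here.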
One of the best (as far as I know) implementations of the attack is provided by mimikatz.
|mimikatz: usage example|
The tool described above, which implements this specific pass-the-hash (pass-the-ticket) attack, is publicly available and could be used by attackers to gain persistence on a target domain. Obtaining the prerequisites for this attack is not a trivial task, but it is entirely possible. A great article released by Microsoft on pass-the-hash mitigations is freely downloadable here. If you are a security manager, please invest some of your time to read it.