One of the most challenging task for attackers is to get persistence into the hacked machine. Malware was the perfect way to get this task done: basically a simple Malware, implementing a persistence technique such as:
  • Getting into the “startup folder”
  • Installing a rootkit on user/system executable
  • DLL search hijacking
  • “Run” Registry keys
  • “UserInit” Registry key
  • WinLogon Events
  • Scheduled Tasks
  • Programs with aspected naming convention
  • ¬†…
was able to guarantee persistence on the victim’s machine. But all these persistence techniques leave visible traces on the victims system. Day by day tools ( MicAutoruns, RegRipper, DLLSearchOrder, etc..) and analysts learned how to detect persistence giving to the attacker only few hours of activity.
During the past months attackers discovered a new way to getting persistence without Malware. The “Golden Ticket Attack” which is basically a Forged Kerberos Key Distribution Center which can be used to generate any valid Kerberos Ticket for every known users !

In a nutshell, if you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate Kerberos tickets to get unauthorized access. A golden ticket attack is one in which you create a Kerberos-generating ticket that is good for 10 years or however long you choose.

One of the best (for what I know) attack implementation is provided by mimikats.

mimikats: usage example

The described tool implementing this specific pass-the-hash (pass-the-ticket) attack is public available and could be used from attackers to gain persistence on a target domain. Obtaining the needed requirements to implement this attack is not a trivial task, but it is really possible. A great article released by Microsoft on pass-the-hash mitigations is freely downloadable here. If you are a Security Manager, please invest some of your time to read it.