Sunday, January 11, 2015

Getting Persistence With No Malware

One of the most challenging task for attackers is to get persistence into the hacked machine. Malware was the perfect way to get this task done: basically a simple Malware, implementing a persistence technique such as:
  • Getting into the "startup folder"
  • Installing a rootkit on user/system executable
  • DLL search hijacking
  • "Run" Registry keys
  • "UserInit" Registry key
  • WinLogon Events
  • Scheduled Tasks
  • Programs with aspected naming convention
  •  ...
was able to guarantee persistence on the victim's machine. But all these persistence techniques leave visible traces on the victims system. Day by day tools ( MicAutoruns, RegRipper, DLLSearchOrder, etc..) and analysts learned how to detect persistence giving to the attacker only few hours of activity.

During the past months attackers discovered a new way to getting persistence without Malware. The "Golden Ticket Attack" which is basically a Forged Kerberos Key Distribution Center which can be used to generate any valid Kerberos Ticket for every known users !
In a nutshell, if you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate Kerberos tickets to get unauthorized access. A golden ticket attack is one in which you create a Kerberos-generating ticket that is good for 10 years or however long you choose.
One of the best (for what I know) attack implementation is provided by mimikats.

mimikats: usage example


The described tool implementing this specific pass-the-hash (pass-the-ticket) attack is public available and could be used from attackers to gain persistence on a target domain. Obtaining the needed requirements to implement this attack is not a trivial task, but it is really possible. A great article released by Microsoft on pass-the-hash mitigations is freely downloadable here. If you are a Security Manager, please invest some of your time to read it.

No comments: