Persistence
Last updated
Last updated
Insomnihack 2024
Or in French - LeHack 2023:
krbtgt hash could be used to impersonate any user
It is recommended to change the password of krbtgt account twice as password history is maintained for the account
Using AES keys makes the attack more silent
From any machine connected with DC
The following security control should be implemented to mitigate a Golden Ticket:
Change the KRBTGT password every 12 months, or when the domain has been compromised or suspected to have been compromised. Changing the KRBTGT password will invalidate any existing Golden Tickets that are being used.
Whereas golden tickets are forged TGTs, silver tickets are forged service tickets (TGS) - Encrypted and signed by the hash of the service account (golden ticket is signed by the hash of krbtgt)
Using AES key is more silent
Can be use for other services: HOST, RPCSS, HTTP, etc.
Ex: HTTP With Rubeus
HOST SPN allow us to schedule a task on the target
Schedule and execute a task
The following security controls should be implemented to mitigate a Silver Ticket:
Change all computer object (including Domain Controller) passwords every 30 days. Malicious actors can establish persistence in Active Directory using a computer object’s password; ensuring all computer object passwords (including Domain Controller passwords) are changed every 30 days can mitigate this persistence technique.
Ensure computer objects are not members of privileged security groups, such as the Domain Admins security group. If malicious actors obtain a computer object’s password hash, then they gain any privileges the computer object has in the domain.
Ensure the Domain Computers security group does not have write or modify permissions to any objects in Active Directory. All computer objects are members of the Domain Computers security group. If this security group has rights over other objects, then malicious actors can use these rights to compromise other objects and potentially escalate their privileges and perform lateral movement.
Decrypt a valid TGT, make changes to it and re-encrypt it using krbtgt account
/tgtdeleg option in place of credentials in case we have access to a domain user
Patch a DC (lsass process) so that it allows access as any user with a single password
Skeleton Key is not opsec safe ad is known to caus issues with AD CS
Inject a skeleton key (password is mimikatz) on a DC.
Now, we can access any machine with a valid username and password as "mimikatz"
In case lsass is running as a protected process, we need mimidriv.sys on disk of the target DC
Very noisy in logs - Service installation (Kernel mode driver)
Modify the default key
For example, to use "S3c3rtP@ss", compute its RC4 and split it into 8 bytes stubs:
Reverse the values by 2 bytes
Prepend 0x to each and modify kiwikey array value in the code linked above
The following security controls should be implemented to mitigate Skeleton Key:
Limit access to Domain Controllers to only privileged users that require access. This reduces the number of opportunities for malicious actors to gain access to Domain Controllers.
Run the LSASS process in protected mode. This makes it more difficult to override the LSASS process, which is required for Skeleton Key to succeed.
Only use Domain Controllers for AD DS and do not install any non-security-related services or applications. This reduces the attack surface of Domain Controllers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Domain Controller.
Centrally log and analyse Domain Controller logs in a timely manner to identify malicious activity. Domain Controller logs provide a rich source of information that is important for investigating potentially malicious activity on Domain Controllers and in the domain.
Disable the Print Spooler service on Domain Controllers. For example, malicious actors have targeted the Print Spooler service on Domain Controllers as a technique to authenticate to a system they control to collect the Domain Controllers computer object password hash or TGT. Malicious actors can then use this to authenticate to the Domain Controller they coerced and gain administrative access.
There is a local admin "Administrator" on every DC whose password is DSRM. DSRM password is required when a server is promoted to DC and it is rarely changed
Dump DSRM password - DA privileges needed
Compare the Administrator hash with the Administrator hash of below command
Logon Behavior for the DSM account needs to be changed before passing the hash
or
Pass the hash
To use PSRemoting, we must force NTLM authentication:
Security Support Provider is a DLL which provides ways for an application to obtain an authenticated session. Ex: NTLM, Kerberos, Wdigest, CredSSP
Mimikatz mimilib.dll is a custom SSP that logs local logons, service account and machine account passwords in clear text on the target server
All local logons on the DC are logged to C:\Windows\system32\mimilsa.log or C:\Windows\system32\kiwissp.log
Drop mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
Inject into lsass
Not stable with Server 2019 and Server 2022
Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder and any differences are overwritten on the object ACL
Account Operators
Can modify DA/EA/BA groups. Can modify nested groups within these groups
Backup Operators
Backup GPO, edit to add SID of controlled account to a privileged group and Restore
Server Operators
Run a command as system (using the disabled Browser service)
Print Operators
Copy ntd.dit backup, load device drivers
With DA privs, AdminSDHolder can be used as a backdoor/persistence mechanisme by adding a user with Full Permissions to the AdminSDHolder object
For pre-Server 2008:
FullControl
PowerView
AD Module
PowerView
AD Module
With DA privs, the ACL for the domain root can be modified to provide rights like FullControl or the ability to run DCSync
Add FullControl rights:
https://github.com/samratashok/RACE
Add rights for DCSync:
https://github.com/samratashok/RACE
Modify Security Descriptors of multiple remote access methods to allow access to non-admin users. Admin privs are required
On local machine for user1
On remote machine for user1 without explicit credentials
On remote machine with explicit credentials
On remote machine remove permissions
Not stable after August 2020 patches
On local machine for user1
On remote machine for user1 without explicit credentials
On remote machine, remove permissions
With DAMP
As user1, retrieve machine account hash
Retrieve local account hash
Retrieve domain cached credentials
SeEnableDelegationPrivilege on the DC and full rights on the target user - default for Domain Admins and Enterprise Admins
To effectively change the KRBTGT user object’s password hash, and invalidate any Golden Tickets, the KRBTGT password must be reset twice. This is because both the new and old KRBTGT passwords are stored by Domain Controllers such that authentication in the domain is not disrupted during a KRBTGT password change. When resetting the KRBTGT password, it is important to ensure that sufficient time is allowed between password resets to ensure the new password has had time to replicate to all Domain Controllers. For more information, see Microsoft’s and to assist with resetting the KRBTGT password.
List of SPN:
Create User objects with SPNs as . gMSAs have automatic password rotation, a 120-character password and simplified SPN management. These security features protect the password from being cracked, reducing the likelihood of a successful Silver Ticket. However, if creating user objects with SPNs as gMSAs is not feasible, set a minimum 30-character password that is unique, unpredictable and managed is set.
Restrict privileged access pathways to Domain Controllers to jump servers and secure admin workstations using only the ports and services that are required for administration. Domain Controllers are classified as ‘Tier 0’ assets within Microsoft’s ‘’.
Implement Microsoft’s . Restricting known malicious or vulnerable drivers on Domain Controllers makes it more difficult for malicious actors to bypass LSASS protection.
Restrict driver execution to an approved set. Restricting the drivers that can be loaded on Domain Controllers to an approved set hardens it against attempts to bypass LSASS protection. This can be achieved through application control solutions, including Microsoft’s .
With RACE toolkit:
Get machine account hash for
