Persistence (Part 1)
Overview
Deploying persistence by a penetration tester is important during penetration testing assessment. Hence, implementing persistence throughout the AD compromise process, the tester can ensure that his access cannot easily be revoked by the blue team.
Credentials
It is one of the most common but least reliable persistence techniques. DC sync is a process in which AD DC exchange updates and replicate data with each other. Each DC runs a Knowledge Consistency Checker (KCC) that generates a replication topology for the AD forest. Also, it automatically connects to other domain controllers via Remote Procedure Calls (RPC) to synchronize information. It contains updated information like the user's new password and new objects such as when a new user is created. DC sync attack is very popular. If the penetration tester has access to an account that has domain replication permissions, he can stage a DC Sync attack to harvest credentials from a DC.
Tickets
Golden Ticket
AD environments are the target of golden ticket attacks, a subset of advanced persistent threat (APT) attacks. By generating a fake Kerberos ticket, a penetration tester can utilize them to enter a domain without authorization and stay active on the network. A ticket for Kerberos is a digital token that a DC issues to a user or service account so they can use it to log in and access domain resources. Golden tickets are used to authenticate users in an AD environment by taking advantage of the way Kerberos tickets are issued.
After obtaining the golden ticket, the penetration tester can use it to authenticate as any user inside the domain and gain access to all resources, including private information and vital systems, that the account is permitted to access. This can allow the attacker to remain undetected while moving laterally around the network, exfiltrating data or delivering malicious payloads. Since golden tickets look just like real Kerberos tickets, they can be challenging to identify.
Silver Ticket
Similar to golden tickets, silver tickets are a kind of APT assault. A penetration tester can generate a fake Kerberos service ticket called a "silver ticket" by utilizing the encryption key, service account name, and Service Principal Name (SPN) from a compromised service account. Using this knowledge, the penetration tester can fabricate a new service ticket with fictitious data that appears just like a genuine service ticket.
After obtaining the silver ticket, the penetration tester can use it to access any resources that the service account is permitted to access and authenticate to a particular service, such as a file server, web server, or terminal server. This will allow him to navigate the network laterally while staying undetected. Silver tickets are also hard to identify.
Certificates
The penetration tester requires a valid certificate for client authentication. It will allow him to use the certificate to request a TGT. This way he can continue to order TGTs irrespective of the number of rotations they do on the account being attacked. He can only be kicked out if he himself revoke the certificate he generated or it expires. This means, he will have persistent access for roughly next 5 years, by default.
Stealing the private key of the root CA's certificate is another way to generate certificates on demand. Since these certificates are not issued by the CA, the blue team cannot revoke them. This will mean the rotation of CA, i.e., all the issued certificates should be revoked to kick the penetration tester out.
These techniques are incredibly invasive and hard to remove. Even the penetration tester has to signoff on his red team exercise to perform these techniques. Mostly, the red team exercise will be dechained instead of using them. Hence, most likely these persistence techniques are not to be performed but rather simulated.
Conclusion
This part talks about the various persistence techniques and usages.
Comments
Post a Comment