Wednesday, November 18, 2015

Kerberos silver tickets - unique attacker persistence

Last year there was a lot of talk about Golden Tickets in Kerberos allowing attackers to regain domain administrator if the KRBTGT account password in the domain wasn't changed.  There was less fanfare about silver tickets since they don't offer unrestricted domain access, only unrestricted access to particular service accounts on a specific machine.

However, at Rendition Infosec we have recently observed an attacker using Kerberos Silver tickets for long term access.  A silver ticket relies on compromising the credentials of a particular service account (more precisely, the password hash of that service account).  In the case we observed, the attackers used the computer account password hash to forge tickets with admin rights on the local machine.  This means that even when local admin passwords are changed, the attacker can still access the machine as admin by using the machine account password hash.

Doesn't the machine password change?
By default, the machine password should change every 30 days.  However, machine password changes are recommendations and are not enforced by the domain.  In other words, even if the domain policy says to change the password every 30 days, a machine can go for years without its password changing and it will keep operating normally.  Also, it's up to the machine itself to change its own password.

Gimme an IOC
On the machines where we observed this behavior, we saw the attackers updating a registry value to ensure that the machine password would never be updated.  At this time, we believe this to be a reliable indicator of compromise and have not observed it on machines that were not under active attack.  If you have seen this set elsewhere, please comment on the post or touch base out of band (jake at Rendition Infosec).
DisablePasswordChange = 1
Hopefully you find this useful in hunting your favorite neighborhood APT.
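As an added hunt helper (not code from the post or from Rendition Infosec), the script below runs both checks above offline against exported data: it flags computer accounts whose AD pwdLastSet is older than the 30-day default, and it flags hosts whose exported Netlogon parameters set DisablePasswordChange to a non-zero value. It assumes the value lives under the Netlogon Parameters key in HKLM (the post names only the value), that the registry data is a .reg text export, and that account data is a list of (name, pwdLastSet FILETIME) pairs; the sample inputs are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
EPOCH_DIFF_TICKS = 116444736000000000  # 1601-01-01 to 1970-01-01 in 100-ns ticks

def filetime_to_datetime(ft):
    """AD stores pwdLastSet as a FILETIME; 0 means the password was never set."""
    if ft <= 0:
        return None
    return datetime.fromtimestamp((ft - EPOCH_DIFF_TICKS) / 10_000_000, tz=timezone.utc)

def stale_machine_accounts(accounts, now, max_age_days=30):
    """Names of computer accounts whose password is older than the 30-day default."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, pwd_last_set in accounts:
        changed = filetime_to_datetime(pwd_last_set)
        if changed is None or changed < cutoff:
            stale.append(name)
    return stale

# Netlogon parameters key as written in a .reg export; DWORD values appear as dword:XXXXXXXX
NETLOGON_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]"
VALUE_RE = re.compile(r'^"DisablePasswordChange"=dword:([0-9a-fA-F]{8})$')

def password_change_disabled(reg_export):
    """True if the export sets DisablePasswordChange to non-zero under the Netlogon key."""
    in_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == NETLOGON_KEY
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m and int(m.group(1), 16) != 0:
            return True
    return False

def _ft(dt):  # helper for constructing sample data: datetime -> FILETIME
    return EPOCH_DIFF_TICKS + int(dt.timestamp()) * 10_000_000

# Constructed sample data, not from the post
SAMPLE_NOW = datetime(2015, 11, 18, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [("WS01$", _ft(SAMPLE_NOW - timedelta(days=12))),
                   ("WS02$", _ft(SAMPLE_NOW - timedelta(days=400))),
                   ("SRV03$", 0)]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"""
```

A stale pwdLastSet alone is a lead, not proof; the combination of a machine that stopped rotating its password and the registry value set is what matched the behaviour described in the post.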

1 comment:

  1. I've set that registry key before on development machines, specifically domain-joined VMs that I plan to revert at times.

    Otherwise, if I revert after the machine password is changed, I'd have to reset the machine password to be able to use that VM on the domain.

    But yes, other than that rare circumstance I've never seen or heard of people setting that reg value.
