ATT&CK for Enterprise – TA0003 Persistence
Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK®
“Persistence” in cybersecurity refers to tactic employed by attackers to maintain unauthorized access to a compromised system, even in the face of potential disruptions like system restarts or credential changes. These techniques include altering or replacing legitimate code, adding malicious programs to startup processes, creating or compromising user accounts, setting up scheduled tasks, and exploiting system vulnerabilities, often with the use of rootkits. These methods are stealthy and designed to blend with normal system operations, posing a significant challenge to defenders. This blog will explore and categorize specific alerts from Persistence and privilege escalation alerts documentation.
| External ID | Name | Sev. | Description |
| 2009 | Suspected Golden Ticket usage (encryption downgrade) | Medium | Encryption Downgrade Concept: The attack involves downgrading the encryption level in various fields of the Kerberos protocol, which are typically protected by high-level encryption. This reduction in encryption strength makes these fields more susceptible to offline brute force attacks. Use of Weak Encryption Ciphers: Attackers exploit vulnerabilities by using weak Kerberos encryption ciphers. These weaker ciphers are easier to crack compared to the standard, more secure encryption methods. Detection by Defender for Identity: Microsoft’s Defender for Identity monitors the Kerberos encryption types used by computers and users. It raises an alert when a weaker, unusual cipher is used for a particular computer or user, matching patterns known to be used in attacks. Golden Ticket Alert Specifics: In the context of a Golden Ticket attack, the alert is triggered when there’s a noticeable downgrade in the encryption method of the TGT (Ticket Granting Ticket) field within the TGS_REQ (Ticket Granting Service Request) message. This change is compared to previously observed behaviors of the source computer. Unlike other Golden Ticket detections, this alert is not based on time anomalies but on the encryption downgrade itself. The alert is particularly significant because there was no associated Kerberos authentication request with the previous service request, as detected by Defender for Identity. Learning Period: The system has a learning period of 5 days from the start of monitoring the domain controller. During this time, it establishes a baseline of normal encryption behavior for users and computers in the network. |
| 2027 | Suspected Golden Ticket usage (nonexistent account) | High | Compromise of KRBTGT Account: Attackers first gain domain admin rights, allowing them to compromise the KRBTGT account. The KRBTGT account is a built-in account in Active Directory, responsible for encrypting and signing all Ticket Granting Tickets (TGTs) within the domain. Creation of a Golden Ticket: Once the KRBTGT account is compromised, attackers can create a TGT that appears legitimate but is actually fraudulent. This TGT, known as a “Golden Ticket,” can be configured with authorization to access any resource within the network. Attackers can set the expiration of this fake TGT to an arbitrary time, often far into the future, to maintain long-term access. Network Persistence: The use of a Golden Ticket allows attackers to maintain persistent access to network resources. They can authenticate as any user, access services, and extract sensitive information, all without being easily detected. Detection via Nonexistent Account: In this specific detection scenario, an alert is triggered by the use of a nonexistent account. This means the attacker is using a Golden Ticket associated with an account that does not actually exist in the Active Directory. This anomaly helps in identifying the malicious activity. |
| 2032 | Suspected Golden Ticket usage (ticket anomaly) | High | Detection of Anomalies: This specific detection focuses on identifying unique characteristics of forged Golden Tickets. These anomalies in the tickets themselves are what set off the alerts, as they differ from legitimate Kerberos tickets in terms of their structure, behavior, or other attributes. |
| 2040 | Suspected Golden Ticket usage (ticket anomaly using RBCD) | High | Use of Resource-Based Constrained Delegation (RBCD) ①: In this specific attack, the Golden Ticket is created by abusing Resource-Based Constrained Delegation (RBCD) permissions. RBCD is a legitimate feature in Active Directory that allows a service (or computer account) to delegate its access rights to another account. Attackers set RBCD permissions using the KRBTGT account for an account (user or computer) with a Service Principal Name (SPN), which then facilitates the creation of a Golden Ticket. Achieving Network Persistence: The Golden Ticket, especially when combined with RBCD manipulation, enables attackers to maintain persistent access to network resources, effectively bypassing standard authentication and authorization controls. |
| 2022 | Suspected Golden Ticket usage (time anomaly) | High | Triggering the Alert: The alert for suspected Golden Ticket usage is triggered when a TGT is used beyond the maximum lifetime set for user tickets in the domain’s policy. This time anomaly is a key indicator of a potential Golden Ticket attack, as legitimate TGTs would adhere to the domain’s configured ticket lifetimes. |
| 2010 | Suspected skeleton key attack (encryption downgrade) | Medium | Skeleton Key Malware: The Skeleton Key is a type of malware that infiltrates domain controllers. It allows attackers to authenticate with any account within the domain without needing to know the account’s password. This malware often resorts to using weaker encryption algorithms for hashing user passwords on the domain controller, making it easier for attackers to compromise accounts. Detection and Alert: The alert for this attack is triggered when there’s a noticeable downgrade in the encryption method of KRB_ERR (could be Etype error, by using weaker RC4) messages (error messages from the domain controller to the account requesting a ticket) compared to previously observed behavior. |
| 2024 | Suspicious additions to sensitive groups | Medium | Attack Strategy: The core of this attack involves unauthorized users being added to highly privileged groups in Active Directory. Privileged groups like Domain Admins, Enterprise Admins, or Schema Admins have extensive permissions across the network. By adding users to these groups, attackers gain elevated privileges, allowing them to access more resources and potentially control critical aspects of the IT environment. Objective of Attackers: The primary goals are to expand their access within the network and create persistent footholds. This can facilitate further malicious activities, such as data exfiltration, deploying malware, or establishing backdoors for future access. Detection Mechanism: Microsoft Defender for Identity employs a profiling system that monitors group modification activities. It builds a baseline of normal behavior for user accounts regarding how and when they modify group memberships. The detection system triggers an alert when it observes an abnormal addition to a sensitive group, which deviates from the established profile of typical group modification activities. Defining Sensitive Groups: Defender for Identity categorizes certain groups as sensitive based on their privileges and roles within the domain. The specific definition and categorization of sensitive groups can be found in the Defender for Identity documentation under “Working with sensitive accounts.” |
| 2427 | Honeytoken user attributes modified | High | Attackers’ Tactics: Attackers may attempt to manipulate these attributes to gain unauthorized access or advantages. For instance, changing the phone number associated with an account could allow an attacker to intercept multifactor authentication (MFA) attempts, granting them access to secured resources. |
| 2428 | Honeytoken group membership changed | High | Attackers’ Tactics: After gaining access to an account, attackers might try to elevate their access rights or extend their influence by adding the compromised account to certain security groups. Alternatively, they might remove permissions from other users by altering group memberships, impacting the security posture of the network. |
① Resource-Based Constrained Delegation (RBCD) in Active Directory is designed for secure inter-service communication under specific conditions. It allows a service, like a web server, to authenticate to another service, such as a database server, on behalf of a user, without explicitly passing the user’s credentials. This functionality is particularly useful in scenarios where services need to interact securely and seamlessly, offering a way to delegate authentication in a restricted and controlled manner. RBCD is especially valuable in multi-domain environments, facilitating cross-domain service interactions by setting up access permissions for services in different domains. It provides more granular control compared to traditional Kerberos delegation, limiting delegation to authorized target services only, thus enhancing security in service-to-service communications.
In the hands of an attacker, especially one with control over an account with sufficient privileges (like a domain admin), RBCD can be manipulated for unauthorized access. Attackers can modify RBCD settings of a service to impersonate any user, thereby gaining access to sensitive resources and bypassing standard authentication mechanisms. This capability allows them to elevate their privileges and perform actions as higher-level users, providing a pathway to access restricted areas of the network. Moreover, once RBCD settings are altered to favor malicious objectives, attackers can maintain persistent access to target systems, facilitating long-term, undetected malicious activities such as data exfiltration. The abuse of RBCD presents a significant security threat, as it enables attackers to covertly navigate and exploit network resources under the guise of legitimate inter-service operations.