Research area: Strategies
Conference: CheckMATE '24: Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks
Persistence attacks allow adversaries to maintain access to compromised systems. Despite their wide use by most threat campaigns, they remain understudied in the academic literature. In this paper, we study the concepts and requirements for local invisible accounts and then show new OS-level attacks by implementing these ideas on Windows. In particular, we propose three general design objectives for successful persistence attack vectors. Then, we show how to implement these objectives by bypassing functionality provided by Windows to manage identities. To do this, we first reverse-engineer parts of Windows's authentication and authorization process and propose two attacks: RID Hijacking and Suborner. We show that these attacks affect all versions of Windows since XP and Server 2003, and in combination, they can create stealthy, robust, and privileged accounts.
| Publication year | 2024 |
|---|---|
| Citations | 1 |
| Country of publication | United States |
| Site | ACM |
| Likes | 0 |