However, at Rendition Infosec we have recently observed an attacker using Kerberos Silver tickets for long term access. The silver ticket relies on compromising credentials to a particular service account (or more correctly the hash for that service account). For the case we observed, the attackers using the computer account password hash to create tickets with admin rights on the local machine. This means that even when local admin passwords are changed, the attacker can still access the machine as admin by using the machine password hash.
Doesn't the machine password change?
By default, the machine password should change every 30 days. However, machine password changes are recommendations and not enforced at the domain. In other words, even if the domain policy says to change the password every 30 days, a machine can go for years without its password changing and there's no change to the operation on the machine. Also, it's up to the machine to change its own password.
Gimme an IOC
On the machines where we observed this behavior, we saw the attackers updating a registry value to ensure that the machine password would never be updated. At this time, we believe this to be a reliable indicator of compromise and have not observed it on machines that were not under active attack. If you have seen this set elsewhere, please comment on the post or touch base out of band (jake at Rendition Infosec).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\ParametersHopefully you find this useful in hunting your favorite neighborhood APT.
DisablePasswordChange = 1
