{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T20:40:14Z","timestamp":1755981614476,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":67,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,19]],"date-time":"2024-11-19T00:00:00Z","timestamp":1731974400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100006374","name":"Army Research Office","doi-asserted-by":"publisher","award":["W911NF-23-1-0373"],"award-info":[{"award-number":["W911NF-23-1-0373"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,11,19]]},"DOI":"10.1145\/3689934.3690839","type":"proceedings-article","created":{"date-parts":[[2024,11,19]],"date-time":"2024-11-19T18:20:11Z","timestamp":1732040411000},"page":"59-72","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Ghost in the SAM: Stealthy, Robust, and Privileged Persistence through Invisible Accounts"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-5364-0708","authenticated-orcid":false,"given":"Sebasti\u00e1n R.","family":"Castro","sequence":"first","affiliation":[{"name":"University of California, Santa Cruz, Santa Cruz, California, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5142-9750","authenticated-orcid":false,"given":"Alvaro A.","family":"C\u00e1rdenas","sequence":"additional","affiliation":[{"name":"University of California, Santa Cruz, Santa Cruz, California, United 
States"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,11,19]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"RID Hijacking: Maintaining Access on Windows Machines. In Black Hat USA","author":"Castro Sebasti\u00e1n","year":"2018","unstructured":"Sebasti\u00e1n Castro. 2018. RID Hijacking: Maintaining Access on Windows Machines. In Black Hat USA 2018. https:\/\/www.blackhat.com\/us-18\/arsenal.html#rid-hijacking-maintaining-access-on-windows-machines"},{"key":"e_1_3_2_1_2_1","volume-title":"Suborner: A Windows Bribery for Invisible Persistence. In Black Hat USA","author":"Castro Sebasti\u00e1n","year":"2022","unstructured":"Sebasti\u00e1n Castro. 2022. Suborner: A Windows Bribery for Invisible Persistence. In Black Hat USA 2022. https:\/\/www.blackhat.com\/us-22\/arsenal\/schedule\/#suborner-a-windows-bribery-for-invisible-persistence-27976"},{"key":"e_1_3_2_1_3_1","unstructured":"chntpw. [n. d.]. chntpw. http:\/\/www.chntpw.com"},{"key":"e_1_3_2_1_4_1","unstructured":"Benjamin Delpy. [n. d.]. Kekeo. https:\/\/github.com\/gentilkiwi\/kekeo\/"},{"key":"e_1_3_2_1_5_1","unstructured":"Benjamin Delpy. 2011. Mimikatz. https:\/\/github.com\/gentilkiwi\/mimikatz"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5220\/0011710200003405"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.18178\/ijfcc.2016.5.2.455"},{"key":"e_1_3_2_1_8_1","unstructured":"ELCOMSOFT. [n. d.]. ESR SAM Editor. https:\/\/www.elcomsoft.com\/help\/en\/esr\/esr_samdbeditor.html"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00162"},{"key":"e_1_3_2_1_10_1","unstructured":"Hex-Rays. [n. d.]. IDA Pro. https:\/\/hex-rays.com\/ida-pro\/"},{"key":"e_1_3_2_1_11_1","unstructured":"IBM. [n. d.]. Root account. https:\/\/www.ibm.com\/docs\/en\/aix\/7.2?topic=passwords-root-account"},{"key":"e_1_3_2_1_12_1","unstructured":"Michael Kerrisk. [n. d.]. useradd(8) Linux manual page. 
https:\/\/man7.org\/linux\/man-pages\/man8\/useradd.8.html"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Platon Kotzias, Leyla Bilge, Pierre-Antoine Vervier, and Juan Caballero. 2019. Mind Your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises. In NDSS.","DOI":"10.14722\/ndss.2019.23522"},{"key":"e_1_3_2_1_14_1","unstructured":"Microsoft Learn. 2021. Antimalware Scan Interface (AMSI). https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/amsi\/antimalware-scan-interface-portal"},{"key":"e_1_3_2_1_15_1","unstructured":"Microsoft. [n. d.]. Kerberos Authentication Overview. https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-authentication-overview"},{"key":"e_1_3_2_1_16_1","unstructured":"Microsoft. 2021. Access Control Lists. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/access-control-lists"},{"key":"e_1_3_2_1_17_1","unstructured":"Microsoft. 2021. Appendix L: Events to Monitor. https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/appendix-l--events-to-monitor"},{"key":"e_1_3_2_1_18_1","unstructured":"Microsoft. 2021. Audit SAM. https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/audit-sam"},{"key":"e_1_3_2_1_19_1","unstructured":"Microsoft. 2021 d. Credential Providers. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthn\/credential-providers-in-windows"},{"key":"e_1_3_2_1_20_1","unstructured":"Microsoft. 2021 e. Debugging Tools for Windows (WinDbg, KD, CDB, NTSD). https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/debugger\/"},{"key":"e_1_3_2_1_21_1","unstructured":"Microsoft. 2021 f. Event Logging. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/eventlog\/event-logging"},{"key":"e_1_3_2_1_22_1","unstructured":"Microsoft. 2021 g. Access Tokens. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/access-tokens"},{"key":"e_1_3_2_1_23_1","unstructured":"Microsoft. 2021 h. 
HiveNightmare (CVE-2021-36934) Windows Elevation of Privilege Vulnerability. https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-36934"},{"key":"e_1_3_2_1_24_1","unstructured":"Microsoft. 2021 i. KB5004605: Update adds AES encryption protections to the MS-SAMR protocol for CVE-2021-33757. https:\/\/tinyurl.com\/3j6r4wvn"},{"key":"e_1_3_2_1_25_1","unstructured":"Microsoft. 2021 j. LSA Authentication. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthn\/lsa-authentication"},{"key":"e_1_3_2_1_26_1","unstructured":"Microsoft. 2021 k. Monitoring Active Directory for Signs of Compromise. https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/monitoring-active-directory-for-signs-of-compromise"},{"key":"e_1_3_2_1_27_1","unstructured":"Microsoft. 2021 l. MS-SAMR Security Account Manager. https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-samr\/"},{"key":"e_1_3_2_1_28_1","unstructured":"Microsoft. 2021 m. MS-SAMR: Security Account Manager (SAM) Remote Protocol (Client-to-Server). https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-samr\/"},{"key":"e_1_3_2_1_29_1","unstructured":"Microsoft. 2021 n. MSV1_0 Authentication Package. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthn\/msv1-0-authentication-package"},{"key":"e_1_3_2_1_30_1","unstructured":"Microsoft. 2021 o. NetUserAdd function (lmaccess.h). https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/lmaccess\/nf-lmaccess-netuseradd"},{"volume-title":"2021","key":"e_1_3_2_1_31_1","unstructured":"Microsoft. 2021 p. PowerShell documentation. https:\/\/learn.microsoft.com\/en-us\/powershell\/"},{"key":"e_1_3_2_1_32_1","unstructured":"Microsoft. 2021 q. Securable Objects. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/securable-objects"},{"key":"e_1_3_2_1_33_1","unstructured":"Microsoft. 2021 r. Security Descriptors. 
https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/security-descriptors"},{"key":"e_1_3_2_1_34_1","unstructured":"Microsoft. 2021 s. Security Identifier. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/security-identifiers"},{"key":"e_1_3_2_1_35_1","unstructured":"Microsoft. 2021 t. SID Components. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/secauthz\/sid-components"},{"key":"e_1_3_2_1_36_1","unstructured":"Microsoft. 2021 u. userenv.h header. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/userenv\/"},{"key":"e_1_3_2_1_37_1","unstructured":"Microsoft. 2021 v. USER_INFO_1 structure (lmaccess.h). https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/lmaccess\/ns-lmaccess-user_info_1"},{"key":"e_1_3_2_1_38_1","unstructured":"Microsoft. 2021 w. Well-Known SID Structures. https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-dtyp\/"},{"key":"e_1_3_2_1_39_1","unstructured":"Microsoft. 2021 x. Windows Authentication. Overview. https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/windows-authentication\/windows-authentication-overview"},{"volume-title":"2021 y","key":"e_1_3_2_1_40_1","unstructured":"Microsoft. 2021 y. Windows Kernel Mode Executive Support Library. https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/windows-kernel-mode-executive-support-library"},{"key":"e_1_3_2_1_41_1","unstructured":"Microsoft. 2021 z. Windows registry information for advanced users. https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-server\/performance\/windows-registry-advanced-users"},{"key":"e_1_3_2_1_42_1","unstructured":"Microsoft. 2023. Credentials Processes in Windows Authentication. https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/windows-authentication\/credentials-processes-in-windows-authentication"},{"key":"e_1_3_2_1_43_1","unstructured":"Microsoft. 2024. Microsoft Pluton security processor. 
https:\/\/learn.microsoft.com\/en-us\/windows\/security\/information-protection\/pluton\/microsoft-pluton-security-processor"},{"key":"e_1_3_2_1_44_1","unstructured":"Microsoft Forum. [n. d.]. Create Hidden User. https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/all\/creating-a-hidden-user\/0b4c00af-4354-4479-b0bb-b160ef84022d"},{"key":"e_1_3_2_1_45_1","unstructured":"MITRE. [n. d.]. MITRE ATT&CK Framework. https:\/\/attack.mitre.org\/"},{"key":"e_1_3_2_1_46_1","unstructured":"MITRE. 2024. Persistence Tactic TA0003. https:\/\/attack.mitre.org\/tactics\/TA0003\/"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4842-6193-4_8"},{"key":"e_1_3_2_1_48_1","volume-title":"Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth. Dark Reading","author":"Montalbano Elizabeth","year":"2024","unstructured":"Elizabeth Montalbano. 2024. Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth. Dark Reading (2024). https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/novel-edr-killing-ghostengine-malware-stealth Accessed: 2024-06-20."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3329786"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.23919\/ICAC50006.2021.9594197"},{"key":"e_1_3_2_1_51_1","unstructured":"Rapid7. [n. d.]. Metasploit. https:\/\/www.metasploit.com\/"},{"key":"e_1_3_2_1_52_1","unstructured":"Red Hat. [n. d.]. Identity Management Log Files and Directories. https:\/\/tinyurl.com\/2p8ddhmz"},{"key":"e_1_3_2_1_53_1","unstructured":"Will Schroeder. [n. d.]. Rubeus. https:\/\/github.com\/GhostPack\/Rubeus"},{"key":"e_1_3_2_1_54_1","unstructured":"SecureAuth. [n. d.]. Impacket. https:\/\/www.secureauth.com\/labs\/open-source-tools\/impacket\/"},{"key":"e_1_3_2_1_55_1","unstructured":"AArthi Sing. [n. d.]. Editing \/etc\/passwd File for Privilege Escalation. 
https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/windows-kernel-mode-executive-support-library"},{"key":"e_1_3_2_1_56_1","unstructured":"Slate. [n. d.]. Don't listen to Bill Gates. The open-source movement isn't communism. https:\/\/slate.com\/technology\/2005\/11\/the-open-source-movement-isn-t-communism.html"},{"key":"e_1_3_2_1_57_1","unstructured":"Ben Ten. [n. d.]. doucMe. https:\/\/github.com\/ben0xa\/doucme"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1201\/9781003369042-7"},{"key":"e_1_3_2_1_59_1","unstructured":"Unit 42. 2024. Manic Menagerie Targets Web Hosting and IT: Threat Report. https:\/\/unit42.paloaltonetworks.com\/manic-menagerie-targets-web-hosting-and-it\/ Accessed: 2024-06-20."},{"volume-title":"Dynamic Detection and Classification of Persistence Techniques in Windows Malware. Master's thesis","author":"van Nielen Jorik","key":"e_1_3_2_1_60_1","unstructured":"Jorik van Nielen. 2023. Dynamic Detection and Classification of Persistence Techniques in Windows Malware. Master's thesis. University of Twente."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102855"},{"key":"e_1_3_2_1_62_1","unstructured":"VirusTotal. 2024. VirusTotal Analysis of RID Hijacking Metasploit Module. https:\/\/www.virustotal.com\/gui\/url\/4cfb24f056d7d669982f32a9912e0bf34b6749a168509042edcd015c40498db1"},{"key":"e_1_3_2_1_63_1","unstructured":"VirusTotal. 2024. VirusTotal Analysis of RID Hijacking PowerShell Module. https:\/\/www.virustotal.com\/gui\/url\/a4a5478d0aaa412a570db90789358ec1a4fabb449ed7e7fbe69db275b7fe5c1e"},{"key":"e_1_3_2_1_64_1","unstructured":"VirusTotal. 2024. VirusTotal Analysis of Suborner C# Module. https:\/\/www.virustotal.com\/gui\/url\/950fc6295d583a60a7309e422926eff796d0874571f6ee0baade777c3d060246"},{"key":"e_1_3_2_1_65_1","volume-title":"Evaluating tool based automated malware analysis through persistence mechanism detection. 
Master's thesis","author":"Webb Matthew","year":"2018","unstructured":"Matthew Webb. 2018. Evaluating tool based automated malware analysis through persistence mechanism detection. Master's thesis. Kansas State University. https:\/\/krex.k-state.edu\/handle\/2097\/38783"},{"key":"e_1_3_2_1_66_1","volume-title":"Processes, Threads, Memory Management, and More","author":"Yosifovich Pavel","unstructured":"Pavel Yosifovich, Mark E. Russinovich, David A. Solomon, and Alex Ionescu. 2017. Windows Internals, Part 1: System Architecture, Processes, Threads, Memory Management, and More (7th ed.). Microsoft Press, USA.","edition":"7"},{"key":"e_1_3_2_1_67_1","unstructured":"YouTube. [n. d.]. Create Invisible Account in Windows XP. https:\/\/www.youtube.com\/watch?v=_FB-dKtaOs8"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Salt Lake City UT USA","acronym":"CCS '24"},"container-title":["Proceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) 
attacks"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689934.3690839","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3689934.3690839","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T20:25:33Z","timestamp":1755980733000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689934.3690839"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,19]]},"references-count":67,"alternative-id":["10.1145\/3689934.3690839","10.1145\/3689934"],"URL":"https:\/\/doi.org\/10.1145\/3689934.3690839","relation":{},"subject":[],"published":{"date-parts":[[2024,11,19]]},"assertion":[{"value":"2024-11-19","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}