One Key to Rule Them All: Detecting the Skeleton Key Malware
Itai Grady & Tal Be’ery
Research Team, Aorato, Microsoft
{igrady,talbe} at Microsoft.com
OWASP IL, June 2015
Agenda
• Intro
• Web Apps and Authentication
• Authentication in Windows Environment: Active Directory (AD) & Domain Controller (DC), Kerberos Authentication
• The Skeleton Key malware: Deployment, Patching DC, RC4 downgrade
• Detection
  • Advanced Threat Analytics (ATA) intro
  • ATA detections: Remote Code Execution on DC, Skeleton Key Malware detection
  • Script based Skeleton Key Malware detection
Intro
Web App authentication
• So you have written a web app!
• Yet something is missing… Users!
• How do we know who you are? Authentication
• How do we know what you are allowed to do? Authorization
Authentication: OWASP Top 10
• Many things can go wrong…
• Authentication vulnerabilities are considered the #2 worst threat, right after Injections!
If You Want to Keep a Secret…
• Hide it from yourself: “Out-source” Auth!
• Use an existing directory service
  • On the Internet: Google, Twitter, Live, etc.
  • On Windows networks: Active Directory (AD)
• Plus get extra value: Single Sign-On, next-gen authentication, central management, etc.
Time for a Meme
Active Directory
• Active Directory (AD) is a directory service for Windows domain networks
• Domain Controller (DC) is the server that runs the Active Directory service
• An AD Domain Controller authenticates and authorizes all users and computers
Active Directory in a Windows Network
Kerberos – Default AD Auth Protocol
[Figure: Kerberos flow between User, KDC and Server. On the user side, LSASS (kerberos) derives one key per encryption type from the password waza1234/:
  des_cbc_md5             f8fd987fa7153185
  rc4_hmac_nt (NTLM/md4)  cc36cf7a8514893efccd332446158b1a
  aes128_hmac             8451bb37aa6d7ce3d2a5c2d24d317af3
  aes256_hmac             1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b
Exchange: ① AS-REQ and ② AS-REP (TGT) with the KDC; ③ TGS-REQ (Server) and ④ TGS-REP (TGS) with the KDC; ⑤ Usage of the ticket against the Server. The KDC provides:
• Authentication
• Authorization
Graphics by Benjamin Delpy]
Deriving Keys from Passwords
• Salting
  • Goal: same password, different users = different keys
  • Create-Key(pw + salt)
  • AES uses the username for salt
  • RC4-HMAC doesn’t have any!
• “Key Stretching”
  • Goal: increase CPU load per password
  • AES uses PBKDF2 = thousands of SHA rounds
  • RC4-HMAC doesn’t have any!
Kerberos Authentication In Depth
[Figure: User1 (password waza1234/, with the same LSASS (kerberos) keys as in the previous figure: des_cbc_md5 f8fd987fa7153185, rc4_hmac_nt (NTLM/md4) cc36cf7a8514893efccd332446158b1a, aes128_hmac 8451bb37aa6d7ce3d2a5c2d24d317af3, aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b) talking to the KDC, whose key table holds one row per user:
  user    rc4_hmac_nt   aes256_hmac
  Joe     21321…        543..
  user1   cc36cf7a…     1a7ddc…
  Doe
Exchange:
① AS-REQ (Name: user1; Etype: DES, RC4, AES128, AES256)
② KERB-ERR (Pre-auth-REQ; Etype: RC4, AES; Salt: user1)
③ AS-REQ (PA-ENC-TS; Etype: AES)
④ AS-REP (TGT + Enc; Etype: AES)
Graphics by Benjamin Delpy]
The Malware
The attack campaign
• Attackers installed malware on a DC that authenticates anyone presenting the secret key as any user
• Result:
  • Attacker can access as any user with the secret key
  • Users’ experience remains the same
Oh No, Skeleton Key for All!
• Thanks to Mimikatz
The Skeleton Key Malware: Deployment
• Attacker installs the malware remotely
  • PSEXEC to DC
  • Domain admin credentials
• Malware changes several DC functions
• Attacker deletes the file from the DC and the other computer
PSEXEC Over the Wire
• Extracts the psexec service which controls the command
• Copies the service and the command file over SMB
• Creates a new service that points to the file
• Starts the service to execute the payload
The Skeleton Key Malware on DC
• “Adds” a “Skeleton key” to the key table
  • Only an RC4-HMAC key = NTLM hash
• On authentication the “patched” KDC:
  • Checks whether the user’s key fits
  • If successful, announces the authentication as successful and returns
  • If not, tries whether the “skeleton key” fits
    • If successful, announces the authentication as successful
    • If not, fails the authentication
Why only RC4?
• Due to salting, the same password yields a different AES key for every user
• Attacker must either:
  • Compute AES keys in real time – lots of CPU
  • Compute them offline for all users – lots of memory
• Malicious patching becomes harder as the attacker must intervene in more places to extract the user context
• Attacker’s solution: downgrade to RC4
Mimikatz Skeleton: Patch New Enc-Keys
[Annotated code screenshot: check if newer keys exist; locate newer keys; patch newer keys; access lsass.exe memory]
Mimikatz Skeleton: Re-route Functions
[Annotated code screenshot: locate functions (to re-route); inject patched functions; re-route Init function; re-route Decrypt function]
The Skeleton Key Malware: Kerberos
[Figure: the same flow as in the Kerberos Authentication In Depth figure (User1; LSASS (kerberos) key types des_cbc_md5, rc4_hmac_nt (NTLM/md4), aes128_hmac, aes256_hmac; KDC key table with Joe and user1 (cc36cf7a…, 1a7ddc…)), now with a Skeleton entry ff687678… patched into the KDC; the same ff687678… value appears on the client side:
① AS-REQ (Name: user1; Etype: DES, RC4, AES128, AES256)
② KERB-ERR (Pre-auth-REQ; Etype: RC4, AES; Salt: user1)
③ AS-REQ (PA-ENC-TS; Etype: RC4)
④ AS-REP (TGT + Enc; Etype: RC4)
Graphics by Benjamin Delpy]
Detection
How Microsoft ATA works
Automatically…
• Learn entities and their context
• Profile entity activities and behaviors
• Build the entities interaction graph
• Identify suspicious activities
• Connect suspicious activities into an Attack Timeline™
Detecting Remote Code Execution on DC
Detecting a Skeleton Key Malware
• Skeleton Key malware downgrades users’ encryption to RC4
• Let’s detect it!
  • We know the user should be offered AES by the DC
    • DC offered AES in the past
    • Judging by DFL and user’s capabilities
  • Why only RC4 now?
Detecting Skeleton Key
Detecting with a script
• The script:
  • Verifies whether the DFL is relevant (>= 2008)
  • Finds an AES-supporting account (msds-supportedencryptiontypes >= 8)
  • Sends an AS-REQ to all DCs with only the AES E-type supported
  • If it fails, there’s a good chance the DC is infected
• Publicly available for download
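The decision logic behind the steps above, as an added example that is not the Aorato script: DFL check, choice of an AES-capable account (a bitmask test on msDS-SupportedEncryptionTypes instead of the slide’s “>= 8” shorthand), and a verdict per DC from the KDC’s answer. The AS-REQ itself is assumed to be provided by the caller as send_as_req(dc, account, etypes) returning the KRB-ERROR code (0 for an AS-REP); a constructed fake KDC stands in for it, and a pre-auth-less probe is assumed, so KDC_ERR_PREAUTH_REQUIRED counts as a healthy reply.

```python
from typing import Callable, Dict, Optional, Sequence

DFL_WINDOWS_2008 = 3            # msDS-Behavior-Version value for Windows Server 2008
AES_BITS = 0x8 | 0x10           # msDS-SupportedEncryptionTypes: AES128 | AES256 bits
AES_ETYPES = (18, 17)           # aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
KDC_ERR_ETYPE_NOSUPP = 14       # KDC has no key for any requested etype
KDC_ERR_PREAUTH_REQUIRED = 25   # normal reply to an AS-REQ sent without pre-auth

def supports_aes(msds_supported_enctypes: int) -> bool:
    """Bitmask test rather than '>= 8', so a value such as 0x20 (FAST only)
    is not mistaken for AES support."""
    return bool(msds_supported_enctypes & AES_BITS)

def pick_probe_account(accounts: Dict[str, int]) -> Optional[str]:
    """First account whose msDS-SupportedEncryptionTypes advertises AES."""
    return next((name for name, mask in accounts.items() if supports_aes(mask)), None)

def probe_dcs(dfl: int, accounts: Dict[str, int], dcs: Sequence[str],
              send_as_req: Callable[[str, str, Sequence[int]], int]) -> Dict[str, str]:
    """Verdict per DC. A healthy KDC answers an AES-capable account with an AS-REP
    (0) or with PREAUTH_REQUIRED (25); refusing the AES etypes outright is the
    failure the slide describes."""
    if dfl < DFL_WINDOWS_2008:
        raise ValueError("DFL below Windows Server 2008: AES is never offered")
    account = pick_probe_account(accounts)
    if account is None:
        raise ValueError("no AES-capable account to probe with")
    verdicts = {}
    for dc in dcs:
        code = send_as_req(dc, account, AES_ETYPES)
        if code in (0, KDC_ERR_PREAUTH_REQUIRED):
            verdicts[dc] = "clean"
        elif code == KDC_ERR_ETYPE_NOSUPP:
            verdicts[dc] = "suspect: AES refused for an AES-capable account"
        else:
            verdicts[dc] = f"inconclusive: KRB-ERROR {code}"
    return verdicts

def fake_kdc(dc: str, account: str, etypes: Sequence[int]) -> int:
    """Constructed stand-in for the network: DC2 behaves like a KDC that
    only has RC4 keys left, DC1 behaves normally."""
    if dc == "DC2" and all(e in AES_ETYPES for e in etypes):
        return KDC_ERR_ETYPE_NOSUPP
    return KDC_ERR_PREAUTH_REQUIRED

# Constructed directory data: RC4-only service account, AES-capable user, FAST-only bit.
SAMPLE_ACCOUNTS = {"legacysvc": 0x4, "user1": 0x18, "fastonly": 0x20}
```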
Script Detects the Skeleton Key Malware
Takeaways
• Advanced attackers will target your DC - protect it!
• Downloads
  • Script: https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
  • Advanced Threat Analytics Preview Evaluation (90 days): https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
Questions?
More Questions? Contact us!
• Mail: {igrady,talbe} at Microsoft.com
• Twitter: @TalBeerySec, @ItaiGrady