One Key to Rule Them All: Detecting the Skeleton Key Malware
Itai Grady & Tal Be’ery, Research Team, Aorato, Microsoft
{igrady,talbe} at Microsoft.com
OWASP IL, June 2015
Agenda
• Intro
• Web Apps and Authentication
• Authentication in Windows Environment: Active Directory (AD) & Domain Controller (DC), Kerberos Authentication
• The Skeleton Key malware: Deployment, Patching DC, RC4 downgrade
• Detection
  • Advanced Threat Analytics (ATA) intro
  • ATA detections: Remote Code Execution on DC, Skeleton Key Malware detection
  • Script based Skeleton Key Malware detection
Intro
Web App authentication
• So you have written a web app!
• Yet something is missing… Users!
• How do we know who you are? Authentication
• How do we know what you are allowed to do? Authorization
Authentication: OWASP Top 10
• Many things can go wrong… Authentication vulnerabilities are considered the #2 worst threat, right after Injection!
If You Want to Keep a Secret…
• Hide it from yourself: “Out-source” Auth! Use an existing directory service
  • On the Internet: Google, Twitter, Live, etc.
  • On Windows networks: Active Directory (AD)
• Plus get extra value: Single Sign On, Next Gen authentication, Central management, etc.
Time for a Meme
Active Directory
• Active Directory (AD) is a directory service for Windows domain networks
• Domain Controller (DC) is the server that runs the Active Directory service
• An AD Domain Controller authenticates and authorizes all users and computers
Active Directory in a Windows Network
Kerberos – Default AD Auth Protocol
(Diagram, graphics by Benjamin Delpy: LSASS (kerberos) derives the user’s long-term keys from the password “waza1234/”: des_cbc_md5 f8fd987fa7153185; rc4_hmac_nt (NTLM/md4) cc36cf7a8514893efccd332446158b1a; aes128_hmac 8451bb37aa6d7ce3d2a5c2d24d317af3; aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b)
① AS-REQ (User → KDC)
② AS-REP (KDC → User: TGT)
③ TGS-REQ (Server) (User → KDC)
④ TGS-REP (KDC → User: TGS)
⑤ Usage (User → Server)
• Authentication
• Authorization
Deriving Keys from Passwords
• Salting
  • Goal: same password, different users = different keys
  • Create-Key(pw + salt)
  • AES uses the username for salt
  • RC4-HMAC doesn’t have any!
• “Key Stretching”
  • Goal: increase CPU load per password
  • AES uses PBKDF2 = thousands of SHA rounds
  • RC4-HMAC doesn’t have any!
Kerberos Authentication In Depth
(Diagram, graphics by Benjamin Delpy. LSASS (kerberos) holds User1’s keys derived from the password “waza1234/”: des_cbc_md5 f8fd987fa7153185; rc4_hmac_nt (NTLM/md4) cc36cf7a8514893efccd332446158b1a; aes128_hmac 8451bb37aa6d7ce3d2a5c2d24d317af3; aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b. The KDC holds a key table:
  user     | rc4_hmac_nt | aes256_hmac
  Joe Doe  | 21321…      | 543..
  user1    | cc36cf7a…   | 1a7ddc…)
① AS-REQ: Name: user1; Etype: DES, RC4, AES128, AES256
② KERB-ERR: Pre-auth-REQ; Etype: RC4, AES; Salt: user1
③ AS-REQ: PA-ENC-TS; Etype: AES
④ AS-REP: TGT + Enc; Etype: AES
The Malware
The attack campaign
• Attackers installed malware on the DC so that anyone who holds the secret key can authenticate as any user
• Result:
  • Attacker can access as any user with the secret key
  • Users’ experience remains the same
Oh No, Skeleton Key for All!
• Thanks to Mimikatz
The Skeleton Key Malware: Deployment
• Attacker installs the malware remotely: PSEXEC to the DC, using domain admin credentials
• Malware changes several DC functions
• Attacker deletes the file from the DC and the other computer
PSEXEC Over the Wire
• Extracts the psexec service which controls the command
• Copies the service and the command file over SMB
• Creates a new service that points to the file
• Starts the service to execute the payload
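Step 3 of this sequence leaves a durable trace on the target: the Service Control Manager logs the new service. The following is an added example, not code from the slides or from ATA, that scores a few constructed Windows System-log records of that kind. Event ID 7045 ("A service was installed in the system") and PsExec's default service name PSEXESVC are real; the host inventory, the record layout and every sample record are constructed, and the scoring weights are an assumption chosen to put "new service on a DC" at the centre, as the slides do.

```python
"""Added example: flag PSEXEC-style service installs, with extra weight on Domain Controllers."""
import re

DOMAIN_CONTROLLERS = {"DC01", "DC02"}          # constructed inventory
KNOWN_REMOTE_EXEC_SERVICES = {"PSEXESVC"}      # PsExec's default service name

# Constructed 7045-style records: host, event id, service name, image path, run-as account.
SAMPLE_EVENTS = [
    {"host": "DC01", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "DC01", "id": 7045, "service": "WinDefend",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "account": "LocalSystem"},
    {"host": "WS17", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "DC02", "id": 7045, "service": "svc-a1b2c3d4",
     "image": r"C:\Windows\Temp\a1b2c3d4.exe", "account": "LocalSystem"},
    {"host": "DC02", "id": 7036, "service": "PSEXESVC", "image": "", "account": ""},
]

# Binary copied straight into ADMIN$ (= %SystemRoot%) or into a Temp directory.
DROPPED_IN_SHARE_ROOT_OR_TEMP = re.compile(r"(\\temp\\|^%systemroot%\\[^\\]+$)", re.IGNORECASE)
# Short prefix plus a run of hex: the auto-generated names many remote-exec tools use.
RANDOM_LOOKING_NAME = re.compile(r"[A-Za-z]{0,4}-?[0-9a-f]{6,}")


def score_event(ev):
    """Return (score, reasons) for one record; only service-install events (7045) score."""
    if ev["id"] != 7045:
        return 0, []
    score, reasons = 0, []
    if ev["host"] in DOMAIN_CONTROLLERS:
        score += 2
        reasons.append("new service installed on a Domain Controller")
    if ev["service"].upper() in KNOWN_REMOTE_EXEC_SERVICES:
        score += 3
        reasons.append("known remote-execution service name")
    elif RANDOM_LOOKING_NAME.fullmatch(ev["service"]):
        score += 1
        reasons.append("random-looking service name")
    if DROPPED_IN_SHARE_ROOT_OR_TEMP.search(ev["image"]):
        score += 1
        reasons.append("service binary dropped in the ADMIN$ root or a Temp directory")
    return score, reasons


def alerts(events, threshold=3):
    """Records scoring at or above threshold, highest score first."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append({"host": ev["host"], "service": ev["service"],
                        "score": score, "reasons": reasons})
    return sorted(out, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert["score"], alert["host"], alert["service"], "; ".join(alert["reasons"]))
```

On the constructed sample the PSEXESVC install on DC01 scores highest; the same service on workstation WS17 and the random-named service dropped in Temp on DC02 still alert, while the legitimate Defender service on DC01 stays below the threshold. The point is the DC weighting: on a Domain Controller, any newly installed service deserves a look.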
The Skeleton Key Malware on DC
• “Adds” a “Skeleton key” to the key table: only an RC4-HMAC key (= NTLM hash)
• On authentication the “patched” KDC:
  • checks whether the user’s key fits
  • if successful, announces the authentication successful and returns
  • if not, tries whether the “skeleton key” fits
    • if successful, announces the authentication successful
    • if not, fails the authentication
Why only RC4?
• Due to salting, the same password yields different AES keys for different users
• Attacker must either:
  • Compute AES keys in real time – lots of CPU
  • Compute them offline for all users – lots of memory
• Malicious patching becomes harder, as the attacker must intervene in more places to extract the user context
• Attacker’s solution: downgrade to RC4
Mimikatz Skeleton: Patch New Enc-Keys
(Annotated code screenshot; labels:)
• Check if newer keys exist
• Locate newer keys
• Patch newer keys
• Access lsass.exe memory
Mimikatz Skeleton: Re-route Functions
(Annotated code screenshot; labels:)
• Locate functions (to re-route)
• Inject patched functions
• Re-route Init function
• Re-route Decrypt function
The Skeleton Key Malware: Kerberos
KDC
User1
des_cbc_md5
LSASS (kerberos)
rc4_hmac_nt(NTLM/md4)
aes128_hmac
aes256_hmac
Graphics by Benjamin Delpy
user rc4_hmac_nt
aes256_hmac
Joe 21321… 543..
user1
cc36cf7a…
1a7ddc…
① AS-REQ
Name: user1
Etype: DES,
RC4, AES128,
AES256
③ AS-REQ
PA-ENC-TS
Etype: RC4TGT
② KERB-ERR
Pre-auth-REQ
Etype: RC4,AES
Salt:user1
④ AS-REP
TGT+Enc
Etype: RC4
ff687678....
Skeleton
ff687678…
Detection
How Microsoft ATA works
Automatically…
• Learn entities and their context
• Profile entity activities and behaviors
• Build the entities interaction graph
• Identify suspicious activities
• Connect suspicious activities into an Attack Timeline™
Detecting Remote Code Execution on DC
Detecting a Skeleton Key Malware
• Skeleton Key malware downgrades users’ encryption to RC4
• Let’s detect it! We know the user should be offered AES by the DC:
  • DC offered AES in the past
  • Judging by the DFL (Domain Functional Level) and the user’s capabilities
• Why only RC4 now?
Detecting Skeleton Key
Detecting with a script
• The script:
  • Verifies whether the DFL is relevant (>= 2008)
  • Finds an AES-supporting account (msds-supportedencryptiontypes >= 8)
  • Sends an AS-REQ to all DCs with only AES E-types supported
  • If it fails, then there’s a good chance the DC is infected
• Publicly available for download
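To tie the protocol slides and the detection logic together, the following is an added example, not the Aorato script and not code from the slides: an in-memory model of a KDC that follows the "Kerberos Authentication In Depth" exchange, the patched behaviour described on "The Skeleton Key Malware on DC" (user's key first, then the skeleton key, RC4 only) and the downgrade of "Why only RC4?", plus the four checks of the script above run against that model. Keys are short labels rather than real Kerberos keys; the accounts, DC names and the skeleton key value are constructed; the msds-supportedencryptiontypes bit values (4 = RC4, 8 = AES128, 16 = AES256) are real.

```python
"""Added example: model of a clean vs. Skeleton-Key-patched KDC, and the AES-only probe that tells them apart."""

AES_ETYPES = ("AES128", "AES256")
RC4 = "RC4"

# Constructed directory: per-account long-term keys (labels) and msds-supportedencryptiontypes.
ACCOUNTS = {
    "user1":  {"msds-supportedencryptiontypes": 0x1C,          # RC4 | AES128 | AES256
               "keys": {RC4: "k-rc4-user1", "AES128": "k-aes128-user1", "AES256": "k-aes256-user1"}},
    "legacy": {"msds-supportedencryptiontypes": 0x04,          # RC4 only
               "keys": {RC4: "k-rc4-legacy"}},
}


class Kdc:
    """One DC's KDC. skeleton_key=None models an unpatched DC."""

    def __init__(self, name, skeleton_key=None):
        self.name = name
        self.skeleton_key = skeleton_key

    def etypes_for(self, user, client_etypes):
        """② KERB-ERR (pre-auth required): etypes usable for this user = client's offer
        intersected with the keys the KDC finds. The patched KDC only ever finds the RC4
        key, so AES is no longer offered (the downgrade the detection looks for)."""
        if user not in ACCOUNTS:
            return []
        on_file = set(ACCOUNTS[user]["keys"])
        if self.skeleton_key is not None:
            on_file &= {RC4}
        return sorted(on_file & set(client_etypes))

    def as_req(self, user, etype, key):
        """③ AS-REQ with PA-ENC-TS under `etype` -> ④ AS-REP (a TGT) or a KDC error.
        Patched KDC: the user's own key is tried first, then the skeleton key."""
        if user not in ACCOUNTS:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        if etype not in self.etypes_for(user, [etype]):
            return {"error": "KDC_ERR_ETYPE_NOSUPP"}
        if key == ACCOUNTS[user]["keys"][etype]:
            return {"tgt": f"TGT({user})", "etype": etype}
        if self.skeleton_key is not None and etype == RC4 and key == self.skeleton_key:
            return {"tgt": f"TGT({user})", "etype": etype}     # accepted via the skeleton key
        return {"error": "KDC_ERR_PREAUTH_FAILED"}


def find_aes_account():
    """Step 2 of the script: first account with msds-supportedencryptiontypes >= 8."""
    return next((u for u, a in ACCOUNTS.items()
                 if a["msds-supportedencryptiontypes"] >= 8), None)


def skeleton_key_check(dcs, dfl):
    """Steps 1-4 of the script against the model. Returns the verdict and a per-DC result."""
    if dfl < 2008:                                              # step 1
        return {"verdict": "not applicable", "reason": "DFL below 2008: AES not expected"}
    user = find_aes_account()                                   # step 2
    if user is None:
        return {"verdict": "not applicable", "reason": "no AES-capable account"}
    results = {}
    for dc in dcs:                                              # step 3: AES-only AS-REQ
        offered = dc.etypes_for(user, AES_ETYPES)
        if "AES256" in offered:
            reply = dc.as_req(user, "AES256", ACCOUNTS[user]["keys"]["AES256"])
        else:
            reply = {"error": "no AES etype offered for an AES-capable account"}
        results[dc.name] = "ok" if "tgt" in reply else "suspicious: " + reply["error"]
    verdict = "suspicious" if any(r != "ok" for r in results.values()) else "clean"   # step 4
    return {"verdict": verdict, "probe_account": user, "dcs": results}


if __name__ == "__main__":
    dcs = [Kdc("DC01"), Kdc("DC02", skeleton_key="k-rc4-SKELETON")]
    print(skeleton_key_check(dcs, dfl=2008))
```

In the model, DC01 answers the AES-only request with a TGT while the patched DC02 can only offer RC4 and is reported as suspicious; the same run with a 2003 DFL returns "not applicable", which is exactly why the script checks the DFL first: on an older domain an RC4-only answer proves nothing.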
Script Detects the Skeleton Key Malware
Takeaways
• Advanced attackers will target your DC - Protect it!
• Downloads
  • Script: https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
  • Advanced Threat Analytics Preview Evaluation (90 days): https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
Questions?
More Questions? Contact us!
• Mail: {igrady,talbe} at Microsoft.com
• Twitter: @TalBeerySec, @ItaiGrady