One Key to Rule Them All: Detecting the Skeleton Key Malware
Identity is one of the cornerstones of application security. On windows domains, identity is managed through Active Directory (AD) Domain service on the Domain Controller (DC). Therefore, it should come as no surprise that advanced attackers are actively targeting the DC. Earlier this year, Dell Secureworks had shared a report on an advanced attack campaign utilizing a dedicated DC malware, named “Skeleton Key” Malware. The Skeleton Key malware modifies the DC behavior to accept authentications specifying a secret ”Skeleton key” (i.e. “master key”) password, thus enabling the attackers to login from any computer as any domain user without installing any additional malware while keeping the original users’ authentication behavior. On this talk, we will explore the unique interaction between such malware functionality and the Kerberos authentication protocol; We will put a special emphasis on its manifestation over the network traffic. We will also share a script that implements the remotes detection of the skeleton key malware functionality. The talk was given on TCE2015 summer school, Technion, Israel
One Key to Rule Them All: Detecting the Skeleton Key Malware
- 1. TCE2015 Summer School, September 2015
- 3. • The Villain: • The Damsel: • Damsel in distress: • Knight in shining Armor:
- 20. admin123
- 22. wrongpassword
- 24. P@$$w0rd1
- 27. admin 123 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae1 f498ff41614cc7800 1cbf6e3142857cce2 566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ (Server) ④ TGS-REP ⑤ Usage User Server
- 28. • AES uses the username for salt • RC4-HMAC doesn’t have any! • AES uses PBKDF2= Thousands of SHA rounds • RC4-HMAC doesn’t have any!
- 29. KDC admin 123 User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae1 f498ff41614cc7800 1cbf6e3142857cce2 566ce74a7f25b user rc4_hmac _nt aes256_ hmac Joe 21321… 543.. user1 cc36cf7a … 1a7ddc … Doe TGT
- 33. KDC User1 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac user rc4_hmac _nt aes256_ hmac Joe 21321… 543.. user1 cc36cf7a … 1a7ddc … TGT ff687678.... Pa$$w0rd1 ff687678…
- 34. KDC
- 37. Automatically… • Learn entities and their context • Profile entity activities and behaviors • Build the entities interaction graph • Identify suspicious activities • Connect suspicious activities into an Attack Timeline™ How Microsoft ATA works
- 38. 1 ATA Analyzes all Active Directory- related traffic and collects relevant events from SIEM 3 ATA Builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses and constructs an attack timeline 2 ATA automatically learns all entities’ behaviors ANALYZE LEARN DETECT
- 39. Abnormal Behavior • Anomalous logins • Abnormal behavior • Unknown threats • Password sharing • Lateral-movement Security Risks • Weak Protocols • Known protocol vulnerabilities • Broken Trust Attacksinreal-time • Pass-the-Ticket (PtT) • Pass-the-Hash (PtH) • Forged PAC (MS14-068) • Reconnaissance • Bruteforce 1 2 3
Editor's Notes
- http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf http://image.slidesharecdn.com/pivotaldatalakearchitectureitsroleinsecurityanalytics-140707093240-phpapp02/95/pivotal-data-lake-architecture-its-role-in-security-analytics-7-638.jpg?cb=1415961449
- http://images.rapgenius.com/995335ab10386f992dde5f3797e92c65.1000x682x1.jpg
- NTLM relay talk 2014 by Oren Ofer
- 3 Data sources – Network traffic, AD data and SIEM events Create traps (Honeytokens) to mislead attackers
- Classifying the SAs to 3 types - Risks (Misconfiguration), Deterministic and Behavioral based (Who access what and when)