One Key to Rule Them All: Detecting the Skeleton Key Malware
TRANSCRIPT
Itai Grady & Tal Be’ery, Research Team, Aorato, Microsoft
{igrady,talbe} at Microsoft.com
TCE2015 Summer School, September 2015
Agenda
• Intro
• The Villain: Advanced attackers
• The Damsel: Authentication in Windows
  • Active Directory (AD), Domain Controller (DC)
• Damsel in distress: Advanced attackers targeting the DC
  • The Skeleton Key malware
  • Skeleton Key malware in action: Kerberos subverted, RC4 downgrade, remote deployment
• Detection
  • Knight in shining Armor: Advanced Threat Analytics (ATA)
  • Network Monitoring (ATA) based detections
  • Scanner based detection
The villain
Advanced Attackers
• Victim is targeted
  • Not chosen at random
• Internal network campaign
• End goal: the organization’s secrets
  • Customers’ credit cards
  • Financial results
  • Yet-to-be-published movies
  • Source code
(Image: http://www.tibco.com/blog/wp-content/uploads/2013/01/Hackers-With-An-Agenda.jpg)
Advanced Attackers TTPs
• TTP = Tactics, Techniques and Procedures
• The “Cyber Kill-chain” (Lockheed Martin)
The Damsel
Authentication & Authorization
• How do we know who you are?
  • Authentication
• How do we know what you are allowed to do?
  • Authorization
Directory Services
• Central management for identities
• Authentication
  • Stores credentials: passwords, certificates, biometrics
  • Implements authentication protocols
  • Single Sign On (SSO) token
• Authorization
  • Roles, group membership
• Directory Services examples:
  • On the Internet: Google, Twitter, Live, etc.
  • On Windows networks: Active Directory (AD)
Active Directory
• Active Directory (AD) is a directory service for Windows domain networks
• A Domain Controller (DC) is a server that runs the Active Directory service
• An AD Domain Controller authenticates and authorizes all users and computers in the domain
• Kerberos is AD’s default authentication protocol
Active Directory in a Windows Network
The Damsel in Distress
Why do Advanced Attackers Target DCs?
• Credentials & authentication
• Full network access
• Diskless persistency
DC holds all credentials
• DC holds the “keys to the kingdom”
  • All keys = full access
  • Plus special keys (“Master Key”)
• DC handles all authentication
  • Attackers can subvert the authentication algorithm
DC Talks to Everyone
• The DC connection graph is a star topology
  • Attackers can move on to other targets
  • No firewall issues
  • No network anomalies (at least at a high level)
DC (almost) Never Sleeps
• Normally, to achieve persistency, malware needs to write something to disk
• Disk is much more exposed to scrutiny
• The DC is critical for normal network operations, thus (almost) never rebooted
• Therefore, DC-resident malware can be diskless and still persistent
The Malware
The attack campaign
• Attackers installed malware on the DC that adds a secret “Skeleton Key” to authentication
• Result:
  • The attacker can access any computer/server/resource, as any user, by using the secret key
  • Normal users’ experience remains the same
Skeleton Key Malware Effects Demo
• admin123 = real admin password
• P@$$w0rd1 = villain’s password
(Demo figure: admin123 and wrongpassword tried against a DC with the malware not installed; P@$$w0rd1 tried against a DC with the malware installed)
Oh No, Skeleton Key for All!
• Thanks to Mimikatz
Kerberos – Default AD Auth Protocol
(Figure: from the password admin123, LSASS (Kerberos) derives one key per encryption type; the KDC holds the same keys for the user)
  des_cbc_md5               f8fd987fa7153185
  rc4_hmac_nt (NTLM/MD4)    cc36cf7a8514893efccd332446158b1a
  aes128_hmac               8451bb37aa6d7ce3d2a5c2d24d317af3
  aes256_hmac               1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b
Ticket flow between User, KDC and Server:
  ① AS-REQ (User → KDC)
  ② AS-REP (KDC → User: TGT)
  ③ TGS-REQ (Server) (User → KDC, presenting the TGT)
  ④ TGS-REP (KDC → User: service ticket, TGS)
  ⑤ Usage (User → Server, presenting the service ticket)
• Authentication
• Authorization
Graphics by Benjamin Delpy
AES vs. RC4: Password Key Derivation
• Salting
  • Goal: same password, different users = different keys
  • Create-Key(pw + salt)
  • AES uses the realm and username as salt
  • RC4-HMAC doesn’t have any!
• “Key stretching”
  • Goal: increase CPU load per password guess
  • AES uses PBKDF2 = thousands of HMAC-SHA1 rounds (4,096 iterations)
  • RC4-HMAC doesn’t have any!
Kerberos Encryption Handshake
(Figure, graphics by Benjamin Delpy: User1’s password admin123 becomes, in LSASS (Kerberos), the keys des_cbc_md5 f8fd987fa7153185, rc4_hmac_nt (NTLM/MD4) cc36cf7a8514893efccd332446158b1a, aes128_hmac 8451bb37aa6d7ce3d2a5c2d24d317af3 and aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b; the KDC’s database holds the per-user rc4_hmac_nt and aes256_hmac keys:)
  user     rc4_hmac_nt    aes256_hmac
  Joe      21321…         543..
  user1    cc36cf7a…      1a7ddc…
  Doe
Kerberos Authentication: Over the Wire
  ① AS-REQ: Name: user1; Etype: DES, RC4, AES128, AES256
  ② KERB-ERR: Pre-auth required; Etype: RC4, AES; Salt: user1
  ③ AS-REQ: PA-ENC-TS; Etype: AES
  ④ AS-REP: TGT + Enc; Etype: AES
The Skeleton Key Malware on DC
• “Adds” a “skeleton key” to the key table
  • Only an RC4-HMAC key
• On authentication, the “patched” DC:
  • Checks whether the user’s key fits
  • If so, announces the authentication successful and returns
  • If not, checks whether the “skeleton key” fits
    • If so, announces the authentication successful
    • If not, fails the authentication
Why only RC4?
• Due to salting, the same password for different users creates different AES keys
• The attacker must either:
  • Compute AES keys in real time (lots of CPU)
  • Precompute them offline for all users (lots of memory)
• Malicious patching becomes harder, as the attacker must intervene in more places to extract the user context (the salt)
• The attacker’s solution: downgrade to RC4
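The following is an added example (not code from the deck, from Mimikatz or from ATA) that ties the last three slides together in runnable Python: it derives the rc4_hmac_nt key exactly as the deck’s figures do (MD4 over the UTF-16LE password, no salt, no stretching), shows the salted PBKDF2 stage of the AES string-to-key so that the same password gives different material for user1 and user2, and models the patched DC’s pre-auth check (user key first, then the skeleton key). The realm CONTOSO.COM, the user names and the timestamp are assumptions; the RC4-HMAC wrapping follows RFC 4757 section 6 as written here and is used only for this self-contained model, no interoperability with a real KDC is claimed. The deck’s rc4_hmac_nt value for admin123 can be compared with what the script prints.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 only ships MD4 in its legacy provider)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (  # (boolean function, input-word order, shift schedule, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, _rot((a + f(b, c, d) + x[j] + k) & MASK, shifts[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4_hmac_nt_key(password: str) -> bytes:
    """rc4_hmac_nt is the NT hash: MD4 over UTF-16LE. No salt, no stretching: every user with
    this password has this exact key, so the KDC needs no user context to try a skeleton key."""
    return md4(password.encode("utf-16-le"))


def aes_pbkdf2_stage(password: str, realm: str, username: str, key_len: int) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key with AD's salt (uppercase realm +
    username) and 4096 iterations. The final key needs one more AES-based step, DK(tkey,
    "kerberos"), which is omitted here; salt and stretching are the point of this stage."""
    salt = (realm.upper() + username).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, key_len)


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


KU_PA_ENC_TIMESTAMP = 1  # RFC 4120 key-usage number for the pre-auth timestamp


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757 section 6: K1 = HMAC-MD5(K, usage); checksum = HMAC-MD5(K1, confounder|data);
    K3 = HMAC-MD5(K1, checksum); output = checksum | RC4(K3, confounder|data)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes):
    """Plaintext, or None when the checksum does not verify (i.e. wrong key)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, ciphertext = blob[:16], blob[16:]
    data = rc4(_hmac_md5(k1, checksum), ciphertext)
    return data[8:] if hmac.compare_digest(_hmac_md5(k1, data), checksum) else None


def client_pa_enc_timestamp(password: str, timestamp: bytes = b"20150901080000Z") -> bytes:
    """Client side of step 3: the timestamp encrypted under the key derived from the typed password."""
    return rc4_hmac_encrypt(rc4_hmac_nt_key(password), KU_PA_ENC_TIMESTAMP, timestamp)


def kdc_preauth_check(user_rc4_key: bytes, skeleton_key, pa_enc_ts: bytes):
    """Model of the deck's patched DC: user's key first, then the skeleton key. Returns "user",
    "skeleton" or None. A clean DC is the same call with skeleton_key=None."""
    if rc4_hmac_decrypt(user_rc4_key, KU_PA_ENC_TIMESTAMP, pa_enc_ts) is not None:
        return "user"
    if skeleton_key and rc4_hmac_decrypt(skeleton_key, KU_PA_ENC_TIMESTAMP, pa_enc_ts) is not None:
        return "skeleton"
    return None


if __name__ == "__main__":
    user_key = rc4_hmac_nt_key("admin123")   # compare with the deck's rc4_hmac_nt for admin123
    skeleton = rc4_hmac_nt_key("P@$$w0rd1")  # the villain's password from the deck
    for pw in ("admin123", "P@$$w0rd1", "wrongpassword"):
        pa = client_pa_enc_timestamp(pw)
        print(pw, "clean DC:", kdc_preauth_check(user_key, None, pa),
              "patched DC:", kdc_preauth_check(user_key, skeleton, pa))
    for user in ("user1", "user2"):  # same password: identical RC4 key, different AES material
        print(user, user_key.hex(), aes_pbkdf2_stage("admin123", "CONTOSO.COM", user, 32).hex())
```

The RC4 key is the only one the malware can check without knowing which user is authenticating; the AES material differs per user because the salt is folded in before 4,096 HMAC-SHA1 rounds, which is exactly why the patched DC pushes the client down to RC4.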
The Skeleton Key Malware: Kerberos
(Figure, graphics by Benjamin Delpy: the same handshake with the malware on the DC. LSASS (Kerberos) on User1’s machine still holds the des_cbc_md5, rc4_hmac_nt (NTLM/MD4), aes128_hmac and aes256_hmac keys, and the KDC’s database still holds user1’s keys next to Joe’s and Doe’s; the attacker’s RC4 key ff687678…, derived from Pa$$w0rd1, appears both on the attacker’s side and in the patched DC’s key table:)
  user     rc4_hmac_nt    aes256_hmac
  Joe      21321…         543..
  user1    cc36cf7a…      1a7ddc…
  Doe
  (skeleton key)  ff687678…
  ① AS-REQ: Name: user1; Etype: DES, RC4, AES128, AES256
  ② KERB-ERR: Pre-auth required; Etype: RC4, AES; Salt: user1
  ③ AS-REQ: PA-ENC-TS; Etype: RC4
  ④ AS-REP: TGT + Enc; Etype: RC4
The Skeleton Key Malware: Deployment
• The attacker remotely installs the malware
  • PsExec to the DC
  • Using domain admin credentials
• The malware patches several DC functions
• The attacker then deletes the file from the DC and from the other computer
PSEXEC Over the Wire
• Extracts the PsExec service executable, which runs the command
• Copies the service executable and the command file over SMB
• Creates a new service that points to the file
• Starts the service to execute the payload
Detection
How Microsoft ATA works
Automatically…
• Learn entities and their context
• Profile entity activities and behaviors
• Build the entities’ interaction graph
• Identify suspicious activities
• Connect suspicious activities into an Attack Timeline™
Microsoft Advanced Threat Analytics
1. ANALYZE: ATA analyzes all Active Directory-related traffic and collects relevant events from the SIEM
2. LEARN: ATA automatically learns all entities’ behaviors
3. DETECT: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses, and constructs an attack timeline
Attack Timeline™
Abnormal Behavior
• Anomalous logins
• Abnormal behavior
• Unknown threats
• Password sharing
• Lateral movement
Security Risks
• Weak protocols
• Known protocol vulnerabilities
• Broken trust
Attacks in real time
• Pass-the-Ticket (PtT)
• Pass-the-Hash (PtH)
• Forged PAC (MS14-068)
• Reconnaissance
• Brute force
Detecting Remote Code Execution on DC
Network Monitoring Based Detection
• The Skeleton Key malware downgrades users’ encryption to RC4
• Let’s detect it!
• We know the user should be offered AES by the DC
  • The DC offered AES in the past
  • Judging by the domain functional level (DFL) and the user’s capabilities
• So why only RC4 now?
ATA Network Monitoring Based Detection
Scanner Based Detection
• The scanner:
  • Verifies that the DFL is relevant (Windows Server 2008 or higher, so AES is available)
  • Finds an AES-supporting account (msDS-SupportedEncryptionTypes has the AES128 (0x8) or AES256 (0x10) bit set)
  • Sends an AS-REQ to every DC offering only AES etypes
  • If it fails, there’s a good chance the DC is infected
• Publicly available for download
  • https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
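The following is an added example (not code from the deck, from ATA or from the published scanner) that puts both detection ideas from the network-monitoring slide and the scanner slide into runnable Python. The first function applies the monitoring logic to constructed AS-REP events in the shape of Windows event 4768 (user, DC, ticket encryption type: 0x17 RC4-HMAC, 0x11 AES128, 0x12 AES256) and flags users who were served AES before but now receive RC4. The second part mirrors the scanner’s preconditions (msDS-Behavior-Version 3 = Windows Server 2008 DFL; AES bits 0x8/0x10 of msDS-SupportedEncryptionTypes) and classifies constructed outcomes of an AES-only AS-REQ probe. The user names, DC names, timestamps and probe outcomes are all constructed; the error codes are the RFC 4120 values.

```python
from collections import defaultdict

# Ticket encryption types as logged in event 4768 (RFC 3961 etype numbers)
ETYPE_RC4_HMAC = 0x17
ETYPE_AES128_CTS = 0x11
ETYPE_AES256_CTS = 0x12
AES_ETYPES = {ETYPE_AES128_CTS, ETYPE_AES256_CTS}

# msDS-SupportedEncryptionTypes bits and the msDS-Behavior-Version value for a 2008 DFL
SET_AES128 = 0x08
SET_AES256 = 0x10
DFL_WINDOWS_SERVER_2008 = 3

# KRB-ERROR codes (RFC 4120) a probe might get back instead of an AS-REP
KDC_ERR_ETYPE_NOSUPP = 14
KDC_ERR_PREAUTH_FAILED = 24

# Constructed AS-REP events, chronological: "<time> <user> <dc> <ticket etype>"
SAMPLE_EVENTS = [
    "2015-09-01T08:00:01 user1 DC1 0x12",
    "2015-09-01T08:05:12 user2 DC1 0x12",
    "2015-09-01T09:10:00 user1 DC2 0x12",
    "2015-09-02T08:01:00 legacy01 DC1 0x17",  # never had AES: RC4 is its normal, not a downgrade
    "2015-09-03T08:00:10 user1 DC1 0x17",     # AES yesterday, RC4 today: the Skeleton Key signature
    "2015-09-03T08:00:30 user2 DC1 0x17",
    "2015-09-03T08:02:00 user1 DC2 0x12",     # DC2 still issues AES: DC1 is the odd one out
]


def parse_event(line):
    ts, user, dc, etype = line.split()
    return ts, user, dc, int(etype, 16)


def detect_rc4_downgrades(lines):
    """Monitoring logic from the deck: a user whom the DCs have served with AES before now
    gets an RC4 ticket. Events must be in time order. Returns {dc: [users]}."""
    has_had_aes = set()
    findings = defaultdict(set)
    for line in lines:
        _, user, dc, etype = parse_event(line)
        if etype in AES_ETYPES:
            has_had_aes.add(user)
        elif etype == ETYPE_RC4_HMAC and user in has_had_aes:
            findings[dc].add(user)
    return {dc: sorted(users) for dc, users in findings.items()}


def scanner_preconditions(dfl: int, supported_enc_types: int) -> bool:
    """The scanner's sanity checks before probing: the domain can do AES at all (DFL >= 2008)
    and the probe account advertises an AES bit, otherwise an AES-only AS-REQ would fail anyway."""
    return dfl >= DFL_WINDOWS_SERVER_2008 and bool(supported_enc_types & (SET_AES128 | SET_AES256))


def suspect_dcs(probe_results):
    """probe_results: {dc: "AS-REP" or the KRB-ERROR code returned to an AS-REQ that offered only
    AES etypes}. A clean DC completes the exchange; any other answer marks the DC as suspect."""
    return sorted(dc for dc, result in probe_results.items() if result != "AS-REP")


if __name__ == "__main__":
    print(detect_rc4_downgrades(SAMPLE_EVENTS))  # {'DC1': ['user1', 'user2']}
    probe = {"DC1": KDC_ERR_ETYPE_NOSUPP, "DC2": "AS-REP"}  # constructed probe outcome
    if scanner_preconditions(dfl=4, supported_enc_types=SET_AES256 | SET_AES128 | 0x04):
        print(suspect_dcs(probe))  # ['DC1']
```

Two things the monitoring side needs that the slide leaves implicit: a baseline (the user must have been seen with AES at least once, so RC4-only legacy accounts do not fire) and attribution to the issuing DC, since a healthy DC keeps answering the same user with AES while the patched one answers with RC4.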
Scanner Based Detection Demo
Takeaways
• Advanced attackers will target your DC - protect it!
• Downloads
  • Scanner: https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
  • Advanced Threat Analytics Preview Evaluation (90 days): https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
Questions?
More Questions? Contact us!
• Mail: {igrady,talbe} at Microsoft.com
• Twitter: @TalBeerySec, @ItaiGrady