
Skeleton key malware detection owasp


Page 1: Skeleton key malware detection owasp

Itai Grady & Tal Be’ery
Research Team, Aorato, Microsoft
{igrady,talbe} at Microsoft.com

One Key to Rule Them All: Detecting the Skeleton Key Malware

OWASP IL, June 2015

Page 2: Skeleton key malware detection owasp
Page 3: Skeleton key malware detection owasp

Agenda

• Intro
• Web Apps and Authentication
• Authentication in Windows Environment:
  • Active Directory (AD) & Domain Controller (DC), Kerberos Authentication
• The Skeleton Key malware
  • Deployment, Patching DC, RC4 downgrade
• Detection
  • Advanced Threat Analytics (ATA) intro
  • ATA detections:
    • Remote Code Execution on DC
    • Skeleton Key Malware detection
  • Script based Skeleton Key Malware detection

Page 4: Skeleton key malware detection owasp

Intro

Page 5: Skeleton key malware detection owasp

Web App authentication

• So you have written a web app!
• Yet something is missing… Users!
  • How do we know who you are? Authentication
  • How do we know what you are allowed to do? Authorization

Page 6: Skeleton key malware detection owasp

Authentication: OWASP Top 10

• Many things can go wrong…
• Authentication vulnerabilities are considered the #2 worst threat, right after Injections!

Page 7: Skeleton key malware detection owasp

If You Want to Keep a Secret…

• Hide it from yourself: “out-source” authentication!
• Use an existing directory service
  • On the Internet: Google, Twitter, Live, etc.
  • On Windows networks: Active Directory (AD)
• Plus get extra value: Single Sign-On, next-gen authentication, central management, etc.

Page 8: Skeleton key malware detection owasp

Time for a Meme

Page 9: Skeleton key malware detection owasp

Active Directory

• Active Directory (AD) is a directory service for Windows domain networks
• Domain Controller (DC) is the server that runs the Active Directory service
• An AD Domain Controller authenticates and authorizes all users and computers

Page 10: Skeleton key malware detection owasp

Active Directory in a Windows Network

Page 11: Skeleton key malware detection owasp

Kerberos – Default AD Auth Protocol

[Diagram by Benjamin Delpy: the keys LSASS (kerberos) derives from the password waza1234/, and the Kerberos exchange between the user, the KDC and the server]

Keys derived from the password waza1234/:
• des_cbc_md5: f8fd987fa7153185
• rc4_hmac_nt (NTLM/md4): cc36cf7a8514893efccd332446158b1a
• aes128_hmac: 8451bb37aa6d7ce3d2a5c2d24d317af3
• aes256_hmac: 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b

The exchange:
① AS-REQ (user → KDC)
② AS-REP (KDC → user: TGT)
③ TGS-REQ (user → KDC, for the server)
④ TGS-REP (KDC → user: TGS)
⑤ Usage (user → server)

• Authentication
• Authorization

Page 12: Skeleton key malware detection owasp

Deriving Keys from Passwords

• Salting
  • Goal: same password, different users = different keys
  • Create-Key(pw + salt)
  • AES uses the username for salt
  • RC4-HMAC doesn’t have any!
• “Key Stretching”
  • Goal: increase CPU load per password
  • AES uses PBKDF2 = thousands of SHA rounds
  • RC4-HMAC doesn’t have any!

Page 13: Skeleton key malware detection owasp

Kerberos Authentication In Depth

[Diagram by Benjamin Delpy: User1’s LSASS (kerberos) holds the des_cbc_md5, rc4_hmac_nt (NTLM/md4), aes128_hmac and aes256_hmac keys derived from waza1234/ (values as on the Kerberos slide above); the KDC holds the key table]

KDC key table:
user  | rc4_hmac_nt | aes256_hmac
Joe   | 21321…      | 543..
user1 | cc36cf7a…   | 1a7ddc…
Doe   |             |

Pre-authentication exchange:
① AS-REQ – Name: user1; Etype: DES, RC4, AES128, AES256
② KERB-ERR – Pre-auth-REQ; Etype: RC4, AES; Salt: user1
③ AS-REQ – PA-ENC-TS; Etype: AES
④ AS-REP – TGT + Enc; Etype: AES

Page 14: Skeleton key malware detection owasp

The Malware

Page 15: Skeleton key malware detection owasp

The attack campaign

• Attackers installed malware on the DC so that they can authenticate as any user with a secret key
• Result:
  • Attacker can access any user account with the secret key
  • Users’ experience remains the same

Page 16: Skeleton key malware detection owasp

Oh No, Skeleton Key for All!

• Thanks to Mimikatz

Page 17: Skeleton key malware detection owasp

The Skeleton Key Malware: Deployment

• Attacker installs the malware remotely
  • PSEXEC to DC
  • Domain admin credentials
• Malware changes several DC functions
• Attacker deletes the file from the DC and the other computer

[Diagram: the KDC]

Page 18: Skeleton key malware detection owasp

PSEXEC Over the Wire

• Extracts the psexec service which controls the command
• Copies the service and the command file over SMB
• Creates a new service that points to the file
• Starts the service to execute the payload

Page 19: Skeleton key malware detection owasp

The Skeleton Key Malware on DC

• “Adds” a “Skeleton key” to the key table
  • Only an RC4-HMAC key = NTLM hash
• On authentication the “patched” KDC:
  • Checks whether the user’s key fits
  • If it does, announces the authentication successful and returns
  • If not, tries whether the “skeleton key” fits
    • If it does, announces the authentication successful
    • If not, fails the authentication

Page 20: Skeleton key malware detection owasp

Why only RC4?

• Due to salting, the same password yields different AES keys for different users
• Attacker must either:
  • Compute AES keys in real time – lots of CPU
  • Compute them offline for all users – lots of memory
• Malicious patching becomes harder, as the attacker must intervene in more places to extract the user context
• Attacker’s solution: downgrade to RC4

Page 21: Skeleton key malware detection owasp

Mimikatz Skeleton: Patch New Enc-Keys

[Annotated source screenshot]
• Check if newer keys exist
• Locate newer keys
• Patch newer keys
• Access lsass.exe memory

Page 22: Skeleton key malware detection owasp

Mimikatz Skeleton: Re-route Functions

[Annotated source screenshot]
• Locate functions (to re-route)
• Inject patched functions
• Re-route Init function
• Re-route Decrypt function

Page 23: Skeleton key malware detection owasp

The Skeleton Key Malware: Kerberos

[Diagram by Benjamin Delpy: User1’s LSASS (kerberos) holds des_cbc_md5, rc4_hmac_nt (NTLM/md4), aes128_hmac and aes256_hmac keys; the patched KDC’s key table now also holds the skeleton key ff687678…]

KDC key table:
user     | rc4_hmac_nt | aes256_hmac
Joe      | 21321…      | 543..
user1    | cc36cf7a…   | 1a7ddc…
Skeleton | ff687678…   |

Exchange with the patched KDC:
① AS-REQ – Name: user1; Etype: DES, RC4, AES128, AES256
② KERB-ERR – Pre-auth-REQ; Etype: RC4, AES; Salt: user1
③ AS-REQ – PA-ENC-TS; Etype: RC4
④ AS-REP – TGT + Enc; Etype: RC4 (RC4 key ff687678…)

Page 24: Skeleton key malware detection owasp

Detection

Page 25: Skeleton key malware detection owasp

How Microsoft ATA works

Automatically…
• Learn entities and their context
• Profile entity activities and behaviors
• Build the entities interaction graph
• Identify suspicious activities
• Connect suspicious activities into an Attack Timeline™

Page 26: Skeleton key malware detection owasp

Detecting Remote Code Execution on DC

Page 27: Skeleton key malware detection owasp

Detecting a Skeleton Key Malware

• Skeleton Key malware downgrades users’ encryption to RC4
• Let’s detect it!
  • We know the user should be offered AES by the DC
    • The DC offered AES in the past
    • Judging by the DFL and the user’s capabilities
  • Why only RC4 now?

Page 28: Skeleton key malware detection owasp

Detecting Skeleton Key

Page 29: Skeleton key malware detection owasp

Detecting with a script

• The script:
  • Verifies whether the DFL is relevant (>= 2008)
  • Finds an AES-supporting account (msDS-SupportedEncryptionTypes >= 8)
  • Sends an AS-REQ to all DCs with only the AES E-type supported
  • If it fails, there’s a good chance the DC is infected
• Publicly available for download
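An added example (not the authors’ script and not ATA code) of the detection logic from the two slides above, run over constructed AS-REP records: a user is expected to get AES if a DC already served it AES, or if the DFL (>= 2008) and the account’s msDS-SupportedEncryptionTypes AES bits say it can; an RC4-encrypted AS-REP for such a user is flagged as a downgrade. The event tuples, account values and DC names are constructed sample data.

```python
# msDS-SupportedEncryptionTypes bit flags (documented Windows values); only the AES bits matter here.
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

def dfl_is_relevant(domain_functional_level: int) -> bool:
    # AES Kerberos keys need a Windows Server 2008 or later domain functional level.
    return domain_functional_level >= 2008

def account_supports_aes(msds_supported_enctypes: int) -> bool:
    # The slide's "msDS-SupportedEncryptionTypes >= 8" test, expressed as a bit test on the AES flags.
    return bool(msds_supported_enctypes & (AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96))

def expect_aes(user: str, served_aes_before: set, account_enctypes: dict, dfl: int) -> bool:
    # A user "should be offered AES" if a DC already served it AES, or if the DFL and the
    # account's advertised enctypes say it can use AES.
    return user in served_aes_before or (
        dfl_is_relevant(dfl) and account_supports_aes(account_enctypes.get(user, 0)))

def find_rc4_downgrades(events, account_enctypes: dict, dfl: int):
    # events: ordered (timestamp, dc, user, etype of the AS-REP enc-part) tuples, as a collector might log them.
    served_aes = set()   # users the domain has already served AES to (the "offered AES in the past" baseline)
    alerts = []
    for ts, dc, user, etype in events:
        if etype.startswith("aes"):
            served_aes.add(user)
        elif etype == "rc4_hmac" and expect_aes(user, served_aes, account_enctypes, dfl):
            alerts.append({"time": ts, "dc": dc, "user": user,
                           "reason": "AS-REP encrypted with RC4 although AES was expected"})
    return alerts

# Constructed sample data (not real telemetry): DFL 2008, user1 AES-capable, joe a legacy RC4-only account.
SAMPLE_DFL = 2008
SAMPLE_ENCTYPES = {"user1": AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96, "joe": RC4_HMAC}
SAMPLE_EVENTS = [
    ("2015-06-01T08:00:00Z", "dc1", "user1", "aes256_cts_hmac_sha1_96"),
    ("2015-06-01T08:05:00Z", "dc2", "joe", "rc4_hmac"),      # joe never could use AES: no alert
    ("2015-06-02T09:00:00Z", "dc1", "user1", "rc4_hmac"),    # downgrade on dc1: alert
    ("2015-06-02T09:01:00Z", "dc2", "doe", "rc4_hmac"),      # unknown account, no baseline: no alert
]

if __name__ == "__main__":
    for alert in find_rc4_downgrades(SAMPLE_EVENTS, SAMPLE_ENCTYPES, SAMPLE_DFL):
        print(alert)
```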

Page 30: Skeleton key malware detection owasp

Script Detects the Skeleton Key Malware

Page 32: Skeleton key malware detection owasp
Page 33: Skeleton key malware detection owasp

Questions?

Page 34: Skeleton key malware detection owasp

More Questions? Contact us!

• Mail: {igrady,talbe} at Microsoft.com
• Twitter: @TalBeerySec, @ItaiGrady