One Key to Rule Them All: Detecting the Skeleton Key Malware

Itai Grady & Tal Be’ery, Research Team, Aorato, Microsoft
{igrady,talbe} at Microsoft.com
TCE2015 Summer School, September 2015

Transcript of One Key to Rule Them All: Detecting the Skeleton Key Malware

Page 1: Title slide (title, authors and venue as above)

Page 2: (no text on slide)

Page 3: Agenda

• Intro
• The Villain: Advanced attackers
• The Damsel: Authentication in Windows
  • Active Directory (AD), Domain Controller (DC)
• Damsel in distress: Advanced attackers targeting the DC
  • The Skeleton Key malware
  • Skeleton Key malware in action: Kerberos subverted, RC4 downgrade, remote deployment
• Detection
  • Knight in shining armor: Advanced Threat Analytics (ATA)
  • Network monitoring (ATA) based detections
  • Scanner based detection

Page 4: The Villain

Page 5: Advanced Attackers

• The victim is targeted, not chosen at random
• Internal network campaign
• End goal: the organization’s secrets
  • Customers’ credit cards
  • Financial results
  • Yet-to-be-published movies
  • Source code

Image: http://www.tibco.com/blog/wp-content/uploads/2013/01/Hackers-With-An-Agenda.jpg

Page 6: Advanced Attackers’ TTPs

• TTP = Tactics, Techniques and Procedures
• The “Cyber Kill Chain” (Lockheed Martin)

Page 7: The Damsel

Page 8: Authentication & Authorization

• How do we know who you are? Authentication
• How do we know what you are allowed to do? Authorization

Page 9: Directory Services

• Central management for identities
• Authentication
  • Stores credentials: passwords, certificates, biometrics
  • Implements authentication protocols
  • Single Sign-On (SSO) token
• Authorization
  • Roles, group membership
• Directory service examples:
  • On the Internet: Google, Twitter, Live, etc.
  • On Windows networks: Active Directory (AD)

Page 10: Active Directory

• Active Directory (AD) is the directory service for Windows domain networks
• The Domain Controller (DC) is the server that runs the Active Directory service
• An AD Domain Controller authenticates and authorizes all users and computers in the domain
• Kerberos is AD’s default authentication protocol

Page 11: Active Directory in a Windows Network (diagram, no text on slide)

Page 12: The Damsel in Distress

Page 13: Why do Advanced Attackers Target DCs?

• Credentials & authentication
• Full network access
• Diskless persistency

Page 14: DC holds all credentials

• The DC holds the “keys to the kingdom”
  • All keys = full access
  • Plus special keys (“Master Key”)
• The DC handles all authentication
  • Attackers can subvert the authentication algorithm itself

Page 15: DC Talks to Everyone

• The DC’s connection graph is a star topology: every domain member talks to it
  • Attackers can move from the DC to any other target
  • No firewall issues
  • No network anomalies (at least at a high level)

Page 16: DC (almost) Never Sleeps

• Normally, to achieve persistency, malware needs to write something to disk
• Disk is much more exposed to scrutiny
• The DC is critical for normal network operations, thus (almost) never rebooted
• Therefore, DC-resident malware can be diskless and still persistent

Page 17: The Malware

Page 18: The attack campaign

• Attackers installed malware on the DC that adds a secret “Skeleton Key” to authentication
• Result:
  • The attacker can access any computer/server/resource, as any user, by using the secret key
  • Normal users’ experience remains the same: their own passwords keep working

Page 19: Skeleton Key Malware Effects Demo

• admin123 = real admin password
• P@$$w0rd1 = villain’s password

Page 20: admin123 (the real password is entered)

Page 21: (no text on slide)

Page 22: wrongpassword, malware not installed on DC

Page 23: (no text on slide)

Page 24: P@$$w0rd1, malware installed on DC

Page 25: (no text on slide)

Page 26: Oh No, Skeleton Key for All!

• Thanks to Mimikatz (the misc::skeleton module), the technique is publicly reproducible

Page 27: Kerberos – Default AD Auth Protocol

Figure (graphics by Benjamin Delpy): from the password admin123, LSASS (Kerberos) derives one key per encryption type:

  des_cbc_md5   f8fd987fa7153185
  rc4_hmac_nt   cc36cf7a8514893efccd332446158b1a   (NTLM/MD4 hash)
  aes128_hmac   8451bb37aa6d7ce3d2a5c2d24d317af3
  aes256_hmac   1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b

Message flow between the User, the KDC and the Server:
  ① AS-REQ (User → KDC)
  ② AS-REP (KDC → User): the TGT (Authentication)
  ③ TGS-REQ (User → KDC), naming the Server
  ④ TGS-REP (KDC → User): the service ticket, TGS (Authorization)
  ⑤ Usage (User → Server): the service ticket is presented to the Server

Page 28: AES vs. RC4: Password Key Derivation

• Salting
  • Goal: same password, different users = different keys
  • Key = Create-Key(password + salt)
  • AES uses the (upper-case) realm and the user name as salt
  • RC4-HMAC doesn’t have any! Its key is just the NT hash, MD4 of the UTF-16LE password
• “Key stretching”
  • Goal: increase CPU load per password guess
  • AES uses PBKDF2 = thousands of HMAC-SHA1 rounds (4096 by default)
  • RC4-HMAC doesn’t have any!
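
The two derivations side by side, as an added example (not code from the slides): the rc4_hmac_nt key is MD4 over the UTF-16LE password with no salt and no stretching (the rc4_hmac_nt value on page 27 is exactly this NT hash of admin123), while the AES keys start from PBKDF2-HMAC-SHA1 with 4096 iterations over a salt that Active Directory builds from the upper-case realm and the account name (the slide abbreviates the salt to the user name). RFC 3962 then applies one more AES-based DK() step to the PBKDF2 output; that step is left out here, so the AES values printed are the salted, stretched intermediate keys, not the final aes128/aes256 keys. The realm CONTOSO.COM and the accounts user1 and joe are constructed; MD4 is implemented inline because hashlib’s md4 is often disabled.

```python
import hashlib
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; hashlib's md4 is often disabled, so it lives here."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _lrot((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """rc4_hmac_nt key = NT hash = MD4(UTF-16LE(password)): no salt, no stretching."""
    return md4(password.encode("utf-16-le")).hex()


def aes_salt(realm: str, account: str) -> str:
    """Salt AD uses for a user principal: upper-case realm followed by the account name."""
    return realm.upper() + account


def aes_pbkdf2_stage(password: str, realm: str, account: str, key_len: int = 32) -> str:
    """Salted, stretched stage of the AES string-to-key: PBKDF2-HMAC-SHA1, 4096 rounds.
    RFC 3962's final DK() step (needs AES) is deliberately not applied."""
    salt = aes_salt(realm, account).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, key_len).hex()


def keys_for(password: str, realm: str, account: str) -> dict:
    """The two kinds of key one password yields for one account."""
    return {"rc4": nt_hash(password), "aes_stage": aes_pbkdf2_stage(password, realm, account)}


if __name__ == "__main__":
    # constructed accounts in a constructed realm; both users chose admin123
    for account in ("user1", "joe"):
        k = keys_for("admin123", "CONTOSO.COM", account)
        print(f"{account:6} rc4={k['rc4']}  aes_stage={k['aes_stage'][:16]}...")
    # The rc4 lines are identical: one unsalted key fits every account with that
    # password, which is what a single RC4 skeleton key exploits.  The aes_stage
    # lines differ per account because of the salt.
```

Running it shows the same NT hash for both accounts and two different PBKDF2 outputs; the cost difference is the 4096 HMAC rounds per guess versus a single MD4.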

Page 29: Kerberos Encryption Handshake

Figure (graphics by Benjamin Delpy): user1 logs in with admin123; LSASS (Kerberos) derives the key for each encryption type (des_cbc_md5 f8fd987fa7153185, rc4_hmac_nt cc36cf7a8514893efccd332446158b1a, aes128_hmac 8451bb37aa6d7ce3d2a5c2d24d317af3, aes256_hmac 1a7ddce7264573ae1f498ff41614cc78001cbf6e3142857cce2566ce74a7f25b). The KDC holds the same keys in its key table:

  user    rc4_hmac_nt   aes256_hmac
  Joe     21321…        543..
  user1   cc36cf7a…     1a7ddc…
  Doe     (values not shown)

Exchange between User1 and the KDC:
  ① AS-REQ: Name: user1; Etype: DES, RC4, AES128, AES256 (the client lists the etypes it supports)
  ② KRB-ERROR: Pre-auth required; Etype: RC4, AES; Salt: user1 (the KDC answers with the etypes it has keys for, and the salt)
  ③ AS-REQ with PA-ENC-TIMESTAMP, Etype: AES (the client picks the strongest common etype and proves it knows the key)
  ④ AS-REP: TGT + encrypted part, Etype: AES

Page 30: Kerberos Authentication: Over the Wire (no text on slide)

Page 31: The Skeleton Key Malware on DC

• “Adds” a “Skeleton Key” to the key table: a single RC4-HMAC key, and only RC4-HMAC
• On authentication, the “patched” DC:
  • Checks whether the user’s own key fits
  • If it does, announces the authentication successful and returns
  • If not, tries whether the “skeleton key” fits
    • If it does, announces the authentication successful
    • If not, fails the authentication
• Because the user’s key is tried first, legitimate logins are unaffected and nobody notices

Page 32: Why only RC4?

• Due to salting, the same password gives every user a different AES key
• To accept one attacker password under AES, the attacker must either:
  • Compute the per-user AES key in real time: lots of CPU
  • Precompute it offline for all users: lots of memory
• Malicious patching also becomes harder, as the attacker must intervene in more places to extract the user context (the salt)
• Attacker’s solution: downgrade to RC4, whose key is unsalted and therefore the same for every user

Page 33: The Skeleton Key Malware: Kerberos

Figure (graphics by Benjamin Delpy): the exchange of page 29 against a patched KDC. LSASS (Kerberos) still derives des_cbc_md5, rc4_hmac_nt, aes128_hmac and aes256_hmac keys for user1, and the KDC key table still holds user1’s legitimate keys (rc4_hmac_nt cc36cf7a…, aes256_hmac 1a7ddc…, next to Joe 21321… 543.. and Doe). In addition, the malware holds the attacker’s single RC4 skeleton key ff687678…, derived from the villain’s password (shown as Pa$$w0rd1 on this slide, P@$$w0rd1 on page 19).

Exchange between User1 (here the attacker, typing the villain’s password) and the patched KDC:
  ① AS-REQ: Name: user1; Etype: DES, RC4, AES128, AES256
  ② KRB-ERROR: Pre-auth required; Etype: RC4, AES; Salt: user1
  ③ AS-REQ with PA-ENC-TIMESTAMP, Etype: RC4 (the timestamp is encrypted with the key ff687678… derived from the villain’s password)
  ④ AS-REP: TGT + encrypted part, Etype: RC4 (user1’s own key did not fit, the skeleton key did)
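
The decision on page 31 and its consequence on page 32, as an added model (not the malware’s code and not from the slides). Keys are stand-ins, SHA-256 of the password, unsalted for “RC4” as the real NT hash is and salted with realm plus account for “AES” as PBKDF2 is; the encrypted pre-auth timestamp is modelled as an HMAC tag. The realm CONTOSO.COM, the account admin and the two KDC objects are constructed; the passwords follow the demo (admin123 real, P@$$w0rd1 the villain’s). The point is the control flow, not the cipher.

```python
import hashlib
import hmac

RC4_HMAC, AES256 = 23, 18        # Kerberos etype numbers
REALM = "CONTOSO.COM"            # constructed realm


def derive(password: str, etype: int, account: str = "") -> bytes:
    """Stand-in string-to-key.  Like the real NT hash, the "RC4" key ignores the
    account (no salt); like PBKDF2 in RFC 3962, the "AES" key mixes the
    realm+account salt in.  SHA-256 replaces both real derivations here."""
    salt = "" if etype == RC4_HMAC else REALM + account
    return hashlib.sha256((salt + password).encode()).digest()


def pa_enc_timestamp(key: bytes, timestamp: str) -> bytes:
    """Stand-in for the encrypted pre-auth timestamp: a tag that only the
    key holder can produce and only the key holder can check."""
    return hmac.new(key, timestamp.encode(), hashlib.sha256).digest()


class KDC:
    def __init__(self, accounts: dict, skeleton_password: str = None):
        # key table: one key per (account, etype), as the DC stores them
        self.keytab = {(u, e): derive(pw, e, u)
                       for u, pw in accounts.items() for e in (RC4_HMAC, AES256)}
        # the malware's addition: one RC4 key, not tied to any account
        self.skeleton = derive(skeleton_password, RC4_HMAC) if skeleton_password else None

    def verify_preauth(self, account: str, etype: int, tag: bytes, timestamp: str) -> str:
        def fits(key: bytes) -> bool:
            return hmac.compare_digest(pa_enc_timestamp(key, timestamp), tag)
        if fits(self.keytab[(account, etype)]):          # 1. the user's own key
            return "AS-REP (user key)"
        if self.skeleton is not None and etype == RC4_HMAC and fits(self.skeleton):
            return "AS-REP (skeleton key)"                 # 2. patched DC only, RC4 only
        return "KRB-ERROR (pre-auth failed)"


def login(kdc: KDC, account: str, password: str, etype: int,
          timestamp: str = "20150901120000Z") -> str:
    """Client side: derive the key from the typed password and send the tag."""
    tag = pa_enc_timestamp(derive(password, etype, account), timestamp)
    return kdc.verify_preauth(account, etype, tag, timestamp)


healthy = KDC({"admin": "admin123"})
patched = KDC({"admin": "admin123"}, skeleton_password="P@$$w0rd1")

if __name__ == "__main__":
    for name, kdc in (("healthy", healthy), ("patched", patched)):
        for pw, etype in (("admin123", RC4_HMAC), ("wrongpassword", RC4_HMAC),
                          ("P@$$w0rd1", RC4_HMAC), ("P@$$w0rd1", AES256)):
            print(f"{name:8} {pw:14} etype={etype:2}: {login(kdc, 'admin', pw, etype)}")
```

On the patched KDC the villain’s password is accepted only when the client authenticates with RC4; under AES the skeleton key cannot fit because the KDC would need a different, salted skeleton key per account, which is exactly why the malware forces the downgrade.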

Page 34: The Skeleton Key Malware: Deployment

• The attacker remotely installs the malware on the DC (KDC)
  • PsExec to the DC
  • Using domain admin credentials
• The malware patches several DC functions in memory
• The attacker then deletes the file from the DC and from the other computer, leaving nothing on disk

Page 35: PsExec Over the Wire

• Extracts the PsExec service binary, which will run the command
• Copies the service binary and the command file to the target over SMB
• Creates a new service that points to the copied file
• Starts the service, which executes the payload
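
The host-side trace that the PsExec sequence above leaves on a domain controller, and a correlation over it, as an added example (not from the slides and not ATA’s logic). The SMB copy shows up as a write to the ADMIN$ share (Windows event 5145 with WriteData in the access mask) and the service creation as event 7045 whose image path names the same file. Field names follow those two events; the records, the host names, the addresses and the 300-second window are constructed.

```python
WRITE_DATA = 0x2   # AccessMask bit in event 5145 meaning WriteData / AddFile

# constructed, simplified records from a DC's Security and System logs
EVENTS = [
    {"id": 5145, "time": "10:00:01", "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe",
     "access": 0x12019F, "src": "10.0.0.25", "user": "CONTOSO\\admin"},
    {"id": 5145, "time": "10:00:02", "share": "\\\\*\\ADMIN$", "target": "payload.exe",
     "access": 0x12019F, "src": "10.0.0.25", "user": "CONTOSO\\admin"},
    {"id": 7045, "time": "10:00:03", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "account": "LocalSystem"},
    {"id": 5145, "time": "10:30:00", "share": "\\\\*\\SYSVOL", "target": "Policies\\default\\gpt.ini",
     "access": 0x120089, "src": "10.0.0.7", "user": "CONTOSO\\jdoe"},
    {"id": 7045, "time": "11:00:00", "service": "MonitoringAgent",
     "image": "C:\\Program Files\\Agent\\agent.exe", "account": "LocalSystem"},
]


def _seconds(hhmmss: str) -> int:
    h, m, s = (int(p) for p in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_remote_exec(events: list, window: int = 300) -> list:
    """Flag service installs (7045) whose binary was just written to ADMIN$
    over SMB (5145 with WriteData): the PsExec pattern.  The default PsExec
    service name PSEXESVC is flagged on its own as well."""
    written = []   # (seconds, basename, source address, user)
    alerts = []
    for ev in sorted(events, key=lambda e: _seconds(e["time"])):
        if (ev["id"] == 5145 and ev["share"].upper().endswith("ADMIN$")
                and ev["access"] & WRITE_DATA):
            written.append((_seconds(ev["time"]), _basename(ev["target"]), ev["src"], ev["user"]))
        elif ev["id"] == 7045:
            now = _seconds(ev["time"])
            reasons, src = [], None
            for when, name, ip, user in written:
                if name == _basename(ev["image"]) and 0 <= now - when <= window:
                    reasons.append(f"binary written to ADMIN$ {now - when}s earlier by {user} from {ip}")
                    src = ip
            if ev["service"].upper() == "PSEXESVC":
                reasons.append("default PsExec service name")
            if reasons:
                alerts.append({"time": ev["time"], "service": ev["service"],
                               "src": src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate_remote_exec(EVENTS):
        print(alert["time"], alert["service"], alert["src"], "; ".join(alert["reasons"]))
```

On a DC, a service whose binary arrived over ADMIN$ seconds earlier is worth an alert regardless of the service name; the name check only catches an attacker who did not bother to rename PsExec.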

Page 36: Detection

Page 37: How Microsoft ATA works

Automatically…
• Learn entities and their context
• Profile entity activities and behaviors
• Build the entity interaction graph
• Identify suspicious activities
• Connect suspicious activities into an Attack Timeline™

Page 38: Microsoft Advanced Threat Analytics

1. ANALYZE: ATA analyzes all Active Directory-related traffic and collects relevant events from the SIEM
2. LEARN: ATA automatically learns all entities’ behaviors
3. DETECT: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses, and constructs an attack timeline

Page 39: Attack Timeline™

1. Abnormal behavior
  • Anomalous logins
  • Abnormal behavior
  • Unknown threats
  • Password sharing
  • Lateral movement
2. Security risks
  • Weak protocols
  • Known protocol vulnerabilities
  • Broken trust
3. Attacks in real time
  • Pass-the-Ticket (PtT)
  • Pass-the-Hash (PtH)
  • Forged PAC (MS14-068)
  • Reconnaissance
  • Brute force

Page 40: Detecting Remote Code Execution on DC (no text on slide)

Page 41: Network Monitoring Based Detection

• The Skeleton Key malware downgrades users’ encryption to RC4
• Let’s detect it! We know the user should be offered AES by the DC:
  • The DC offered AES to this user in the past
  • Judging by the domain functional level (DFL) and the user account’s capabilities, AES should be available
• So why only RC4 now?
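
A minimal passive rule in the spirit of this slide, as an added example (not ATA’s detection code). It learns, per user, the strongest encryption type the KDC has offered or used so far, and alerts when a DC offers an AES-capable user, on a 2008-or-later DFL, nothing stronger than RC4. The observations are constructed summaries of AS exchanges (DC names, users, times, the msDS-SupportedEncryptionTypes values and the strength ranking are all assumptions of the example).

```python
ETYPE = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
         17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
STRENGTH = {1: 0, 3: 0, 23: 1, 17: 2, 18: 3}   # ranking assumed for this example
AES_BITS = 0x8 | 0x10                           # msDS-SupportedEncryptionTypes AES128 | AES256
DFL_2008 = 3                                    # msDS-Behavior-Version of a Windows Server 2008 DFL

# constructed observations: (time, DC, user, etypes the KDC offered in its
# KRB-ERROR ETYPE-INFO2, etype of the resulting AS-REP)
OBSERVATIONS = [
    ("09:00", "DC1", "user1", (23, 17, 18), 18),
    ("09:05", "DC2", "joe",   (23, 17, 18), 18),
    ("09:30", "DC1", "joe",   (23, 17, 18), 18),
    ("11:00", "DC1", "user1", (23,),        23),   # DC1 now offers RC4 only
    ("11:02", "DC1", "joe",   (23,),        23),
    ("11:10", "DC2", "user1", (23, 17, 18), 18),   # DC2 unchanged
]
ACCOUNT_ETYPES = {"user1": 0x1C, "joe": 0x1C}       # constructed: RC4 | AES128 | AES256


def detect_downgrades(observations, account_etypes, dfl=DFL_2008):
    """Alert when a DC offers an AES-capable user, who has been served AES
    before, nothing stronger than RC4.  The per-user baseline is learned
    from the traffic itself, as the slide describes."""
    best_seen = {}      # user -> strongest etype strength observed so far
    alerts = []
    for when, dc, user, offered, used in observations:
        offered_best = max(STRENGTH[e] for e in offered)
        aes_expected = (dfl >= DFL_2008
                        and account_etypes.get(user, 0) & AES_BITS
                        and best_seen.get(user, 0) >= STRENGTH[17])
        if aes_expected and offered_best < STRENGTH[17]:
            alerts.append((when, dc, user,
                           "offered only " + "/".join(ETYPE[e] for e in offered)))
        best_seen[user] = max(best_seen.get(user, 0), offered_best, STRENGTH[used])
    return alerts


def suspicious_dcs(alerts) -> set:
    """The DCs that produced downgrade alerts: where to run the scanner next."""
    return {dc for _, dc, _, _ in alerts}


if __name__ == "__main__":
    found = detect_downgrades(OBSERVATIONS, ACCOUNT_ETYPES)
    for alert in found:
        print(*alert)
    print("DCs to inspect:", suspicious_dcs(found))
```

Both 11:00 exchanges on DC1 fire while DC2 stays quiet; the DFL and account checks keep the rule from alerting in domains where RC4 is all the account was ever entitled to.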

Page 42: ATA Network Monitoring Based Detection (no text on slide)

Page 43: Scanner Based Detection

• The scanner:
  • Verifies that the DFL is relevant (Windows Server 2008 or later, where AES is supported)
  • Finds an AES-supporting account (an AES bit, 0x8 for AES128 or 0x10 for AES256, set in msDS-SupportedEncryptionTypes; the slide writes this as msds-supportedencryptiontypes >= 8)
  • Sends an AS-REQ to every DC that lists only AES encryption types as supported
  • If a DC rejects it, there’s a good chance that DC is infected: a healthy DC holding AES keys for the account has no reason to refuse
• Publicly available for download: https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
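
The scanner’s four steps run against two simulated KDCs, as an added example (not the Aorato scanner’s code). A healthy KDC answers an AS-REQ whose only etypes are AES with the usual pre-auth-required error naming an AES etype; a KDC that has been reduced to RC4-HMAC finds no usable etype and answers KDC_ERR_ETYPE_NOSUPP. The SimKDC class, the DC names, the DFL value and the account’s attribute mask are constructed; the error codes and etype numbers are the standard Kerberos ones.

```python
ETYPE_AES128, ETYPE_AES256, ETYPE_RC4 = 17, 18, 23
KDC_ERR_ETYPE_NOSUPP = 14          # KDC has no support for encryption type
KDC_ERR_PREAUTH_REQUIRED = 25      # normal first answer: pre-auth needed, etype info attached
AES_BITS = 0x8 | 0x10              # msDS-SupportedEncryptionTypes AES128 | AES256
DFL_2008 = 3                       # msDS-Behavior-Version of a Windows Server 2008 DFL


class SimKDC:
    """Constructed stand-in for a DC's KDC: it knows which etypes it can still
    use for the account (a patched DC has been reduced to RC4)."""
    def __init__(self, name: str, etypes: tuple):
        self.name, self.etypes = name, tuple(etypes)   # KDC preference order

    def as_req(self, client_etypes: tuple):
        """Etype selection for pre-auth: first KDC etype the client also lists."""
        usable = [e for e in self.etypes if e in client_etypes]
        if not usable:
            return KDC_ERR_ETYPE_NOSUPP, None
        return KDC_ERR_PREAUTH_REQUIRED, usable[0]     # ETYPE-INFO2 would carry this etype


def scan(dcs, dfl: int, account_etype_mask: int) -> dict:
    """The slide's four steps; returns a verdict per DC."""
    if dfl < DFL_2008:
        return {dc.name: "skipped: DFL below 2008, AES not expected" for dc in dcs}
    if not account_etype_mask & AES_BITS:
        return {dc.name: "skipped: no AES-capable account to test with" for dc in dcs}
    verdicts = {}
    for dc in dcs:
        err, etype = dc.as_req((ETYPE_AES256, ETYPE_AES128))   # AS-REQ offering AES only
        if err == KDC_ERR_ETYPE_NOSUPP:
            verdicts[dc.name] = "SUSPICIOUS: refuses AES for an AES-capable account"
        else:
            verdicts[dc.name] = f"ok: pre-auth offered with etype {etype}"
    return verdicts


DCS = [SimKDC("DC1", (ETYPE_AES256, ETYPE_AES128, ETYPE_RC4)),   # healthy
       SimKDC("DC2", (ETYPE_RC4,))]                               # patched: RC4 only

if __name__ == "__main__":
    for name, verdict in scan(DCS, dfl=DFL_2008, account_etype_mask=0x1C).items():
        print(name, verdict)
```

The two pre-checks matter: without an AES-capable account on a 2008-or-later DFL, a refusal of AES is expected and says nothing about the DC.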

Page 44: Scanner Based Detection Demo

Page 46: (no text on slide)

Page 47: Questions?

Page 48: More Questions? Contact us!

• Mail: {igrady,talbe} at Microsoft.com
• Twitter: @TalBeerySec, @ItaiGrady