Analysis of Malicious Security Support Provider DLLs



Similar documents
Who DIT It? Detecting and Mitigating Privilege Escalation Attacks on the Active Directory Data Store

give me the password and I'll rule the world dpapi, what else?

mimikatz 2.0 Benjamin DELPY `gentilkiwi`

Configuring Authentication for Microsoft Windows

Pass-the-Hash II: Admin s Revenge. Skip Duckwall & Chris Campbell

Michael Mayer-Gishyan NSA IT Consulting From Zero to Hero. Domain Admin in einem Tag

Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection

Windows security for n00bs part 1 Security architecture & Access Control

Persistence Mechanisms as Indicators of Compromise

Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection

MS-55096: Securing Data on Microsoft SQL Server 2012

STARTER KIT. Infoblox DNS Firewall for FireEye

Hacker s Perspective on your Windows Infrastructure: Windows 10 Mandatory Check List

VMware Horizon View for SMS PASSCODE SMS PASSCODE 2014

Securing Data on Microsoft SQL Server 2012

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

Locking down a Hitachi ID Suite server

Creating a User Profile for Outlook 2013

Administering a SQL Database Infrastructure (MS )

Session 17 Windows 7 Professional DNS & Active Directory(Part 2)

Windows XP Exchange Client Installation Instructions

Pass-the-Hash: How Attackers Spread and How to Stop Them

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

Entrust Managed Services PKI

Security in the Sauce Labs Cloud. Practices and protocols used in Sauce s infrastructure and Sauce Connect

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

Managing Local Administrator Passwords with LAPS 10/14/2015 PENN STATE SECURITY CONFERENCE

Online Payments Threats

Sophos Mobile Control Technical guide

Training module 2 Installing VMware View

Exchange 2013 mailbox setup guide

ViPNet ThinClient 3.3. Quick Start

Hosts HARDENING WINDOWS NETWORKS TRAINING

CMB 207 1I Citrix XenApp and XenDesktop Fast Track

Agenda. How to configure

How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise

Computer Security: Principles and Practice

WINDOWS REGISTRY AUDITING CHEAT SHEET - Win 7/Win 2008 or later

TZWorks Windows Event Log Viewer (evtx_view) Users Guide

Speedy Organizer. SQL Server 2008 R2 RTM Express - Installation Guide Introduction

Use Enterprise SSO as the Credential Server for Protected Sites

SharePoint 2013 Logical Architecture

Securing ArcGIS Server Services: First Steps

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

7.0 Self Service Guide

304 - APM TECHNOLOGY SPECIALIST

CXD Citrix XenDesktop 5 Administration

Information Assurance Directorate

New Zealand National Cyber Security Centre

Check list for web developers

Security in the Sauce Labs Cloud

Hi and welcome to the Microsoft Virtual Academy and

Overview Windows NT 4.0 Security Cryptography SSL CryptoAPI SSPI, Certificate Server, Authenticode Firewall & Proxy Server IIS Security IE Security

End User Devices Security Guidance: Apple OS X 10.10

Introductions. Christopher Cognetta Practice Manager Client Field Engineering Microsoft Dynamics CRM MVP

Windows Server 2008/2012 Server Hardening

SQL Server 2008 Express - Installation Guide

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Securing Administrator Access to Internal Windows Servers

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

By Skip Duckwall and Chris Campbell

TLP: GREEN FBI. FBI Liaison Alert System # A MW

GRAVITYZONE HERE. Deployment Guide VLE Environment

PowerShell for Penetration Testers

NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Member Server v

Citrix Netscaler Advanced guide for SMS PASSCODE SMS PASSCODE 2014

Integrating Web Application Security into the IT Curriculum

BUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations

BYOD Guidance: BlackBerry Secure Work Space

Professional Mailbox Software Setup Guide

Security IIS Service Lesson 6

Sage Accpac CRM 5.8. Self Service Guide

Folder Proxy + OWA + ECP/EAC Guide. Version 2.0 April 2016

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Security Options... 1

Administering a SQL Database Infrastructure

Oracle Database 11g: Security Release 2

Administering a SQL Database Infrastructure 20764; 5 Days; Instructor-led

Microsoft Administering a SQL Database Infrastructure

WHITE PAPER AUGUST 2014

BIG-IP Access Policy Manager Tech Note for BIG-IP Edge Client App for ios

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Guidance End User Devices Security Guidance: Apple OS X 10.9

Guidance End User Devices Security Guidance: Apple ios 7

MS-10775: Administering Microsoft SQL Server 2012 Databases. Course Objectives. Required Exam(s) Price. Duration. Methods of Delivery.

User Identification (User-ID) Tips and Best Practices

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Commercially Proven Trusted Computing Solutions RSA 2010

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Windows Security Environment

EASTERN ARIZONA COLLEGE Web Server Administration

"Charting the Course... Implementing Citrix NetScaler 11 for App and Desktop Solutions CNS-207 Course Summary

PowerShell Configuration Guide

Transcription:

Analysis of Malicious Security Support Provider DLLs Matt Graeber October 7, 2014 Introduction Matt Graeber FireEye Labs Advanced Reverse Engineering (FLARE) Team Malware Analyst Instructor Past Researcher US Army Red Team 中 文 翻 译 Reformed certification hoarder For fun PowerShell! PowerSploit Twitter - @mattifestation 2

Goals What are security support providers (SSP) Local security authority (LSA)/SSP architecture SSPs from an attacker s perspective Legitimate SSPs SSP internals Installation Detection Mitigation Obligatory IDA screenshot Obligatory PowerShell screenshot 3 Background A malicious security support provider (SSP) DLL was found recently during a recent IR engagement. Searching for SpLsaModeInitialize a required SSP DLL export, yielded only two unique hits in our internal malware database. The uniqueness of this type of malware warranted additional investigation 4

Definitions A security support provider (SSP) a.k.a security package: A user-mode security extension used to perform authentication during a client/server exchange. e.g. schannel (SSL) An authentication package (AP) Used to extend interactive logon authentication e.g. Enable RSA token authentication SSP/AP Can serve the tasks of SSPs and APs. Loaded in lsass. e.g. kerberos and msv1_0 (NTLM) 5 LSA Extensible Architecture The Local Security Authority (LSA) is responsible for nearly all aspects of local security on a system Authenticate and log on users Manage credentials SAM/NTDS/etc. Built-in support for message privacy and integrity LSA is extensible SSP/APs are loaded into LSA (lsass.exe) at boot Custom SSP/APs can either replace or proxy existing providers. 6

SSPI Architecture - Legitimate Client App Secur32.dll InitSecurityInterface QuerySecurityPackageInfo AcquireCredentialsHandle InitializeSecurityContext DecryptMessage EncryptMessage LSA kerberos msv1_0 wdigest 7 SSPI Architecture - Malicious Malicious Client App Secur32.dll Named Pipe Shared Memory LSA InitSecurityInterface QuerySecurityPackageInfo AcquireCredentialsHandle InitializeSecurityContext DecryptMessage EncryptMessage kerberos msv1_0 wdigest maliciousssp 8

SSP Benefits from an Attacker s Perspective Once installed, your DLL is loaded into lsass.exe! i.e. no need to inject into lsass.exe Not a well-known persistence mechanism Once loaded into lsass, you are handed an officially supported credential capture API. i.e. officially supported, Mimikatz-like functionality without needing Mimikatz 9 Common Legitimate SSPs Microsoft msv1_0.dll kerberos.dll negoexts.dll wsauth.dll 3 rd Party wsauth.dll VMWare Horizon View CTXAUTH.dll Citrix schannel.dll TSpkg.dll msoidssp.dll pku2u.dll etc. phonefactorlsa.dll PhoneFactor 10

LSA SSP Initialization Procedure 1. Inform LSA of SSP implemented functions 2. Inform SSP of available LSA support functions http://msdn.microsoft.com/library/windows/desktop/aa378339.aspx 11 SSP Development - Requirements Minimum required functions* 1. SpInitialize 2. SpShutDown 3. SpGetInfo Required Export 12

SSP Development - Implementation NTSTATUS NTAPI SpLsaModeInitialize( _In_ ULONG LsaVersion, _Out_ PULONG PackageVersion, _Out_ PSECPKG_FUNCTION_TABLE *pptables, _Out_ PULONG pctables ); Called by LSA when your SSP DLL is loaded. Only required export function Informs LSA of the functions your SSP DLL implements via PSECPKG_FUNCTION_TABLE LSA expects at a minimum, the following in PSECPKG_FUNCTION_TABLE: SpInitialize typedef struct SECPKG_FUNCTION_TABLE {... SpShutDown SpInitializeFn *Initialize; SpGetInfo SpShutdownFn *Shutdown; SpGetInfoFn SpAcceptCredentialsFn SpGetCredentialsFn SpGetUserInfoFn SpAddCredentialsFn SpSetExtendedInformationFn... } SECPKG_FUNCTION_TABLE, *PSECPKG_FUNCTION_TABLE; *GetInfo; *AcceptCredentials; *GetCredentials; *GetUserInfo; *AddCredentials; *SpChangeAccountPasswordFn; 13 SSP Development - Implementation NTSTATUS SpInitialize( _In_ ULONG_PTR PackageId, _In_ PSECPKG_PARAMETERS Parameters, _In_ PLSA_SECPKG_FUNCTION_TABLE FunctionTable ); Called by LSA after SpLsaInitialize Informs your SSP DLL the available LSA functions via PLSA_SECPKG_FUNCTION_TABLE typedef struct _LSA_SECPKG_FUNCTION_TABLE {... PLSA_GET_CREDENTIALS GetCredentials; PLSA_OPEN_SAM_USER OpenSamUser; PLSA_GET_USER_CREDENTIALS GetUserCredentials; PLSA_GET_USER_AUTH_DATA GetUserAuthData; PLSA_UPDATE_PRIMARY_CREDENTIALS UpdateCredentials; PLSA_GET_AUTH_DATA_FOR_USER GetAuthDataForUser; CredReadDomainCredentialsFn *CrediReadDomainCredentials; PLSA_PROTECT_MEMORY LsaProtectMemory; PLSA_PROTECT_MEMORY LsaUnprotectMemory; PLSA_GET_SERVICE_ACCOUNT_PASSWORD GetServiceAccountPassword;... } LSA_SECPKG_FUNCTION_TABLE, *PLSA_SECPKG_FUNCTION_TABLE; 14

SSP Development - Implementation NTSTATUS SpShutDown(void); Called at system shutdown Can simply return NULL lsass.exe will crash if this if not implemented 15 SSP Development - Implementation NTSTATUS SpGetInfo(_Out_ PSecPkgInfo PackageInfo); Provides general information about a security package Can return the following info: Name Description Capabilities etc. Must be implemented but it doesn t need to do anything. 16

SSP Installation 1.Copy the SSP DLL to %windir%\system32 Note: Because the DLL is loaded into lsass, it must be compiled for the same architecture as lsass.exe 2.Add the file name (without extension) to: HKLM\SYSTEM\CurrentControlSet\Control \Lsa\Security Packages HKLM\SYSTEM\CurrentControlSet\Control \Lsa\OSConfig\Security Packages 3. Optional: Load it into lsass immediately by calling secur32!addsecuritypackage 4. Reboot 17 Malicious SSP PoC mimilib SSP Benjamin Delpy (@gentilkiwi) recently added SSP functionality to mimilib.dll. He has yet to document or heavily advertise this functionality. Once installed and loaded into lsass.exe, it captures passwords in plaintext. This is achieved with the SpAcceptCredential callback function. 18

Malicious SSP PoC mimilib SSP 19 Malicious SSP PoC mimilib SSP %windir%\system32\kiwissp.log [00000000:000003e7] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (SYSTEM) [00000000:000003e4] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (NETWORK SERVICE) [00000000:000003e4] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (NETWORK SERVICE) [00000000:000003e7] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (SYSTEM) [00000000:000003e7] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (SYSTEM) [00000000:000527ee] [00000002] WIN-LOI4CUIDKP1\anonymous (anonymous) badpassword [00000000:00052807] [00000002] WIN-LOI4CUIDKP1\anonymous (anonymous) badpassword [00000000:00065d64] [00000002] WIN-LOI4CUIDKP1\anonymous (anonymous) badpassword [00000000:00065d7a] [00000002] WIN-LOI4CUIDKP1\anonymous (anonymous) badpassword [00000000:000003e5] [00000005] \ (LOCAL SERVICE) [00000000:000003e4] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (NETWORK SERVICE) [00000000:000003e4] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (NETWORK SERVICE) [00000000:000003e5] [00000005] \ (LOCAL SERVICE) [00000000:000003e4] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (NETWORK SERVICE) [00000000:000003e4] [00000005] WORKGROUP\WIN-LOI4CUIDKP1$ (NETWORK SERVICE) 20

Malicious SSP Mitigations Prevention Windows 8.1/Server 2012 R2 running Secure Boot with UEFI: HKLM\SYSTEM\CurrentControlSet\Control\Lsa \RunAsPPL (DWORD) = 1 Makes lsass a protected process. Forces SSP DLLs to be co-signed by Microsoft. With Secure Boot (w/ UEFI) enabled, RunAsPPL is set as a UEFI secure variable and cannot be deleted. 21 Malicious SSP Detection Windows 8.1/Server 2012 R2 only Generate event logs upon loading of an unsigned lsass module: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe AuditLevel = 8 (REG_DWORD) Reboot When an unsigned SSP is loaded, either of the following events will trigger: 3033 3066 22

Malicious SSP Detection Detection Whitelist legitimate SSP DLLs. Alert when HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages or HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\S ecurity Packages is modified to contain an SSP not in the whitelist. Alert on any DLLs that export SpLsaModeInitialize that are not in the whitelist. MIGHT be present under LSA Providers in Sysinternals Autoruns 23 Malicious SSP Mitigations Removal Remove the SSP from the following reg keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Sec urity Packages HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSC onfig\security Packages Delete the DLL from %windir%\system32 Call secur32!deletesecuritypackage? Oops! MS forgot to implement that function. Reboot 24

Malicious SSP Mitigations 25 References Registering SSP/AP DLLs Configuring Additional LSA Protection LSA Mode Initialization Mimikatz PoC SSP 26

Merci!!! Thank you Benjamin Delpy (@gentilkiwi) for the following: 1. Performing all the original research on malicious SSPs 2. Writing a PoC malicious SSP 3. Writing Mimikatz! <3 4. Patiently and enthusiastically answering all my dumb questions. 27 QUESTIONS? 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information