Skeleton key malware detection owasp
Download as PPTX, PDF2 likes1,278 views
This document discusses Kerberos authentication and how the Skeleton Key attack works. It explains that the attack works by patching lsass.exe memory to reroute decryption and initialization functions, allowing extraction of encryption keys. It then notes that Microsoft Advanced Threat Analytics can help detect such attacks by learning entity behaviors, profiling activities, and identifying suspicious connections in the interaction graph.
Skeleton key malware detection owasp
- 1. OWASP IL, June 2015
- 11. waza 1234/ des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae1 f498ff41614cc7800 1cbf6e3142857cce2 566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ (Server) ④ TGS-REP ⑤ Usage User Server
- 12. • RC4-HMAC don’t have any! • RC4-HMAC don’t have any!
- 13. KDC waza 1234/ User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae1 f498ff41614cc7800 1cbf6e3142857cce2 566ce74a7f25b user rc4_hmac _nt aes256_ hmac Joe 21321… 543.. user1 cc36cf7a … 1a7ddc … Doe TGT
- 17. KDC
- 21. Check if newer keys exists Locate newer keys Patch newer keys Acess lsass.exe memory
- 22. Locate functions (to re-route) Inject patched functionsRe-route Init function Re-route Decrypt function
- 23. KDC User1 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac user rc4_hmac _nt aes256_ hmac Joe 21321… 543.. user1 cc36cf7a … 1a7ddc … TGT ff687678.... Skeleton ff687678…
- 25. Automatically… • Learn entities and their context • Profile entity activities and behaviors • Build the entities interaction graph • Identify suspicious activities • Connect suspicious activities into an Attack Timeline™ How Microsoft ATA works
Editor's Notes
- #6: http://twittersfollowers.com/wp-content/uploads/2013/03/facebook-fans.png
- #7: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
- #21: NTLM relay talk 2014 by Oren Ofer
- #27: 3 Data sources – Network traffic, AD data and SIEM events Create traps (Honeytokens) to mislead attackers