search
GitHubPsMapExec

Custom SSP

hashtag
Description

A Security Service Provider (SSP) is implemented via the Security Support Provider Interface (SSPI) which is part of the Windows Client Authentication Architecture.

The SSPI will dictate what protocols systems should use to authenticate between each other when communicating. The default protocol is Kerberos, however when not possible the following may also be utilized:

SSP Protocol
File Location

Negotiate SSP

C:\Windows\System32\lsasrv.dll

Kerberos SSP

C:\Windows\System32\kerberos.dll

NTLM SSP

C:\Windows\System32\msv1_0.dll

Schannel SSP

C:\Windows\System32\Schannel.dll

Digest SSP

C:\Windows\System32\Wdigest.dll

CredSSP

C:\Windows\System32\credssp.dll

hashtag
Exploitation - Persistent

It is possible to inject a custom SSP into a target Domain Controller which can be used to intercept credentials and store them for later retrieval in plain text. Mimikatz comes with the ability to perform this interception with the mimilib.dll provided.

Copying the mimilib.dll file from Mimikatz into the SYSTEM32 folder and then adding the mimilib.dll file as a security package with the below command.

# Create Key
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ /f
# Confirm changes
reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"

After completing and confirming changes, when a user next authenticates against the Domain Controller the credentials will be captured in cleartext in a file called kiwissp.txt inside SYSTEM32.

As these changes are made to the registry and a permanent file is dropping into SYSTEM32 this attack vector will persist after reboots.

hashtag
Exploitation - In Memory

The same process can be performed by injecting a new SSP provider directly into memory with Mimikatz. This technique however, will not persist after a reboot.

When someone next authenticates against the Domain Controller the file mimilsa.txt in System32 will be generated and contain cleartext logon credentials.

The below example was generated from one of the Domain Administrators called Moe logging on interactively to the Domain Controller and his resulting credentials being logged.

hashtag
Detection

  • Monitor for changes made to "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"

hashtag
Mitigation

  • Protect Domain Administrator accounts

hashtag
References

Security Support ProviderInterface:https://en.wikipedia.org/wiki/Security_Support_Provider_Interfacearrow-up-right

Security Support Providers (SSPs):https://docs.microsoft.com/en-us/windows/win32/rpc/security-support-providers-ssps-arrow-up-right

LogoSecurity Support Provider InterfaceWikipediachevron-right
LogoSecurity Support Providers (SSPs) - Win32 appsMicrosoftLearnchevron-right
Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)Active Directory & Azure AD/Entra ID Securitychevron-right

Last updated