Authentication is the procedure for validating the digital identity of the requester or sender of information. Passwords are the most common form of authentication used today, but when passwords are leaked to the dark web, adversaries can use them to intrude into your network and cause damage.

There are different ways a hacker can obtain credentials. One way is by modifying the authentication process itself, which lets them gain access to enterprise resources and privileged or root accounts, take control of remote systems, and even move laterally to other servers using the access they have acquired.

The authentication process is handled by different entities in different operating systems. In Windows systems, it's handled by the Security Accounts Manager (SAM) and the Local Security Authority Subsystem Service (LSASS); in Unix-based systems, it's handled by pluggable authentication modules (PAM); and in macOS systems, it's handled by custom authorization plug-ins. These entities are responsible for storing the credentials and validating the credentials received against that database.

As a security professional, it is important to know where and how hackers can modify the authentication procedures. MITRE ATT&CK presents four techniques that adversaries commonly use to reveal or bypass these mechanisms. They are:

  • Domain controller authentication
  • Password filter DLL
  • Pluggable authentication modules
  • Network device authentication

Let's look at the process behind each modification technique, how to detect them, and ways to avoid them in the future.

Domain Controller Authentication

How it works

In 2015, researchers at Dell SecureWorks posted details about an in-memory malware, Skeleton Key, discovered in a customer site. When adversaries succeed in installing this malware in the domain controller (DC), it modifies the system to accept a new master password from any domain user, including admins.

The Skeleton Key malware allows adversaries to authenticate as any domain user, including admins, and access the resources those accounts can reach, even though they never learn the actual admin passwords. With the master password in place, they log in as any domain user and the logon appears legitimate.

How to detect malicious domain controller authentication

Since this is an in-memory attack, network-based intrusion detection and intrusion prevention system (IDS/IPS) tools cannot detect it. Security tools that detect threats based on both signatures and behavior should be used to detect this attack.

This section helps you uncover the clues in domain controller logs that help you detect this attack.

Event IDs to monitor:

Event ID | Description | Reason to audit
4697 | A service was installed in the system. | Used to detect whether malware has been installed as a service on the DC.
4673 | A privileged service was called. | Installing malware on the DC requires admin or higher privileges, so unusual privileged activity and DC logons must be monitored.
4611 | A trusted logon process has been registered with the Local Security Authority (LSA). | This event is logged every time the server starts and after every login. Since the malware registers a new logon process, this event helps identify rogue logon processes.

Apart from configuring your security solution to capture and analyze these events for detecting the attack, you can use a behavioral analytics tool to spot suspicious behaviors.

Configuring a user and entity behavior analytics (UEBA) tool to notify you of suspicious activities helps detect this attack. Examples include:

  • One account logging into multiple systems
  • Multiple accounts logging into the same system
  • One account logging in outside of business hours

The ideal way is to use a security information and event management (SIEM) solution that utilizes signature-based and behavior-based attack detection techniques. Obtaining a combined analysis view helps you validate suspicious events better and accurately detect DC authentication manipulation.
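As an added example (not code from the original post), the following Python rule set applies the event IDs and UEBA patterns above to a constructed sample of DC security log records. The business-hours window, the baseline of known logon process names and the service/process names in the sample are assumptions.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 19)  # assumed working day: 08:00-18:59
# Assumed baseline of logon processes seen on a healthy DC; anything else is rogue.
KNOWN_LOGON_PROCESSES = {"Winlogon", "Advapi", "Kerberos", "NtLmSsp"}

# Constructed sample records (not real telemetry): (time, event ID, account, host, detail)
SAMPLE_EVENTS = [
    ("2022-03-01T09:05:00", 4624, "CORP\\alice", "FS01", ""),
    ("2022-03-01T09:07:00", 4624, "CORP\\alice", "FS01", ""),
    ("2022-03-01T23:41:00", 4673, "CORP\\admin1", "DC01", "SeDebugPrivilege"),
    ("2022-03-01T23:42:00", 4697, "CORP\\admin1", "DC01", "service installed: EXAMPLE-SVC"),
    ("2022-03-01T23:43:00", 4611, "SYSTEM", "DC01", "logon process: EXAMPLE-LOGONPROC"),
    ("2022-03-02T00:10:00", 4624, "CORP\\bob", "FS01", ""),
    ("2022-03-02T00:12:00", 4624, "CORP\\bob", "HR01", ""),
    ("2022-03-02T00:15:00", 4624, "CORP\\bob", "DB01", ""),
    ("2022-03-02T00:20:00", 4624, "CORP\\carol", "DB01", ""),
    ("2022-03-02T00:22:00", 4624, "CORP\\dave", "DB01", ""),
]

def analyze(events, host_threshold=3, account_threshold=3):
    """Return (rule, subject) alerts for the DC event IDs and the UEBA patterns."""
    alerts = []
    hosts_per_account = defaultdict(set)   # UEBA: one account -> many systems
    accounts_per_host = defaultdict(set)   # UEBA: many accounts -> one system
    for ts, eid, account, host, detail in events:
        hour = datetime.fromisoformat(ts).hour
        if eid == 4697:
            # Any new service on a DC is worth a look; Skeleton Key is installed as one.
            alerts.append(("service installed on DC", f"{host}:{detail}"))
        elif eid == 4673 and hour not in BUSINESS_HOURS:
            alerts.append(("privileged call outside business hours", f"{account}@{host}"))
        elif eid == 4611:
            name = detail.split(":", 1)[-1].strip()
            if name not in KNOWN_LOGON_PROCESSES:
                alerts.append(("unknown logon process registered", f"{host}:{name}"))
        elif eid == 4624:  # account logon
            hosts_per_account[account].add(host)
            accounts_per_host[host].add(account)
            if hour not in BUSINESS_HOURS:
                alerts.append(("logon outside business hours", f"{account}@{host}"))
    for account, hosts in hosts_per_account.items():
        if len(hosts) >= host_threshold:
            alerts.append(("one account on many systems", account))
    for host, accounts in accounts_per_host.items():
        if len(accounts) >= account_threshold:
            alerts.append(("many accounts on one system", host))
    return alerts

if __name__ == "__main__":
    for rule, subject in analyze(SAMPLE_EVENTS):
        print(f"ALERT [{rule}] {subject}")
```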

Mitigation strategies

  • Implement multi-factor authentication (MFA): The Skeleton Key attack only works where authentication relies on passwords alone. Implementing MFA for all key servers and remote access applications is a must.
  • Conduct regular security audits: Audit all logons that use admin level credentials to find suspicious activities that indicate a potential infection. Conduct regular domain and local account audits and reduce the number of admin accounts in the network.
  • Enable LSA protection: Windows provides an additional layer of protection for the LSA process that prevents reading memory and code injection by unverified processes. You can enable LSA protection on a single computer or multiple computers in a domain.
  • Regular reboots: Because Skeleton Key lives only in memory, scheduling regular DC reboots clears the current infection. This doesn't prevent reinfection, but it forces attackers to repeat the attack every time to regain their access.

How a SIEM tool can help

SIEM tools correlate logs from multiple sources and send alerts when something suspicious is found. Beyond rules and correlations, they provide UEBA capabilities to understand the behavior of the employees and discover irregular patterns.

Let's investigate password filter DLLs in part two of this series.

© 2022 Zoho Corporation Pvt. Ltd. All rights reserved.