Forum Discussion
Suspected skeleton key attack (encryption downgrade)
Start with this guide to diagnose the problem
Unless you changed something in the cipher suite which is now using something not standard, I don't think it's the issue.
EliOfek So are we saying that if we see this there is zero chance it's just a misconfigured DC and that it's 100% confident that it's an instance of malware/malicious intent, etc?
Use this info to verify:
https://www.virusbulletin.com/virusbulletin/2016/01/paper-digital-bian-lian-face-changing-skeleton-key-malware
Run this to remove:
https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
And I'm guessing it's a case of checking all the rest of the DC's and Servers in the vicinity that can be touched as well...?
- EliOfek, Jan 09, 2020, Microsoft
David Caddick I am not familiar with the first link; the second one is to scan, and it's a good idea to use it and see what it says.
Unless you can provide a legit reason why in this case the encryption was downgraded, I would not rule out malware.
To research deeper, an engineer needs to look at the actual data, which is not suitable for a forum 🙂
If you need more confidence on how to handle it, I suggest opening a ticket with support, who can help.
- David Caddick, Jan 09, 2020, Iron Contributor
So checking this from MS https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
Gives me this result?
PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner> C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner\AoratoSkeletonScan.ps1
Domain Functional Level (DFL) must be at least 2008 to test, current DFL of domain xxxxxxxxx.au is Windows2008R2Domain so the check is valid
xxxxxxxDCS01.xxxxxxx.au DC supports AES as it should.
xxxxxxxDC1.xxxxxxxx.au DC supports AES as it should.
xxxxDCS02.xxxxxxxx.au DC supports AES as it should.
xxxxxxxxxS01.xxxxxxxxx.au DC supports AES as it should.
xxxxxxxDCSS01.xxxxxxxxx.au DC supports AES as it should.
xxxxxxDC2.xxxxxxxxx.au DC supports AES as it should.
xxxxxxxxADSSS02.xxxxxxxxx.au DC supports AES as it should.
xxxxxxxxADSPR01.xxxxxxxxx.au DC supports AES as it should.
checked 8 DCs out of 8 in domain xxxxxxxxx.au. None of the checked DCs were found infected
PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner>
Does this mean this system is clean?
Is this check authoritative?
Cause this seems to contradict the details from Azure ATP?
How can I cross-reference the two pieces of information and clear this as either a TP or FP?
Digging a bit deeper in MCAS I have discovered this:
https://portal.cloudappsecurity.com/#/identity-security-posture/weak-ciphers
This shows that we have at least 20 devices using RC4 over Kerberos that are generating over 1,000 activities per month - would it be fair to say that this is quite possibly just due to older systems that need updating?
Thanks,
Dave C
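One way to cross-reference the Azure ATP "encryption downgrade" alert with the MCAS weak-cipher report is to pull the Kerberos ticket events from a DC and see exactly which accounts and client addresses are still being issued RC4 tickets, then compare that against what AD says each account supports. The script below is an added example written for this thread; it is not part of the Aorato scanner, Azure ATP or anything posted above. It assumes Kerberos ticket auditing (events 4768/4769) is enabled on the DC, that the ActiveDirectory module is installed where it runs, and that the event data uses the standard field names (TicketEncryptionType, TargetUserName, IpAddress, ServiceName).

```powershell
# Added example (not from the thread or the Aorato scanner): tie an "encryption
# downgrade" alert to specific accounts and hosts by looking at which Kerberos
# tickets a DC issued with RC4, then checking whether AD explains that.
# Assumptions: Security auditing for Kerberos ticket operations is enabled,
# the ActiveDirectory module is present, and standard 4768/4769 field names.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query
    [int]$Hours = 24                              # how far back to look
)

# Kerberos etype values as they appear in TicketEncryptionType (hex strings).
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769        # TGT requests and service ticket requests
    StartTime = $since
} -ErrorAction Stop

# Flatten each event's EventData into an object we can group and filter on.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        # 4769 logs the account as user@REALM, 4768 as a bare name; normalise.
        Account   = ($data['TargetUserName'] -split '@')[0]
        Service   = $data['ServiceName']
        ClientIP  = $data['IpAddress']
        EtypeCode = $data['TicketEncryptionType']
        Etype     = $EtypeNames[$data['TicketEncryptionType']]
    }
}

# 1. Overall etype breakdown. A 2008 R2 or later domain with modern clients
#    should be dominated by 0x12/0x11; a sudden shift to 0x17 is the signal
#    Azure ATP is alerting on.
$rows | Group-Object Etype | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 2. Which account/client pairs are receiving RC4 tickets? Legacy devices
#    will show up here consistently; a downgrade of AES-capable accounts is
#    what needs a closer look.
$rc4 = $rows | Where-Object { $_.EtypeCode -eq '0x17' }
$rc4 | Group-Object Account, ClientIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account, ClientIP'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 3. Cross-check against AD. msDS-SupportedEncryptionTypes bits:
#    0x4 = RC4, 0x8 = AES128, 0x10 = AES256. An account that advertises AES
#    but keeps getting RC4 tickets from this DC deserves investigation;
#    an account with no AES bits (historically the case for older systems
#    that never had the attribute set) is the usual benign explanation.
Import-Module ActiveDirectory
$rc4 | Select-Object -ExpandProperty Account -Unique | ForEach-Object {
    $acct = $_
    $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$acct)" `
        -Properties msDS-SupportedEncryptionTypes -ErrorAction SilentlyContinue
    $ets  = if ($obj) { [int]$obj.'msDS-SupportedEncryptionTypes' } else { $null }
    [pscustomobject]@{
        Account      = $acct
        FoundInAD    = [bool]$obj
        SupportedETs = $ets
        RC4Allowed   = [bool]($ets -band 0x4)
        AESAllowed   = [bool]($ets -band 0x18)
        RC4Tickets   = ($rc4 | Where-Object { $_.Account -eq $acct }).Count
    }
} | Sort-Object RC4Tickets -Descending | Format-Table -AutoSize
```

Read the third table with one caveat in mind: the etype a DC issues is negotiated with what the client requested as well as what the account supports, so an AES-capable service account can legitimately get RC4 tickets from an old client. The rows worth escalating are the ones where both the client host and the account are AES-capable and RC4 tickets are still being issued, because that is the pattern a skeleton-key-style downgrade on the DC produces and a legacy-device explanation does not cover.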
- spyvou, May 09, 2021, Copper Contributor
David Caddick can you please tell me where to find aoratoskeletonkey?
I can't find it on https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
Best Regards
- David Caddick, Jan 09, 2020, Iron Contributor
EliOfek Thanks, we'll get started on that tomorrow to rule it out authoritatively