Microsoft Tech Community

Suspected skeleton key attack (encryption downgrade)


We are seeing this error on a couple of recently built 2016 Servers:

 

Suspected skeleton key attack (encryption downgrade)

<server> offered a weaker encryption method (RC4) for the authentication of <user> on <laptop>


 

Simply setting the order of the Cipher suite seems to be a viable solution?

https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/

 

Can anyone confirm:

How to replicate the error?

Does this work in fixing it?

 

Thanks

Dave C

 

@Tim Xu 


@David Caddick 

Start with this guide to diagnose the problem

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-domain-dominance-alerts#suspec...

 

Unless you changed something in the cipher suite which is now using something not standard, I don't think it's the issue.

@Eli Ofek So are we saying that if we see this there is zero chance it's just a misconfigured DC and that it's 100% confident that it's an instance of malware/malicious intent, etc?

 

Use this info to verify:

https://www.virusbulletin.com/virusbulletin/2016/01/paper-digital-bian-lian-face-changing-skeleton-k...

 

Run this to remove:

https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

 

And I'm guessing it's a case of checking all the rest of the DCs and Servers in the vicinity that can be touched as well...?

 

@David Caddick I am not familiar with the first link, the second one is to scan, and it's a good idea to use it and see what it says.

Unless you can provide a legit reason why in this case the encryption was downgraded, I would not rule out malware.

 

To research deeper, an engineer needs to look at the actual data, which is not suitable for a forum :)

If you need more confidence on how to handle it, I suggest opening a ticket with support, who can help.

@Eli Ofek Thanks, we'll get started on that tomorrow to rule it out authoritatively

@Eli Ofek 

 

So checking this from MS https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

Gives me this result?

 

PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner> C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner\AoratoSkeletonScan.ps1

Domain Functional Level (DFL) must be at least 2008 to test, current DFL of domain xxxxxxxxx.au is Windows2008R2Domain so the check is valid

xxxxxxxDCS01.xxxxxxx.au DC supports AES as it should.

xxxxxxxDC1.xxxxxxxx.au DC supports AES as it should.

xxxxDCS02.xxxxxxxx.au DC supports AES as it should.

xxxxxxxxxS01.xxxxxxxxx.au DC supports AES as it should.

xxxxxxxDCSS01.xxxxxxxxx.au DC supports AES as it should.

xxxxxxDC2.xxxxxxxxx.au DC supports AES as it should.

xxxxxxxxADSSS02.xxxxxxxxx.au DC supports AES as it should.

xxxxxxxxADSPR01.xxxxxxxxx.au DC supports AES as it should.

checked 8 DCs out of 8 in domain xxxxxxxxx.au. None of the checked DCs were found infected

 

PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner> 

 

Does this mean this system is clean?

Is this check authoritative?

Because this seems to contradict the details from Azure ATP?

How can I cross-reference the two pieces of information and clear this as either a TP or FP?

 

Digging a bit deeper in MCAS I have discovered this:

https://portal.cloudappsecurity.com/#/identity-security-posture/weak-ciphers

This shows that we have at least 20 devices using RC4 over Kerberos that are generating over 1,000 activities per month - would it be fair to say that this is quite possibly just due to older systems that need updating? 

 

Thanks,

Dave C
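A triage heuristic for the RC4-over-Kerberos question above, added here as an example that is not part of the thread or of the Microsoft scanner: it reads 4768/4769 ticket events and compares each RC4 ticket against the msDS-SupportedEncryptionTypes of the service account whose key encrypted it, so RC4 issued for a service that advertises AES stands out from RC4 issued for a genuinely RC4-only legacy service. The account table, event lines, addresses and realm are constructed samples, and the flattened "Field=value" line shape is an assumed export format.

```python
import re

# Bits of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE).
SUPPORTS_RC4 = 0x04
SUPPORTS_AES = 0x08 | 0x10            # AES128-CTS | AES256-CTS
# TicketEncryptionType values as rendered in Security events 4768/4769.
ETYPE_NAMES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC"}
RC4 = 0x17

# Constructed sample of service accounts and their advertised etypes (hypothetical, not from the thread).
SERVICE_ACCOUNTS = {
    "fs01$": SUPPORTS_AES | SUPPORTS_RC4,   # 2016 member server: AES-capable
    "dc1$": SUPPORTS_AES | SUPPORTS_RC4,
    "svc_oldapp": SUPPORTS_RC4,            # legacy service account, RC4 only
}

# Constructed sample events in a flattened "Field=value" form (hypothetical export, not real log data).
SAMPLE_EVENTS = [
    "EventID=4769 AccountName=dave.c@CORP.EXAMPLE ServiceName=fs01$ ClientAddress=::ffff:10.0.0.21 TicketEncryptionType=0x17",
    "EventID=4769 AccountName=dave.c@CORP.EXAMPLE ServiceName=dc1$ ClientAddress=::ffff:10.0.0.21 TicketEncryptionType=0x12",
    "EventID=4769 AccountName=batch@CORP.EXAMPLE ServiceName=svc_oldapp ClientAddress=::ffff:10.0.0.50 TicketEncryptionType=0x17",
    "EventID=4768 AccountName=dave.c@CORP.EXAMPLE ServiceName=krbtgt ClientAddress=::ffff:10.0.0.21 TicketEncryptionType=0x12",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def classify(event, accounts):
    """Label an RC4 ticket as expected (service is RC4-only) or unexpected (service advertises AES)."""
    etype = int(event["TicketEncryptionType"], 16)
    if etype != RC4:
        return "strong"
    supported = accounts.get(event["ServiceName"].lower())
    if supported is None:
        return "unknown-service"
    return "unexpected-rc4" if supported & SUPPORTS_AES else "expected-rc4"

def triage(lines, accounts):
    """Return one (client, service, etype name, verdict) row per event plus RC4 ticket counts per client."""
    rows, rc4_by_client = [], {}
    for line in lines:
        ev = parse_event(line)
        etype = int(ev["TicketEncryptionType"], 16)
        rows.append((ev["ClientAddress"], ev["ServiceName"], ETYPE_NAMES.get(etype, "unknown"), classify(ev, accounts)))
        if etype == RC4:   # clients that keep getting RC4 are the "older systems" candidates
            rc4_by_client[ev["ClientAddress"]] = rc4_by_client.get(ev["ClientAddress"], 0) + 1
    return rows, rc4_by_client

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, SERVICE_ACCOUNTS)[0]:
        print(*row)
```

An "unexpected-rc4" row can still be a client that only negotiates RC4 (an old OS or a misconfigured host), so it is a lead for checking the client and the DC, not a verdict on its own.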

@David Caddick can you please tell me where to find aoratoskeletonkey?

 

I can't find it on https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

 

Best Regards

Sadly there is no way to get it any more, unless you can get it from someone who managed to download it when the gallery was alive.
Before the gallery was decommissioned, we only migrated a handful of projects to GitHub, and some with low usage telemetry were left there to vanish.

@Eli Ofek 

Found it on GitHub

GitHub - microsoft/MDI-Suspected-Skeleton-Key-Attack-Tool

Seems a legit script to find out if AD is under skeleton key malware attack

 

Thanks! I was sure this one wasn't migrated. Nice to see it actually was!
Sorry, was away on Annual Leave