Suspected skeleton key attack (encryption downgrade)


We are seeing this error on a couple of recently built 2016 Servers:

 

Suspected skeleton key attack (encryption downgrade)

<server> offered a weaker encryption method (RC4) for the authentication of <user> on <laptop>


 

Simply setting the order of the Cipher suite seems to be a viable solution?

https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/

 

Can anyone confirm:

How to replicate the error?

Does this work in fixing it?

 

Thanks

Dave C

 

@Tim Xu 

5 Replies

@David Caddick 

Start with this guide to diagnose the problem

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-domain-dominance-alerts#suspected-skeleton-key-attack-encryption-downgrade-external-id-2010

 

Unless you changed something in the cipher suite which is now using something not standard, I don't think it's the issue.


@Eli Ofek So are we saying that if we see this there is zero chance it's just a misconfigured DC and that it's 100% confident that it's an instance of malware/malicious intent, etc?

 

Use this info to verify:

https://www.virusbulletin.com/virusbulletin/2016/01/paper-digital-bian-lian-face-changing-skeleton-key-malware

 

Run this to remove:

https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

 

And I'm guessing it's a case of checking all the rest of the DCs and servers in the vicinity that can be touched as well...?

 


@David Caddick I am not familiar with the first link; the second one is to scan, and it's a good idea to use it and see what it says.

Unless you can provide a legit reason why in this case the encryption was downgraded, I would not rule out malware.

 

To research deeper, an engineer needs to look at the actual data, which is not suitable for a forum :)

If you need more confidence on how to handle it, I suggest opening a ticket with support, who can help.


@Eli Ofek Thanks, we'll get started on that tomorrow to rule it out authoritatively.


@Eli Ofek 

 

So checking this from MS https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

Gives me this result?

 

PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner> C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner\AoratoSkeletonScan.ps1

Domain Functional Level (DFL) must be at least 2008 to test, current DFL of domain xxxxxxxxx.au is Windows2008R2Domain so the check is valid

xxxxxxxDCS01.xxxxxxx.au DC supports AES as it should.

xxxxxxxDC1.xxxxxxxx.au DC supports AES as it should.

xxxxDCS02.xxxxxxxx.au DC supports AES as it should.

xxxxxxxxxS01.xxxxxxxxx.au DC supports AES as it should.

xxxxxxxDCSS01.xxxxxxxxx.au DC supports AES as it should.

xxxxxxDC2.xxxxxxxxx.au DC supports AES as it should.

xxxxxxxxADSSS02.xxxxxxxxx.au DC supports AES as it should.

xxxxxxxxADSPR01.xxxxxxxxx.au DC supports AES as it should.

checked 8 DCs out of 8 in domain xxxxxxxxx.au. None of the checked DCs were found infected

 

PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner> 

 

Does this mean this system is clean?

Is this check authoritative?

Because this seems to contradict the details from Azure ATP?

How can I cross-reference the two pieces of information and clear this as either a TP or FP?

 

Digging a bit deeper in MCAS I have discovered this:

https://portal.cloudappsecurity.com/#/identity-security-posture/weak-ciphers

This shows that we have at least 20 devices using RC4 over Kerberos that are generating over 1,000 activities per month - would it be fair to say that this is quite possibly just due to older systems that need updating? 

 

Thanks,

Dave C
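As an added example (not from the thread, the Aorato scanner or Azure ATP), one way to do the cross-check Dave asks for: read the Kerberos ticket events a DC logs (4768 TGT and 4769 TGS requests), look at the "Ticket Encryption Type" field, and group RC4 (0x17) tickets by client address so the alert can be tied to specific hosts and accounts. The event records below are constructed, in a simplified key=value form rather than the real event XML.

```python
"""Summarise Kerberos ticket encryption types from DC security events.

Assumption: each record is one line of '; '-separated Key=Value fields
(constructed sample; real 4768/4769 events would be exported from the
Security log and flattened to this shape first).
"""
from collections import Counter, defaultdict

# Encryption type values as written in the "Ticket Encryption Type" field.
ETYPES = {
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}
WEAK_ETYPES = {"0x17", "0x18"}   # RC4 family: what the downgrade alert is about

# Constructed sample records (not real log data).
SAMPLE_EVENTS = """\
EventID=4769; Account Name=alice@CORP.EXAMPLE; Service Name=cifs/fs01; Client Address=::ffff:10.0.0.21; Ticket Encryption Type=0x12
EventID=4769; Account Name=bob@CORP.EXAMPLE; Service Name=ldap/dc1; Client Address=::ffff:10.0.0.55; Ticket Encryption Type=0x17
EventID=4769; Account Name=bob@CORP.EXAMPLE; Service Name=cifs/fs01; Client Address=::ffff:10.0.0.55; Ticket Encryption Type=0x17
EventID=4769; Account Name=svc_legacy@CORP.EXAMPLE; Service Name=http/app01; Client Address=::ffff:10.0.0.77; Ticket Encryption Type=0x17
EventID=4768; Account Name=carol@CORP.EXAMPLE; Service Name=krbtgt/CORP; Client Address=::ffff:10.0.0.90; Ticket Encryption Type=0x12
"""


def parse_events(text):
    """Parse the flattened records, keeping only Kerberos ticket events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("; "))
        if fields.get("EventID") in ("4768", "4769"):
            events.append(fields)
    return events


def weak_etype_report(events):
    """Return (etype counts, {client address: set of accounts using RC4}).

    Grouping by client address makes a few legacy hosts stand out, which is
    the view needed to decide whether RC4 use is old systems or something
    that needs a closer look.
    """
    counts = Counter()
    rc4_by_client = defaultdict(set)
    for ev in events:
        etype = ev.get("Ticket Encryption Type")
        counts[ETYPES.get(etype, etype)] += 1
        if etype in WEAK_ETYPES:
            rc4_by_client[ev["Client Address"]].add(ev["Account Name"])
    return counts, dict(rc4_by_client)
```

Run over a real export, the per-client map is the list to reconcile against the MCAS weak-ciphers report and the hosts named in the Azure ATP alert.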