Jan 08 2020 10:54 PM - edited Jan 08 2020 10:55 PM
We are seeing this error on a couple of recently built 2016 Servers:
Suspected skeleton key attack (encryption downgrade)
<server> offered a weaker encryption method (RC4) for the authentication of <user> on <laptop>
Simply setting the order of the Cipher suite seems to be a viable solution?
https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/
Can anyone confirm:
How to replicate the error?
Does this work in fixing it?
Thanks
Dave C
Jan 09 2020 02:26 AM
Start with this guide to diagnose the problem
Unless you changed something in the cipher suite which is now using something not standard, I don't think it's the issue.
Jan 09 2020 03:05 AM
@Eli Ofek So are we saying that if we see this there is zero chance it's just a mis-configured DC and that it's 100% confident that it's an instance of malware/malicious intent, etc?
Use this info to verify:
Run this to remove:
https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
And I'm guessing it's a case of checking all the rest of the DC's and Servers in the vicinity that can be touched as well...?
Jan 09 2020 03:28 AM
@David Caddick I am not familiar with the first link, the second one is to scan, and it's a good idea to use it and see what it says.
Unless you can provide a legit reason why in this case the encryption was downgraded, I would not rule out malware.
To research deeper, an engineer needs to look at the actual data, which is not suitable for a forum :)
If you need more confidence on how to handle it, I suggest opening a ticket with support, who can help.
Jan 09 2020 03:31 AM
@Eli Ofek Thanks, we'll get started on that tomorrow to rule it out authoritatively
Jan 09 2020 06:16 PM - edited Jan 09 2020 06:28 PM
So checking this from MS https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
Gives me this result?
PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner> C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner\AoratoSkeletonScan.ps1
Domain Functional Level (DFL) must be at least 2008 to test, current DFL of domain xxxxxxxxx.au is Windows2008R2Domain so the check is valid
xxxxxxxDCS01.xxxxxxx.au DC supports AES as it should.
xxxxxxxDC1.xxxxxxxx.au DC supports AES as it should.
xxxxDCS02.xxxxxxxx.au DC supports AES as it should.
xxxxxxxxxS01.xxxxxxxxx.au DC supports AES as it should.
xxxxxxxDCSS01.xxxxxxxxx.au DC supports AES as it should.
xxxxxxDC2.xxxxxxxxx.au DC supports AES as it should.
xxxxxxxxADSSS02.xxxxxxxxx.au DC supports AES as it should.
xxxxxxxxADSPR01.xxxxxxxxx.au DC supports AES as it should.
checked 8 DCs out of 8 in domain xxxxxxxxx.au. None of the checked DCs were found infected
PS C:\Users\xxxxxxxxx\Downloads\aorato-skeleton-scanner\aorato-skeleton-scanner>
Does this mean this system is clean?
Is this check authoritative?
Cause this seems to contradict the details from Azure ATP?
How can I cross-reference the two pieces of information and clear this as either a TP or FP?
Digging a bit deeper in MCAS I have discovered this:
https://portal.cloudappsecurity.com/#/identity-security-posture/weak-ciphers
This shows that we have at least 20 devices using RC4 over Kerberos that are generating over 1,000 activities per month - would it be fair to say that this is quite possibly just due to older systems that need updating?
Thanks,
Dave C
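One way to cross-reference an encryption-downgrade alert with what the domain controllers actually issued is to tally the Kerberos tickets logged with RC4 (etype 0x17) and see which clients and services negotiated them. This is an added example, not from this thread or from the Microsoft scanner; the DC name is a placeholder, and it assumes Kerberos auditing (events 4768 and 4769) is enabled on the DC and the ActiveDirectory/RSAT tooling is not required.

```powershell
# Added example (not from the thread): tally Kerberos tickets issued with RC4 from a DC's
# Security log, so an MDI/Azure ATP "encryption downgrade" alert can be correlated with
# the clients and services that really negotiated RC4 (legacy hosts vs. something unexpected).
param(
    [string]$DomainController = 'DC01.example.local',   # placeholder: set to a real DC name
    [int]$Days = 7
)

# Encryption type codes as they appear in the TicketEncryptionType field (RFC 3961 / [MS-KILE])
$EtypeNames = @{
    '0x1'        = 'DES_CBC_CRC'
    '0x3'        = 'DES_CBC_MD5'
    '0x11'       = 'AES128_CTS_HMAC_SHA1_96'
    '0x12'       = 'AES256_CTS_HMAC_SHA1_96'
    '0x17'       = 'RC4_HMAC'
    '0x18'       = 'RC4_HMAC_EXP'
    '0xffffffff' = 'none (request failed)'
}

# 4768 = TGT request (reflects the client's capability), 4769 = service ticket (reflects the service account's keys)
$filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddDays(-$Days) }

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Flatten the EventData section into a name -> value table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = $data['TicketEncryptionType']
        $name = if ($EtypeNames.ContainsKey($code)) { $EtypeNames[$code] } else { $code }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Client   = $data['TargetUserName']
            ClientIP = $data['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            Service  = $data['ServiceName']
            Etype    = $name
            Status   = $data['Status']                               # 0x0 = ticket was issued
        }
    }

# Successful RC4 tickets only, grouped by event type, requesting host and target service
$events |
    Where-Object { $_.Etype -eq 'RC4_HMAC' -and $_.Status -eq '0x0' } |
    Group-Object EventId, ClientIP, Service |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A short list of old hosts or service accounts without AES keys is consistent with the "older systems that need updating" reading; RC4 tickets for accounts that do have AES keys, or from a DC the scanner reported as AES-capable, are the cases worth escalating.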
May 09 2021 09:13 AM
@David Caddick can you pls tell me where to find aoratoskeletonkey?
I can't find it on https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
Best Regards
May 09 2021 02:54 PM
May 10 2021 12:00 AM
Found it on github
GitHub - microsoft/MDI-Suspected-Skeleton-Key-Attack-Tool
Seems a legit script to find out if AD is under a skeleton key malware attack
May 10 2021 02:35 PM
May 17 2021 12:26 AM