Skeleton Key Background
Analyzing the Skeleton Key Capability of Mimikatz
In this code, Mimikatz first gets the process ID of lsass.exe and stores it in the processId variable. Next, it calls OpenProcess to obtain a handle to the lsass.exe process; this handle lets the calling process read and write lsass.exe's memory. Mimikatz then calls kull_m_memory_open, an internal Mimikatz function that stores the handle for later use.
Devising a Detection Strategy
Reverse Engineering CDLocateCSystem
- cCSystems holds the number of elements in CSystems.
- The size of each CSystems element is 128 bytes.
Reverse Engineering the RC4 Structure Origin
Designing the windows.skeleton_key_check Plugin
- Find the address of CSystems
- Walk each element to find the active RC4 system
- Compare its initialization and decryption handlers to the known-good symbols
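The three steps above, as an added stand-alone example in Python (not the plugin's own code, which runs on top of Volatility's object model). Only the 128-byte element size and the cCSystems count come from the text; the element's field offsets, the known-good addresses and the sample arrays below are constructed assumptions for illustration.

```python
import struct

# Constructed, simplified layout of one 128-byte CSystems element. Only the
# element size comes from the text; the field offsets below are assumptions.
ELEMENT_SIZE = 128
OFF_ETYPE = 0x00        # uint32: Kerberos encryption type of this element
OFF_INITIALIZE = 0x20   # uint64: pointer to the initialization handler
OFF_DECRYPT = 0x30      # uint64: pointer to the decryption handler
ETYPE_RC4_HMAC = 23     # Kerberos etype number for RC4-HMAC

def find_rc4_system(csystems, ccsystems):
    """Walk cCSystems elements of CSystems and return the RC4 one, if any."""
    for i in range(ccsystems):
        elem = csystems[i * ELEMENT_SIZE:(i + 1) * ELEMENT_SIZE]
        if len(elem) < ELEMENT_SIZE:
            break  # buffer truncated (e.g. page unavailable): stop walking
        if struct.unpack_from("<I", elem, OFF_ETYPE)[0] == ETYPE_RC4_HMAC:
            return elem
    return None

def check_rc4_handlers(csystems, ccsystems, known_good):
    """Compare the RC4 element's handler pointers with the known-good
    addresses (name -> address, as resolved from the module's PDB)."""
    elem = find_rc4_system(csystems, ccsystems)
    if elem is None:
        return {"status": "rc4_not_found", "hooked": []}
    hooked = []
    for name, off in (("Initialize", OFF_INITIALIZE), ("Decrypt", OFF_DECRYPT)):
        actual = struct.unpack_from("<Q", elem, off)[0]
        if actual != known_good[name]:
            hooked.append((name, actual))  # points away from the real handler
    return {"status": "skeleton_key_suspected" if hooked else "clean",
            "hooked": hooked}

def build_element(etype, init_ptr, decrypt_ptr):
    """Build one constructed CSystems element in the assumed layout."""
    buf = bytearray(ELEMENT_SIZE)
    struct.pack_into("<I", buf, OFF_ETYPE, etype)
    struct.pack_into("<Q", buf, OFF_INITIALIZE, init_ptr)
    struct.pack_into("<Q", buf, OFF_DECRYPT, decrypt_ptr)
    return bytes(buf)

# Constructed sample data: known-good addresses and two CSystems arrays.
KNOWN_GOOD = {"Initialize": 0x7FF800010000, "Decrypt": 0x7FF800010800}
CLEAN_TABLE = (build_element(18, 0x7FF800020000, 0x7FF800020800)
               + build_element(23, KNOWN_GOOD["Initialize"], KNOWN_GOOD["Decrypt"]))
# Same array, but the RC4 Decrypt handler now points outside the module.
HOOKED_TABLE = (CLEAN_TABLE[:ELEMENT_SIZE]
                + build_element(23, KNOWN_GOOD["Initialize"], 0x1A2B3C400000))
```

A real plugin reads CSystems and cCSystems out of the memory image and resolves the known-good addresses from the module's PDB; here both are supplied as constructed inputs so the comparison logic can run offline.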
Creating a New Plugin
Implementation - Writing the run Function
Implementation - Leveraging PDBs
Adding Resiliency to windows.skeleton_key_check
- The page containing cryptdll.dll’s GUID could be paged out or smeared.
- The analysis system may be offline and unable to download the PDB file from Microsoft’s symbol server.
- Although rare, Microsoft has published corrupt/broken PDB files for modules shipped with stable versions of Windows.