Introduction: Unlocking Active Directory with the Skeleton Key Attack
There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware injects itself into LSASS and creates a master password that will work for any account in the domain. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.
Not surprisingly, this is one of the many attacks that is packaged and very easy to perform using Mimikatz. Let’s take a look at how it works.
Requirements for the Skeleton Key Attack
In order to perpetrate this attack, the attacker must have Domain Admin rights. This attack must be performed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective. Rebooting a domain controller will remove this malware and it will have to be redeployed by the attacker.
Performing the Skeleton Key Attack
Performing the attack is very straightforward to do. It only requires the following command to be run on each domain controller: misc::skeleton. After that, you can authenticate as any user with the default password of Mimikatz.
Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller:
Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work.
Detection & Prevention of the Skeleton Key Attack
The best prevention for these attacks is to reduce the amount of Domain Admins in your environment and to have proper security controls around those accounts. Ensure they cannot logon to lesser privileged machines where their hashes may be stolen by attackers. Several other mitigations are covered by Sean Metcalf here and by Dell SecureWorks here.
How Attackers Are Stealing Your Credentials with Mimikatz:
To sign up for the Mimikatz blog series, please click here.
To register for the Mimikatz webinar, please click here.