Introduction: Unlocking Active Directory with the Skeleton Key Attack
There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware injects itself into LSASS and creates a master password that will work for any account in the domain. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.
Not surprisingly, this is one of the many attacks that is packaged and very easy to perform using Mimikatz. Let’s take a look at how it works.
Requirements for the Skeleton Key Attack
In order to perpetrate this attack, the attacker must have Domain Admin rights. This attack must be performed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective. Rebooting a domain controller will remove this malware and it will have to be redeployed by the attacker.
Performing the Skeleton Key Attack
Performing the attack is very straightforward to do. It only requires the following command to be run on each domain controller: misc::skeleton. After that, you can authenticate as any user with the default password of Mimikatz.
Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller:
Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work.
Detection & Prevention of the Skeleton Key Attack
The best prevention for these attacks is to reduce the amount of Domain Admins in your environment and to have proper security controls around those accounts. Ensure they cannot logon to lesser privileged machines where their hashes may be stolen by attackers. Several other mitigations are covered by Sean Metcalf here and by Dell SecureWorks here.
How Attackers Are Stealing Your Credentials with Mimikatz:
To sign up for the Mimikatz blog series, please click here.
To register for the Mimikatz webinar, please click here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.