Skeleton Key Vulnerability Assessment - Attivo Networks
Attivo Networks Blogs

Skeleton Key Vulnerability Assessment

Written by: Vikram Navali, Senior Technical Product Manager – Once an attacker has gained domain admin rights to your Active Directory, there are several techniques they can use and maintain persistence within the Windows environment. One such technique is Modify Authentication Process, where adversaries may modify the standard authentication process on a Domain Controller (DC).

An adversary can use Skeleton Key malware to inject a master password into the domain controllers with the intent of creating a backdoor. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until a reboot of the domain controller erases the skeleton key from memory).

Attackers can use the skeleton key module available in the Mimikatz tool to perform this attack. Mimikatz injects a skeleton key into LSASS on the DC and creates a backdoor with the master password “mimikatz” that will work with any valid domain user, including admins. Attackers can continue to move laterally to fulfill their objectives after injecting a skeleton key on a Domain Controller. They can use the following command on the DC to inject the skeleton key into LSASS.

mimikatz.exe “privilege::debug” “misc::skeleton” exit

The attacker does not know the password of the domain administrator named “poctest”. However, the attacker can use the master password “mimikatz” to map the admin share.

 

C:\Windows\system32>net use z: \\root.attivo1.local\Share /user:poctest mimikatz

The command completed successfully.

 

The attacker can access the share on the domain controller without cracking the password for user “poctest”.

 

Detect and Prevent the Skeleton Key Attack

The Attivo Networks ADAssessor solution provides ongoing visibility into the critical domain, computer, and user-level exposures for quick remediation. The solution then continues monitoring AD for activities that signify a possible attack.

The ADSecure solution defends essential Active Directory (AD) objects from an attacker’s data gathering activities, such as user and system accounts, privileged group members, domain controllers, service principal names (SPNs), and others, without interfering with the production AD environment.

The following lists a few prevention strategies a defender or security team can use to protect their Domain Controllers from being patched with an alternate authentication process:

  • Protect domain-level admin (DLA) accounts (Administrators, Domain Admin, and Enterprise Admins).
  • Protect from unauthorized queries or privilege escalation attempts to the AD controller using ADSecure.
  • Patch all DCs (kb3011780).
  • Security admins can configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. Follow the procedure to enable or disable LSA protection on a single computer or use Group Policy.
  • Research by Dell SecureWorks Counter Threat Unit also observed that reboot of the Domain Controller had removed the Skeleton Key’s authentication bypass.

Conclusion

Attivo Networks recommends using security controls and periodic assessments to ensure Domain Controls are protected against advanced attacks like the Skeleton Key attack. For more information, please visit https://www.attivonetworks.com/product/adassessor/ and https://www.attivonetworks.com/product/adsecure/.

References

https://adsecurity.org/?p=1275

 

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free

FAST AND EASY

Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial

GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY

  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise

RSS

Leave a Comment

Your email address will not be published. Required fields are marked *

eighteen + three =

Ready to find out what’s lurking in your network?

Scroll to Top