This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
Attackers who gain administrative access to your domain controller are eager to obtain “persistence”: the ability to continue operating in the environment despite attempts to remove them. So-called “skeleton key” passwords are a common means of doing this once attackers have obtained administrative access to domain controllers.
Key Points
- Skeleton keys are a common post-compromise technique in which attackers dynamically “patch” the Windows LSASS process, allowing an attacker-supplied password to be used with any domain account.
- Skeleton Key attacks can be difficult to detect because an authentication made with the Skeleton Key is hard to distinguish from an ordinary logon with a valid account password.
- Common post-exploitation tools like Mimikatz include Skeleton Key functions, lowering the bar to carrying out such attacks.
- QOMPLX’s Identity Assurance (IA) software identifies Skeleton Key attacks as they happen by correlating authentication events with log and telemetry data and alerting infrastructure owners.
How Skeleton Key Attacks Work
Skeleton Key attacks are a post-exploitation technique that requires the adversary to have domain-level administrator access rights. Among other things, attackers need debug rights on the target domain controller (a standard permission for administrator accounts).
In a Skeleton Key attack, an adversary leverages their access to a domain-level administrator account to install malware on a target Active Directory domain controller. The malware has the ability to “patch” Windows LSASS (Local Security Authority Subsystem Service), enabling it to inject a single attacker-chosen password (the Skeleton Key) that is accepted for every user in the domain.
The Skeleton Key acts as its name suggests: as a universal password that will unlock any domain account to which it is attached. From the user’s perspective, nothing changes in a Skeleton Key attack: their normal password continues to grant them access to the domain. IT security staff attempting to identify malicious authentication cannot easily distinguish Skeleton Key use from legitimate domain log-ons.
Skeleton Keys are a powerful persistence tool for adversaries. The attack has been implemented in open-source hacking tools like Mimikatz, which gives adversaries point-and-click access to it. For adversaries, Skeleton Key attacks can be used as an alternative to Kerberos Golden Tickets to establish persistence and control over a domain.
QOMPLX Detection
Skeleton Key attacks involve a set of actions, behind the scenes, that make it possible to identify such attacks as they happen. First, Skeleton Key attacks generally force Kerberos encryption downgrades to RC4_HMAC_MD5. An encryption downgrade alone, however, is not enough to signal that a Skeleton Key attack is in progress. QOMPLX IA identifies Skeleton Key attacks by monitoring domain controllers for the following complementary Windows events and processes:
- Event ID 4673: Sensitive Privilege Use
- Event ID 4611: A trusted logon process has been registered with the Local Security Authority
- Event ID 4688: A new process has been created
- Event ID 4689: A process has exited
These events are correlated with remote, automated attacks using tools such as Mimikatz to generate skeleton keys on compromised domains.
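To make the correlation concrete, here is an added Python example that is not QOMPLX IA's code and does not reproduce its rules. It runs a simplified version of the logic above over constructed sample events: per domain controller it looks for a new process (4688) that exercises SeDebugPrivilege (4673) and is followed by a new trusted logon process being registered (4611), and it raises the severity if, afterwards, an account whose Kerberos tickets were previously AES-encrypted is issued an RC4-encrypted ticket. The event field names, host names, process path and account name are assumptions; the encryption-type codes 0x17 (RC4-HMAC) and 0x11/0x12 (AES128/AES256) are the standard values logged in the Ticket Encryption Type field of events 4768/4769.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos etype codes as logged in events 4768/4769 (standard values).
RC4_ETYPE = "0x17"
AES_ETYPES = {"0x11", "0x12"}

# Constructed sample events (not real telemetry). Field names are an
# assumption of this example, not a Windows event schema.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "host": "DC01", "event_id": 4688,
     "process": r"C:\Windows\System32\svchost.exe"},
    # Suspicious sequence on DC01: new process, debug privilege, logon process registered
    {"time": "2024-01-10T10:00:00", "host": "DC01", "event_id": 4688,
     "process": r"C:\Temp\unknown_tool.exe"},
    {"time": "2024-01-10T10:00:01", "host": "DC01", "event_id": 4673,
     "privilege": "SeDebugPrivilege", "process": r"C:\Temp\unknown_tool.exe"},
    {"time": "2024-01-10T10:00:02", "host": "DC01", "event_id": 4611,
     "logon_process": "ConstructedLogonProcessName"},
    {"time": "2024-01-10T10:00:05", "host": "DC01", "event_id": 4689,
     "process": r"C:\Temp\unknown_tool.exe"},
    # alice normally gets AES tickets, then an RC4 ticket after the sequence
    {"time": "2024-01-09T08:00:00", "host": "DC01", "event_id": 4768,
     "account": "alice", "etype": "0x12"},
    {"time": "2024-01-10T10:30:00", "host": "DC01", "event_id": 4768,
     "account": "alice", "etype": "0x17"},
    # Benign: routine privilege use on DC02 with none of the other events
    {"time": "2024-01-10T10:00:00", "host": "DC02", "event_id": 4673,
     "privilege": "SeDebugPrivilege", "process": r"C:\Windows\System32\svchost.exe"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def find_patch_sequences(events, window=timedelta(minutes=5)):
    """Per host: a 4688 whose process uses SeDebugPrivilege (4673) and is
    followed by a 4611 within `window`. Returns {host: details}."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for start in (e for e in evs if e["event_id"] == 4688):
            proc = start["process"]
            deadline = _ts(start) + window
            in_win = [e for e in evs if _ts(start) <= _ts(e) <= deadline]
            debug = any(e["event_id"] == 4673 and e.get("privilege") == "SeDebugPrivilege"
                        and e.get("process") == proc for e in in_win)
            registered = any(e["event_id"] == 4611 for e in in_win)
            exited = any(e["event_id"] == 4689 and e.get("process") == proc for e in in_win)
            if debug and registered:
                hits[host] = {"process": proc, "start": start["time"], "exited": exited}
                break
    return hits


def find_rc4_downgrades(events):
    """Accounts that received an RC4 ticket after having received AES tickets.
    Returns {account: time of first RC4 ticket after AES}."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] in (4768, 4769):
            by_account[ev["account"]].append(ev)
    downgraded = {}
    for account, evs in by_account.items():
        seen_aes = False
        for ev in sorted(evs, key=_ts):
            if ev["etype"] in AES_ETYPES:
                seen_aes = True
            elif ev["etype"] == RC4_ETYPE and seen_aes:
                downgraded[account] = ev["time"]
                break
    return downgraded


def correlate(events, window=timedelta(minutes=5)):
    """Combine the LSASS-patch sequence with later RC4 downgrades on the same DC."""
    findings = {}
    for host, info in find_patch_sequences(events, window).items():
        start = datetime.fromisoformat(info["start"])
        downgrades = find_rc4_downgrades([e for e in events if e["host"] == host])
        later = sorted(a for a, t in downgrades.items()
                       if datetime.fromisoformat(t) > start)
        findings[host] = {"patch": info, "rc4_downgrades": later,
                          "severity": "high" if later else "medium"}
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

The sequence alone yields a medium-severity finding, because an administrator debugging on a domain controller can produce the same events; the RC4 downgrade alone is deliberately not a finding, matching the point above that a downgrade by itself is not conclusive. Only the combination on the same host is rated high.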
Additional Reading
- QOMPLX Knowledge Series
- QOMPLX Detections Reference
- QOMPLX: The Importance of Lateral Movement Detection
- Active Directory Domain Controller Skeleton Key Malware & Mimikatz (ADSecurity)
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest (ADSecurity)