• QOMPLX Knowledge
  • Aug 4, 2021
  • By QOMPLX

QOMPLX Knowledge: Skeleton Key Attack Detection

QOMPLX Knowledge: Skeleton Key Attack Detection

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Attackers who gain administrative access to your domain controller are eager to obtain “persistence:” the ability to continue operating in the environment despite attempts to remove them. So-called “skeleton key” passwords are a common means of doing this once attackers have obtained administrative access to domain controllers.

Key Points

  • Skeleton keys are a common post-compromise technique in which attackers dynamically “patch” the Windows LSASS process, allowing an attacker supplied password to be used with any domain account.
  • Skeleton key attacks can be difficult to detect as use of the Skeleton Key is difficult to distinguish from ordinary user authentication using a valid account password.
  • Common post-exploitation tools like Mimikatz include Skeleton Key functions, lowering the bar to carrying out such attacks.
  • QOMPLX’s Identity Assurance (IA) software identifies Skeleton Key attacks as they happen by correlating authentication events with log and telemetry data and alerting infrastructure owners.

How Skeleton Key Attacks Work

Skeleton Key attacks are a post-exploitation technique that requires the adversary to have domain-level administrator access rights. Among other things, attackers need debug rights on the target domain controller (a standard permission for administrator accounts).

In a Skeleton Key attack, an adversary leverages their access to a domain-level administrator account to install malware on a target Active Directory domain controller. The malware has the ability to  “patch” Windows LSASS (Local Security Authority Subsystem Service), enabling it to generate a new password (the Skeleton Key) for all users in the domain.

The Skeleton Key acts as its name suggests: as a universal password that will unlock any domain account to which it is attached. From the user’s perspective, nothing changes in a Skeleton Key attack: their normal password continues to grant them access to the domain. IT security staff attempting to identify malicious authentication will not be able to easily identify Skeleton Key use from legitimate domain log-ons.

Skeleton Keys are a powerful persistence tool for adversaries. The attack has been implemented into open source hacking tools like Mimikatz, which gives adversaries point-and-click access to these attacks. For adversaries, Skeleton Key attacks can be used as an alternative to Kerberos Golden Tickets to establish persistence and control over a domain.

QOMPLX Detection

Skeleton Key attacks involve a set of actions, behind the scenes, that make it possible to identify such attacks as they happen. First, Skeleton Key attacks generally force encryption downgrades to RC4_HMAC_MD5. However, encryption downgrades are not enough to signal a Skeleton Key attack is in process. QOMPLX IA identifies Skeleton Key attacks by monitoring domain controllers for the following complementary Windows events and processes:

  • Event ID 4673: Sensitive Privilege Use
  • Event ID 4611: A trusted logon process has been registered with the Local Security Authority
  • Event ID 4688: A new process has been created
  • Event ID 4689: A new process has exited.

These events are correlated with remote, automated attacks using tools such as Mimikatz to generate skeleton keys on compromised domains.

Additional Reading

You might also be interested in

QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
QOMPLX Knowledge: Detecting Pass-the-Hash Attacks

QOMPLX Knowledge: Detecting Pass-the-Hash Attacks

Pass the Hash is a common post-exploitation attack. This post discusses how QOMPLX Identity Assurance detect PtH attacks.

Read more
QOMPLX Knowledge: Honey Account Logins and Ticket Requests

QOMPLX Knowledge: Honey Account Logins and Ticket Requests

Major amounts of data live within insurance carriers but the challenge lies in getting it out in useful form. Learn how to extract the value from data without the need to replace your existing systems, spend thousands of hours coding or rekeying data, or commit millions to a new data architecture.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.