• QOMPLX Knowledge
  • Aug 4, 2021
  • By QOMPLX

QOMPLX Knowledge: Skeleton Key Attack Detection

QOMPLX Knowledge: Skeleton Key Attack Detection

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Attackers who gain administrative access to your domain controller are eager to obtain “persistence:” the ability to continue operating in the environment despite attempts to remove them. So-called “skeleton key” passwords are a common means of doing this once attackers have obtained administrative access to domain controllers.

Key Points

  • Skeleton keys are a common post-compromise technique in which attackers dynamically “patch” the Windows LSASS process, allowing an attacker supplied password to be used with any domain account.
  • Skeleton key attacks can be difficult to detect as use of the Skeleton Key is difficult to distinguish from ordinary user authentication using a valid account password.
  • Common post-exploitation tools like Mimikatz include Skeleton Key functions, lowering the bar to carrying out such attacks.
  • QOMPLX’s Identity Assurance (IA) software identifies Skeleton Key attacks as they happen by correlating authentication events with log and telemetry data and alerting infrastructure owners.

How Skeleton Key Attacks Work

Skeleton Key attacks are a post-exploitation technique that requires the adversary to have domain-level administrator access rights. Among other things, attackers need debug rights on the target domain controller (a standard permission for administrator accounts).

In a Skeleton Key attack, an adversary leverages their access to a domain-level administrator account to install malware on a target Active Directory domain controller. The malware has the ability to  “patch” Windows LSASS (Local Security Authority Subsystem Service), enabling it to generate a new password (the Skeleton Key) for all users in the domain.

The Skeleton Key acts as its name suggests: as a universal password that will unlock any domain account to which it is attached. From the user’s perspective, nothing changes in a Skeleton Key attack: their normal password continues to grant them access to the domain. IT security staff attempting to identify malicious authentication will not be able to easily identify Skeleton Key use from legitimate domain log-ons.

Skeleton Keys are a powerful persistence tool for adversaries. The attack has been implemented into open source hacking tools like Mimikatz, which gives adversaries point-and-click access to these attacks. For adversaries, Skeleton Key attacks can be used as an alternative to Kerberos Golden Tickets to establish persistence and control over a domain.

QOMPLX Detection

Skeleton Key attacks involve a set of actions, behind the scenes, that make it possible to identify such attacks as they happen. First, Skeleton Key attacks generally force encryption downgrades to RC4_HMAC_MD5. However, encryption downgrades are not enough to signal a Skeleton Key attack is in process. QOMPLX IA identifies Skeleton Key attacks by monitoring domain controllers for the following complementary Windows events and processes:

  • Event ID 4673: Sensitive Privilege Use
  • Event ID 4611: A trusted logon process has been registered with the Local Security Authority
  • Event ID 4688: A new process has been created
  • Event ID 4689: A new process has exited.

These events are correlated with remote, automated attacks using tools such as Mimikatz to generate skeleton keys on compromised domains.

Additional Reading

You might also be interested in

Lessons from the Medibank breach

Lessons from the Medibank breach

Ming Fu, a member of the Americas Pre-Sales Engineering Team at QOMPLX, looks at the much publicized Medibank breach in Australia last year, and draws a few much needed lessons based on the published findings of this breach.

Read more
IcedID Malware Gaining Prominence by Adding Identity Attack Chains

IcedID Malware Gaining Prominence by Adding Identity Attack Chains

Brian Freedman, WW Director of Solution Architecture highlights how identity controls are necessary tools, along with EDR, to combat evolving malware threats that have been expanding to include identity compromise as a primary objective in their attack strategies.

Read more
QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.