Skeleton Keys

The Skeleton Key malware "patches" the domain controller's authentication process (LSASS) in memory so that a new master password is accepted for any domain user, including admins.

This enables the attacker to log on as any user they want with the master password (the skeleton key) configured in the malware.

"Joe User" logs in with his usual password and sees no change to his account. The attacker can log in as Joe with the skeleton key password, and the domain controller treats it as a valid logon.

Attack

In order to perpetrate this attack, the attacker must have Domain Admin rights. This attack must be performed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective. Rebooting a domain controller will remove this malware and it will have to be redeployed by the attacker.

To start the attack we can simply use mimikatz, which has this technique built in; a few command lines are enough to reach our goal.

Now we can access anything on our domain with the default password "mimikatz", and we can authenticate as any of the Domain Admins available in the domain.

This works for any user, not just Domain Admins: it is a master password for everyone.

We do have to take into consideration that this technique stops working when the DC is rebooted: the patch is applied to "lsass.exe" in memory only, so it does not survive a reboot and would have to be redeployed.
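As an added, defender-side example (not part of the original page), the following Python flags a well-documented side effect of the in-memory LSASS patch: Skeleton Key forces Kerberos down to RC4-HMAC (etype 0x17), so a DC issuing RC4 tickets to accounts that normally receive AES tickets is a strong indicator. The event records, DC names and the AES-capable account inventory are constructed for the example, modelled on Event ID 4768 fields.

```python
from collections import defaultdict

RC4_HMAC = 0x17            # Kerberos etype the Skeleton Key patch forces
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256 CTS HMAC SHA1

# Constructed records modelled on Event ID 4768 (TGT requested) fields; not real logs.
SAMPLE_EVENTS = [
    {"dc": "DC01", "account": "joe.user",   "etype": 0x12, "result": "0x0"},
    {"dc": "DC01", "account": "joe.user",   "etype": 0x17, "result": "0x0"},
    {"dc": "DC02", "account": "svc_legacy", "etype": 0x17, "result": "0x0"},
    {"dc": "DC01", "account": "admin.bob",  "etype": 0x17, "result": "0x6"},
    {"dc": "DC01", "account": "admin.bob",  "etype": 0x17, "result": "0x0"},
]

# Assumed inventory of accounts whose msDS-SupportedEncryptionTypes allows AES.
AES_CAPABLE = {"admin.bob"}


def find_rc4_downgrades(events, aes_capable=frozenset()):
    """Return (dc, account) for each successful RC4 TGT issued to an account that
    should be using AES, either because the inventory says so or because the same
    account was already seen receiving an AES ticket earlier in the window.
    Accounts that only ever use RC4 (legacy service accounts) are not reported."""
    seen_aes = set(aes_capable)
    hits = []
    for ev in events:
        if ev["result"] != "0x0":
            continue  # failed request: no ticket was issued
        if ev["etype"] in AES_ETYPES:
            seen_aes.add(ev["account"])
        elif ev["etype"] == RC4_HMAC and ev["account"] in seen_aes:
            hits.append((ev["dc"], ev["account"]))
    return hits


def downgrades_per_dc(events, aes_capable=frozenset()):
    """Count downgrade hits per issuing DC; because the patch lives in one DC's
    LSASS and does not replicate, a single DC standing out is the expected pattern."""
    counts = defaultdict(int)
    for dc, _ in find_rc4_downgrades(events, aes_capable):
        counts[dc] += 1
    return dict(counts)


if __name__ == "__main__":
    for dc, account in find_rc4_downgrades(SAMPLE_EVENTS, AES_CAPABLE):
        print(f"RC4 downgrade on {dc} for {account}")
    print(downgrades_per_dc(SAMPLE_EVENTS, AES_CAPABLE))
```

Because the patch is lost on reboot, a DC that stops producing hits right after a restart and then resumes is itself worth correlating with logon activity from privileged accounts.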
