There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware injects itself into LSASS and creates a master password that will work for any account in the domain. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.
Not surprisingly, this is one of the many attacks that is packaged and very easy to perform using Mimikatz. Let’s take a look at how it works.
In order to perpetrate this attack, the attacker must already have Domain Admin rights (or equivalent local administrator rights on the domain controller itself). The patch lives only in the memory of the LSASS process on the domain controller where it was run, so for complete compromise the attack must be performed on each and every domain controller, although even targeting a single domain controller can be effective. Rebooting a domain controller will remove this malware and it will have to be redeployed by the attacker.
Performing the attack is very straightforward. It only requires two Mimikatz commands to be run on each domain controller: privilege::debug, which acquires the debug privilege needed to patch LSASS, followed by misc::skeleton. After that, you can authenticate as any user in the domain with the Mimikatz default skeleton password, mimikatz, while each account's real password continues to work as well.
Here is an authentication as a member of Domain Admins, using the skeleton key as the password, to gain administrative access to a domain controller:
Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, try using the DOMAIN\account format for the username and it should work.
The best prevention for these attacks is to reduce the number of Domain Admins in your environment and to put proper security controls around those accounts. Ensure they cannot log on to lesser-privileged machines where their hashes or tickets may be stolen by attackers. Enabling LSA Protection (RunAsPPL) on domain controllers also stops Mimikatz from patching LSASS from user mode, although an attacker who can load a kernel driver can still disable it, so treat it as raising the bar rather than closing the door. Several other mitigations and detection approaches are covered by Sean Metcalf and by Dell SecureWorks in their analyses of Skeleton Key.
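The post notes that the skeleton key is hard to spot unless you know what to look for. The script below is an added example written for this page (it is not code from the original post, from Stealthbits, or from Mimikatz) that puts two of the documented indicators into practice. First, misc::skeleton only patches the RC4-HMAC path, so every logon made with the master password is a Kerberos exchange that negotiated down to RC4; on the domain controller this shows up as a 4768 or 4769 event whose ticket encryption type is 0x17 for an account and client that normally get AES (0x12). Second, it reports whether each domain controller runs LSASS as a protected process (RunAsPPL). The sample events, the account names jsmith, da-admin and svc-legacy, and the IP addresses are constructed for the demonstration; the live portion assumes a domain-joined admin host with WinRM access to the DCs and Kerberos authentication auditing enabled.

```powershell
# Added example (editor-supplied, not from the original post or from Mimikatz).
# Two checks for the Mimikatz skeleton key on domain controllers:
#   1. Find-Rc4Downgrade: misc::skeleton only patches the RC4-HMAC path, so every
#      logon made with the master password is a Kerberos exchange that fell back to
#      RC4 (etype 0x17). Events 4768/4769 on the DC record the ticket encryption
#      type; 0x17 for an account and client that normally negotiate AES (0x12) is
#      the indicator. Legitimately RC4-only legacy accounts go on an allowlist.
#   2. Test-LsaProtection: LSA Protection (RunAsPPL) stops Mimikatz from patching
#      LSASS from user mode; an attacker then has to load a kernel driver first.
# Assumptions: run from a domain-joined admin host with WinRM access to the DCs and
# "Audit Kerberos Authentication Service / Service Ticket Operations" enabled.

function Find-Rc4Downgrade {
    param(
        # Objects with Id, Account, EtypeHex, ClientIp (as produced by Get-KerberosEtypeEvents)
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Events,
        # Accounts already reviewed and known to use RC4 (e.g. legacy service accounts)
        [string[]] $KnownRc4Accounts = @()
    )
    $Events |
        Where-Object { ($_.Id -eq 4768 -or $_.Id -eq 4769) -and $_.EtypeHex -eq '0x17' } |
        Where-Object { $KnownRc4Accounts -notcontains $_.Account }
}

# Read the real 4768/4769 events from one DC and flatten the EventData fields.
function Get-KerberosEtypeEvents {
    param([Parameter(Mandatory)] [string] $DomainController, [int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                DomainController = $DomainController
                Id               = $_.Id
                Account          = $data['TargetUserName']
                ServiceName      = $data['ServiceName']           # krbtgt for 4768, the SPN owner for 4769
                EtypeHex         = $data['TicketEncryptionType']  # 0x12 = AES256, 0x17 = RC4-HMAC
                ClientIp         = $data['IpAddress']
            }
        }
}

# Report whether each DC runs LSASS as a protected process (RunAsPPL = 1 or 2).
function Test-LsaProtection {
    param([Parameter(Mandatory)] [string[]] $DomainControllers)
    foreach ($dc in $DomainControllers) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
        }
        [pscustomobject]@{
            DomainController = $dc
            RunAsPPL         = $value
            Protected        = ($value -eq 1 -or $value -eq 2)
        }
    }
}

# Constructed sample events (not real log data) so Find-Rc4Downgrade can be tried offline.
$sample = @(
    [pscustomobject]@{ Id = 4768; Account = 'jsmith';     EtypeHex = '0x12'; ClientIp = '10.0.0.21' }
    [pscustomobject]@{ Id = 4768; Account = 'da-admin';   EtypeHex = '0x17'; ClientIp = '10.0.0.99' }
    [pscustomobject]@{ Id = 4769; Account = 'svc-legacy'; EtypeHex = '0x17'; ClientIp = '10.0.0.40' }
)
Find-Rc4Downgrade -Events $sample -KnownRc4Accounts 'svc-legacy' | Format-Table -AutoSize

# Live run. Enumerate every DC without RSAT: the skeleton key is per-DC and in
# memory only, so each one has to be checked on its own.
$dcs  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
        ForEach-Object { $_.Name }
$live = $dcs | ForEach-Object { Get-KerberosEtypeEvents -DomainController $_ -Hours 24 }
Find-Rc4Downgrade -Events $live -KnownRc4Accounts 'svc-legacy' |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, DomainController, Id, Account, ClientIp -AutoSize
Test-LsaProtection -DomainControllers $dcs | Format-Table -AutoSize
```

On the constructed sample only the da-admin request is reported: the AES request is normal, and svc-legacy is on the allowlist. RC4 is still legitimate for old service accounts and pre-Vista clients, so the allowlist is what keeps this from being noise; review anything that falls outside it, especially a privileged account authenticating with RC4 from a host that otherwise uses AES. Because a reboot clears the patch, run the event check on a schedule rather than once, and treat a DC reporting Protected = False as a hardening gap to close regardless of whether a skeleton key has been found.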
This post is part of the series How Attackers Are Stealing Your Credentials with Mimikatz.
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.