Written by: Vikram Navali, Senior Technical Product Manager – Once an attacker has gained domain admin rights to your Active Directory, there are several techniques they can use and maintain persistence within the Windows environment. One such technique is Modify Authentication Process, where adversaries may modify the standard authentication process on a Domain Controller (DC).
An adversary can use Skeleton Key malware to inject a master password into the domain controllers with the intent of creating a backdoor. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until a reboot of the domain controller erases the skeleton key from memory).
Attackers can use the skeleton key module available in the Mimikatz tool to perform this attack. Mimikatz injects a skeleton key into LSASS on the DC and creates a backdoor with the master password “mimikatz” that will work with any valid domain user, including admins. Attackers can continue to move laterally to fulfill their objectives after injecting a skeleton key on a Domain Controller. They can use the following command on the DC to inject the skeleton key into LSASS.
mimikatz.exe “privilege::debug” “misc::skeleton” exit
The attacker does not know the password of the domain administrator named “poctest”. However, the attacker can use the master password “mimikatz” to map the admin share.
C:\Windows\system32>net use z: \\root.attivo1.local\Share /user:poctest mimikatz
The command completed successfully.
The attacker can access the share on the domain controller without cracking the password for user “poctest”.
Detect and Prevent the Skeleton Key Attack
The Attivo Networks ADAssessor solution provides ongoing visibility into the critical domain, computer, and user-level exposures for quick remediation. The solution then continues monitoring AD for activities that signify a possible attack.
The ADSecure solution defends essential Active Directory (AD) objects from an attacker’s data gathering activities, such as user and system accounts, privileged group members, domain controllers, service principal names (SPNs), and others, without interfering with the production AD environment.
The following lists a few prevention strategies a defender or security team can use to protect their Domain Controllers from being patched with an alternate authentication process:
- Protect domain-level admin (DLA) accounts (Administrators, Domain Admin, and Enterprise Admins).
- Protect from unauthorized queries or privilege escalation attempts to the AD controller using ADSecure.
- Patch all DCs (kb3011780).
- Security admins can configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. Follow the procedure to enable or disable LSA protection on a single computer or use Group Policy.
- Research by Dell SecureWorks Counter Threat Unit also observed that reboot of the Domain Controller had removed the Skeleton Key’s authentication bypass.
Attivo Networks recommends using security controls and periodic assessments to ensure Domain Controls are protected against advanced attacks like the Skeleton Key attack. For more information, please visit https://attivonetworks.com/product/adassessor/ and https://attivonetworks.com/product/adsecure/.