Skeleton Key Malware modifies the Active Directory authentication process

Pierluigi Paganini January 14, 2015

Dell SecureWorks detected the Skeleton Key malware, which modifies authentication process on Active Directory (AD) systems protected by only passwords.

The experts at Dell SecureWorks Counter Threat Unit(TM) (CTU) have recently discovered a malware dubbed Skeleton Key that bypasses single-factor authentication on Active Directory (AD) systems. The attackers can use to have total access to remote access services with a password of their choosing to authenticate as any user.

The researchers at CTU have discovered the Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, the malware is deployed as an in-memory patch on a targeted AD domain controllers to allow attacker to authenticate as any user, while legitimate users can continue to authenticate without noticing the infection.

Attacks which implements the modification of the authentication process are rarely observed by security experts and CTU researchers confirmed they haven’s seen similar malware targeting Active Directory before.

 “Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.” states a blog post published by CTU.

In order to spread the Skeleton Key the attacker requires have domain administrator credentials, circumstance common when criminal crews stole stolen credentials from victims or acquire them on the underground market.

“What raises the alarm about the Skeleton Key malware is that it enables the adversary to trivially authenticate as any user, using their injected password, this could give them access to the target’s webmail or VPN if that was relying upon AD for authentication,” explained Don Smith, CTU director of technology, at “Consequently, the threat actors can get access to the victim’s email correspondence and network files. This activity looks like – and is – normal end user activity, so the chances of the threat actor raising any suspicion is extremely low and this is what makes this malware particularly stealthy.”

The samples of malware analyzed by the experts at CTU lack persistence, this means that threat actors need to re-deployed the malicious agent every time the domain controller is restarted.

“CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers,” continues the post. “Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.”

The researchers discovered that attackers used the PsExec tool to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The attackers choose a password for their authentication, then it is formatted as an NTLM password hash and it is provided in clear text.

skeleton key

CTU researchers explained that network traffic analysis is ineffective, anyway, it could be detected because it is associated with domain replication issues that may indicate an infection.

“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” CTU researchers blogged. “These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism.”

CTU researchers have no doubts about the abilities of malware authors, Skeleton Key malware was the results of specialists with a “reasonable degree of skill.”

In order to detect the presence of the Skeleton Key malware, Dell SecureWorks recommends organizations use multi-factor authentication for access to its services, monitor processes running on workstations and servers and monitor Windows Service Control Manager events on Active Directory domain controllers.

Pierluigi Paganini

(Security Affairs –  Skeleton Key, malware)

you might also like

leave a comment