The Dell SecureWorks Counter Threat Unit has discovered a piece of malware they call “Skeleton Key” that bypasses authentication on Active Directory systems with single-factor password authentication.
In a Windows environment, an Active Directory (AD) domain controller is the server that responds to authentication requests within a domain.
CTU discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and a virtual private network. This allowed the attacker to authenticate as any user, giving them unfettered access to remote access services. It also allows an attacker with physical access to a compromised system to unlock it by typing the injected password on the keyboard.
The malware affects 64-bit Windows systems running Windows 2008 R2, Windows Server 2008 and Windows 2003 R2.
Skeleton Key requires domain administrator credentials for deployment, and CTU researchers have observed threat actors deploying Skeleton Key using credentials stolen from critical servers, administrators’ workstations, and the targeted domain controllers.
Skeleton Key seems to lack persistence and, when a domain controller is restarted, it must be deployed again. But access to the system means that attackers could deploy malware on the victim’s network, which they can then remotely access to redeploy Skeleton Key.
Because Skeleton Key bypasses authentication and does not generate network traffic, network-based intrusion detection and intrusion prevention systems do not detect this threat.
To defend against Skeleton Key, CTU suggests applying multi-factor authentication for all remote access solutions. Administrators should also create an audit trail on workstations and servers (including AD domain controllers) that could help detect Skeleton Key deployments. Finally, monitor Windows Service Control Manager events on AD domain controllers for unexpected service installation events and service start/stop events.
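One way to act on that last recommendation, as an added example rather than code from CTU or the Dell SecureWorks report: pull Service Control Manager events from each domain controller and surface services that are not on a baseline you maintain. It assumes remote Event Log rights on the listed DCs, and the `$KnownServices` allow-list and host names are constructed placeholders.

```powershell
# Added example, not code from the CTU report: review Service Control Manager
# events on domain controllers for service installs (ID 7045) and start/stop
# transitions (ID 7036) involving services absent from a maintained allow-list.
# Assumptions: the caller has remote Event Log rights on each DC, and
# $KnownServices is a placeholder baseline to replace with your own.
function Find-UnexpectedDcServiceEvents {
    param(
        [Parameter(Mandatory)][string[]]$DomainControllers,
        [string[]]$KnownServices = @('Netlogon', 'Kdc', 'DNS'),   # constructed placeholder
        [int]$LookbackHours = 24
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045, 7036
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($dc in $DomainControllers) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        # Services installed inside the window: a 7036 start/stop for one of these shortly
        # after its 7045 is the install-run-stop pattern that deserves a closer look.
        $newlyInstalled = @{}
        foreach ($e in ($events | Sort-Object TimeCreated)) {
            # EventData is read from the event XML. 7045 carries ServiceName/ImagePath;
            # 7036 carries param1 (display name, which can differ from the service
            # name) and param2 (running/stopped). Keep that difference in mind when
            # building the allow-list.
            $d = @{}
            foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            $name = if ($e.Id -eq 7045) { $d['ServiceName'] } else { $d['param1'] }
            if ($e.Id -eq 7045) { $newlyInstalled[$name] = $d['ImagePath'] }
            if ($KnownServices -contains $name) { continue }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Service          = $name
                Detail           = if ($e.Id -eq 7045) { $d['ImagePath'] } else { "state: $($d['param2'])" }
                NewThisWindow    = $newlyInstalled.ContainsKey($name)
            }
        }
    }
}

# Placeholder host names; sorted so a fresh install followed by start/stop stands out.
Find-UnexpectedDcServiceEvents -DomainControllers 'dc01', 'dc02' |
    Sort-Object DomainController, Service, TimeCreated | Format-Table -AutoSize
```

Because Skeleton Key does not persist across a reboot, the same query run over a longer window is also useful for spotting repeated redeployments after each domain controller restart.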