Unlocking Active Directory with the Skeleton Key Attack

Requirements for the Skeleton Key Attack

In order to perpetrate a Skeleton Key attack, the attacker must have Domain Admin rights. For complete compromise, the attack must be performed on every domain controller, but targeting even a single domain controller can be effective. Rebooting a domain controller will remove the malware.

Performing the Skeleton Key Attack

Performing the attack is very straightforward. You need only to run the following command on each domain controller: misc::skeleton.

After that, you can authenticate as any user by providing the same password, which by default is “mimikatz”. If the authentication is performed for a member of the Domain Admin group, you can get administrative access to a domain controller:

Note: You might get the message, “System error 86 has occurred. The specified network password is not correct.” In that case, try supplying the username in domainaccount format.

Preventing and Detecting Skeleton Key Attacks

The best way to defend against these attacks is to reduce the number of Domain Admin accounts available in your environment for attackers to hijack, and to implement proper security controls around the few accounts that remain. More broadly, you should eliminate all types of standing privileged accounts in your environment to minimize your attack surface area. The Netwrix Privilege Secure solution strengthens AD security by enabling you to replace privileged accounts with temporary accounts that provide just enough access to perform the task at hand and that are removed immediately when the job is complete.

Other mitigation and detection methods are provided by Sean Metcalf from ADSecurity and by Dell SecureWorks in Skeleton Key Malware Analysis.

FAQ