Bian Lian (face changing) is an ancient Chinese dramatic art that stems from Sichuan opera, where performers can change their face masks almost instantaneously. Interestingly, this ‘face-changing’ trick is not only used in Sichuan opera; it has also been adopted in the digital world by malware. A new breed of advanced persistent threat (APT), discovered by Dell SecureWorks and known as ‘Skeleton Key’, uses this face-changing trick. When the Skeleton Key malware is installed on a domain controller (DC), the attacker can play the face-changing trick on the domain by logging in as any user it chooses and performing any number of actions on the system including, but not limited to, sending/receiving emails, accessing private files, logging on locally to computers in the domain, unlocking computers in the domain, etc.

This paper analyses the technical details of the Skeleton Key malware. It unveils the tricks used by the malware to tamper with NT LAN Manager (NTLM) and Kerberos/Active Directory authentication. In particular, it details the tricks used by the malware to downgrade the encryption algorithm used by Kerberos from AES to RC4-HMAC (NTLM). The Skeleton Key malware can be removed from the system after a successful infection while leaving the compromised authentication in place, which poses a challenge for anti-malware engines in detecting the compromise. This paper also discusses how on-the-wire detection and in-memory detection can be used to address some of these challenges.

Windows servers have been widely deployed and are commonly used by organizations as part of their network infrastructure. In particular, ‘a domain controller (DC) is a server that is running a version of the Windows Server operating system and has Active Directory Domain Services installed’. The DC is responsible for authentication in a Windows domain. In January 2015, Dell SecureWorks researchers discovered a new breed of malware, a threat that specifically targets DCs, in an Advanced Persistent Threat (APT) attack. Once installed on the DC, this malware, which is named ‘Skeleton Key malware’ (hereafter referred to simply as Skeleton Key), allows the attacker to play the ‘Bian Lian’ (face-changing) trick: the attacker can log into the affected domain with any user account and perform any number of actions on the system including, but not limited to, sending/receiving emails, accessing private files, etc. In the wild, Skeleton Key has been distributed as a 64-bit DLL file with the following file names:

Memory of another accessible server on the victim's network

The Skeleton Key DLL attaches to the memory space of the lsass.exe process. The deployment procedure proceeds as follows:

1. If the domain administrator credentials are valid, use these to copy the Skeleton Key DLL to C:\WINDOWS\system32\ on the target domain controllers.
2. Use the PsExec utility to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The attacker’s chosen password is formatted as an NTLM password hash rather than being provided in clear text:

   psexec -accepteula \\%TARGET-DC% rundll32 <DLL path> ii <NTLM hash>

3. Delete the Skeleton Key DLL file from C:\WINDOWS\system32\ on the targeted domain controllers.
4. Delete the Skeleton Key DLL file from the staging directory on the jump host.
5. Test for successful Skeleton Key deployment using ‘net use’ commands with an Active Directory (AD) account and the password that corresponds to the configured NTLM hash.

After Skeleton Key is deployed, the attacker can authenticate as any user using the attacker’s configured NTLM password hash.

A version of Skeleton Key malware observed by Dell SecureWorks was implicated in domain replication issues that may indicate an infection. Shortly after each deployment of Skeleton Key malware observed by Dell SecureWorks CTU analysts, domain controllers experienced replication issues that could not be addressed by Microsoft support and eventually required a reboot to resolve. These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism. These replication issues may be explained by subtle bugs in this version of Skeleton Key’s patches to the Active Directory’s authentication functions, which allow most authentication use cases to operate as normal but which eventually cause replication between domain controllers to cease functioning.
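The downgrade from AES to RC4-HMAC that the paper describes is visible outside the compromised DC: the encryption type of every issued ticket is recorded in the Windows Security log (the Ticket Encryption Type field of events 4768 and 4769) and on the wire in the AS-REP/TGS-REP. The script below is an added example, not code from the paper or from Dell SecureWorks, of the log-side form of that detection. It assumes a key=value export of those two events; the accounts, hosts and timestamps are constructed for the example. The rule reports an account that obtained AES tickets earlier in the window and then successfully obtained an RC4 ticket, and then groups the hits by requesting host, since a Skeleton Key operator typically authenticates as several users from one machine.

```python
"""Added example: flagging the Kerberos AES-to-RC4 downgrade that Skeleton Key produces.

The event lines below are constructed for this example; they mimic the
Ticket Encryption Type field of Windows events 4768 (TGT request) and
4769 (service ticket request) but are not real logs.
"""
import re
from collections import defaultdict

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
AES_ETYPES = {0x11, 0x12}
RC4_ETYPES = {0x17, 0x18}

# Constructed sample input (hypothetical accounts, hosts and times).
SAMPLE_EVENTS = """\
time=2015-01-12T08:01:10 event=4768 account=alice domain=CORP client=10.0.1.15 etype=0x12 result=0x0
time=2015-01-12T08:02:43 event=4768 account=bob domain=CORP client=10.0.1.22 etype=0x12 result=0x0
time=2015-01-12T08:05:00 event=4769 account=svc_backup domain=CORP client=10.0.2.40 etype=0x12 result=0x0
time=2015-01-13T09:11:02 event=4768 account=alice domain=CORP client=10.0.1.15 etype=0x12 result=0x0
time=2015-01-13T09:30:00 event=4768 account=legacy_app domain=CORP client=10.0.3.3 etype=0x17 result=0x0
time=2015-01-14T10:35:51 event=4768 account=alice domain=CORP client=10.0.9.77 etype=0x17 result=0x0
time=2015-01-14T10:36:04 event=4768 account=svc_backup domain=CORP client=10.0.9.77 etype=0x17 result=0x0
time=2015-01-14T10:40:00 event=4768 account=bob domain=CORP client=10.0.1.22 etype=0x12 result=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn key=value lines into dicts; event and etype become integers."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(FIELD_RE.findall(line))
        rec["event"] = int(rec["event"])
        rec["etype"] = int(rec["etype"], 16)
        events.append(rec)
    return events


def find_downgrades(events):
    """Return successful RC4 ticket requests for accounts that previously used AES.

    Events are walked in time order, so the baseline for an account is simply
    what it used earlier in the window. Accounts that only ever use RC4
    (legacy clients) are not reported: the signal is the change, not RC4 itself.
    """
    aes_seen = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] not in (4768, 4769) or ev["result"] != "0x0":
            continue
        key = (ev["domain"], ev["account"])
        if ev["etype"] in AES_ETYPES:
            aes_seen.add(key)
        elif ev["etype"] in RC4_ETYPES and key in aes_seen:
            alerts.append({
                "time": ev["time"],
                "account": ev["account"],
                "client": ev["client"],
                "etype": ETYPE_NAMES[ev["etype"]],
            })
    return alerts


def clients_with_many_downgrades(alerts, threshold=2):
    """Group alerts by requesting host: one host obtaining downgraded tickets
    for several accounts is what a Skeleton Key operator looks like."""
    by_client = defaultdict(set)
    for a in alerts:
        by_client[a["client"]].add(a["account"])
    return {c: sorted(accts) for c, accts in by_client.items() if len(accts) >= threshold}


if __name__ == "__main__":
    found = find_downgrades(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['time']} {a['account']} from {a['client']} got {a['etype']} after AES history")
    print("suspicious clients:", clients_with_many_downgrades(found))
```

Two caveats apply in practice. A legitimate reconfiguration (an account's msDS-SupportedEncryptionTypes being lowered, or a new RC4-only client) produces the same transition, so the per-host grouping is what separates an operator from noise. And the check only sees the downgrade path: a user who logs on with their real password still gets AES tickets, so the skeleton password in use by the attacker is the thing this rule looks for, not every logon by a targeted account.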