Malware which infects Domain Controllers to bypass authentication
Skeleton Key was originally discovered and reported by the Dell SecureWorks Counter Threat Unit(TM) (CTU). The malware is found on Active Directory domain controllers, where an attacker installs it to bypass single-factor (password-only) authentication: once a DC is patched, the attacker can authenticate as any domain user with a password of their own choosing (a "master password") for privilege escalation and lateral movement, while the targeted user's real password keeps working and the user notices nothing. The malware has no persistence of its own. It lives only as an in-memory patch to the LSASS process on the DC, so rebooting an infected domain controller removes it and the attacker has to re-infect the server, typically from a previously installed backdoor/RAT, which was the case in the initial discovery of the malware.
To deploy the malware the attacker needs domain administrator privileges. In the observed intrusions these were obtained by dumping credentials from a previously compromised machine that either held a stored domain administrator credential or had a domain administrator logged on at the time, then reusing the dumped NTLM hash in a pass-the-hash attack with Mimikatz.
Detection and Prevention
Because the malware runs only in memory it is difficult to spot, unless you know which processes and services the deployment uses. In the observed cases the attackers deployed it with PsExec.exe, specifically with the "-accepteula" command-line argument, so monitoring domain controllers for Windows service installation events (event ID 7045) and service start/stop events (event ID 7036) for the PSEXESVC service, both written to the System log by the Service Control Manager, gives a chance of spotting an infected domain controller. Legitimate administrators also use PsExec, so these events need a baseline; a PSEXESVC installation on a DC with no matching change ticket should be treated as high-signal. The patch also changes the DC's observable behaviour, notably by downgrading Kerberos encryption to RC4_HMAC_MD5, and those changes can be tested for remotely: the Aorato Skeleton Key Malware Remote DC Scanner, a PowerShell script, can remotely scan domain controllers and report whether they are currently infected with Skeleton Key.
Because the malware only subverts single-factor authentication, multi-factor authentication is an effective preventive measure: a service that requires a second factor will not accept the attacker's master password alone. It protects only the services that enforce it, though; any logon path that still trusts a password by itself remains exposed on an infected domain controller.
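The event-log hunt described above, as an added example in PowerShell (this is not code from the original page, from the CTU report or from the Aorato scanner). It assumes the ActiveDirectory RSAT module is available to enumerate DCs, that the caller can read remote event logs on each DC, and a 30-day look-back chosen arbitrarily; the 4688 check only sees the "-accepteula" switch if command-line auditing is enabled.

```powershell
# Added example: hunt domain controllers for the PsExec artefacts Skeleton Key deployment leaves.
# Assumptions: RSAT ActiveDirectory module present, remote event-log read access on every DC,
# and an arbitrary 30-day look-back window.
param(
    [int]$LookbackDays = 30,
    [string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName
)
$since = (Get-Date).AddDays(-$LookbackDays)

function Get-PsExecServiceEvents {
    # Service Control Manager writes 7045 (service installed) and 7036 (service state change)
    # to the System log. PsExec's service is named PSEXESVC; 7045 also records the file name.
    param([string]$Computer)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 7045, 7036; StartTime = $since
    } | Where-Object { $_.Message -match 'PSEXESVC' }
}

function Get-PsExecProcessEvents {
    # 4688 (process creation) in the Security log carries the command line only when
    # "Include command line in process creation events" is enabled. With it we can catch the
    # "-accepteula" switch on the launching host as well as PSEXESVC.exe starting on the DC.
    param([string]$Computer)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } | Where-Object { $_.Message -match 'accepteula|PSEXESVC' }
}

$findings = foreach ($dc in $DomainControllers) {
    $events = @(Get-PsExecServiceEvents -Computer $dc) + @(Get-PsExecProcessEvents -Computer $dc)
    foreach ($e in $events) {
        [PSCustomObject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Summary          = ($e.Message -split "`r?`n")[0]   # first line of the event message
        }
    }
}

if ($findings) {
    $findings | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Host "No PsExec service or process events on $($DomainControllers.Count) DC(s) since $since"
}
```

Run it from an administrative workstation with the ActiveDirectory module loaded, or pass `-DomainControllers` explicitly. Because Get-WinEvent is called with `-ErrorAction SilentlyContinue`, a DC with no matching events (which Get-WinEvent reports as an error) simply contributes nothing; if you also want to know which DCs could not be reached at all, replace that with a try/catch around each call. Any hit should be correlated with the 7045 "Service File Name" field and with who was logged on at the time, since the same events are produced by routine PsExec use.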
IOCs
These threat indicators can be used to search logs to detect activity related to Skeleton Key malware.
| Indicator | Type | Context |
|---|---|---|
| 66da7ed621149975f6e643b4f9886cfd | MD5 hash | Skeleton Key patch msuta64.dll |
| ad61e8daeeba43e442514b177a1b41ad4b7c6727 | SHA1 hash | Skeleton Key patch msuta64.dll |
| bf45086e6334f647fda33576e2a05826 | MD5 hash | Skeleton Key patch ole64.dll |
| 5083b17ccc50dd0557dfc544f84e2ab55d6acd92 | SHA1 hash | Skeleton Key patch ole64.dll |
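A file-system sweep for the hashes in the table above, as an added example in PowerShell (not code from the original page or from the CTU report). The hash values are the IOCs listed above; the search roots are an assumption about where a dropped DLL might be staged, and the script will only find a copy that is still on disk, so it is most useful on the host the attacker launched PsExec from and on DCs before any cleanup.

```powershell
# Added example: sweep likely staging directories for the Skeleton Key patch DLLs by file hash.
# The hash table reproduces the IOCs from the table above; the search roots are assumptions.
$Iocs = @{
    '66da7ed621149975f6e643b4f9886cfd'         = 'msuta64.dll (MD5)'
    'ad61e8daeeba43e442514b177a1b41ad4b7c6727' = 'msuta64.dll (SHA1)'
    'bf45086e6334f647fda33576e2a05826'         = 'ole64.dll (MD5)'
    '5083b17ccc50dd0557dfc544f84e2ab55d6acd92' = 'ole64.dll (SHA1)'
}
# Assumed staging locations; extend with wherever PsExec copies or attacker tooling are found.
$SearchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\Temp", "$env:TEMP")

function Test-SkeletonKeyFile {
    # Hash one file with both algorithms from the IOC list and return a hit object, or $null.
    # Get-FileHash returns upper-case hex, so the lookup is normalised to lower case.
    param([System.IO.FileInfo]$File)
    foreach ($alg in 'MD5', 'SHA1') {
        $h = (Get-FileHash -Path $File.FullName -Algorithm $alg -ErrorAction SilentlyContinue).Hash
        if (-not $h) { continue }                      # unreadable or locked file
        $key = $h.ToLowerInvariant()
        if ($Iocs.ContainsKey($key)) {
            return [PSCustomObject]@{
                Path      = $File.FullName
                Algorithm = $alg
                Hash      = $key
                Match     = $Iocs[$key]
            }
        }
    }
    return $null
}

$hits = foreach ($root in $SearchRoots) {
    # Hash every DLL rather than only files named msuta64.dll/ole64.dll, so a renamed copy is
    # still caught; System32 holds a few thousand DLLs, so expect this to take a minute or two.
    Get-ChildItem -Path $root -Recurse -File -Include '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SkeletonKeyFile -File $_ } |
        Where-Object { $_ }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No files matching the Skeleton Key IOC hashes under: $($SearchRoots -join ', ')"
}
```

Because the patch is loaded into LSASS and the DLL can be deleted afterwards, an empty result does not clear a DC; combine this sweep with the event-log hunt and with a remote behavioural check such as the Aorato scanner.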