A Skeleton Key attack implants a malicious patch into the authentication process of a Windows domain controller, specifically inside LSASS (Local Security Authority Subsystem Service). The implant lets an attacker use a universal "master" password (the skeleton key) to authenticate as any user, bypassing normal password verification without altering the stored credentials.
Mechanism:
The Skeleton Key attack works by modifying the code path within LSASS on a domain controller. The malicious implant intercepts authentication requests and accepts a predefined universal password regardless of the actual user password. Because it operates in-memory and does not alter the Active Directory database, it can remain undetected for extended periods.
Objective:
The attacker must first gain administrative or SYSTEM-level access on a domain controller.
Process:
Once access is achieved, the attacker deploys a malicious DLL or patch that modifies the authentication routines in LSASS.
Result:
With the skeleton key in place, the attacker can authenticate as any user, enabling domain-wide access without altering the stored password hashes.
Anomalous Authentication Behavior:
Monitor for unexpected logon events where an account appears to bypass normal password verification. Look for patterns consistent with one universal password being used across many different accounts.
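The following is an added example, not part of the original page: a PowerShell heuristic over successful-logon records (Windows Security event 4624). It assumes that a skeleton key in use tends to show up as one source host authenticating as many distinct accounts within a short window, which is unusual for an ordinary workstation. The sample events, the `Find-SkeletonKeyLogonPattern` function name and the thresholds are constructed for illustration; on a real domain controller the `$events` array would be replaced by `Get-WinEvent` output as noted in the comments.

```powershell
# Added example (not from the original page). Heuristic: flag a source IP that
# logs on successfully as many distinct accounts inside a short time window.
# On a domain controller, build $events from the Security log instead, e.g.
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-1)}
# and extract TargetUserName, IpAddress and LogonType from each event's XML.

function Find-SkeletonKeyLogonPattern {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10,          # assumed window, tune per environment
        [int] $DistinctUserThreshold = 5    # assumed threshold, tune per environment
    )

    # Ignore computer accounts (names ending in '$'); they log on constantly and are noise here.
    $userEvents = $Events | Where-Object { $_.TargetUserName -notlike '*$' }

    $findings = @()
    foreach ($group in ($userEvents | Group-Object -Property IpAddress)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowStart = $sorted[$i].Time
            $windowEnd   = $windowStart.AddMinutes($WindowMinutes)
            $inWindow    = $sorted | Where-Object { $_.Time -ge $windowStart -and $_.Time -le $windowEnd }
            $users       = @($inWindow | Select-Object -ExpandProperty TargetUserName -Unique)
            if ($users.Count -ge $DistinctUserThreshold) {
                $findings += [pscustomobject]@{
                    IpAddress     = $group.Name
                    WindowStart   = $windowStart
                    WindowEnd     = $windowEnd
                    DistinctUsers = $users.Count
                    Users         = ($users -join ', ')
                }
                break   # one finding per source host is enough for triage
            }
        }
    }
    return $findings
}

# Constructed sample data (not real log entries). 10.0.0.5 hits six accounts in
# five minutes; 10.0.0.7 shows ordinary repeated logons by a couple of users.
$events = @(
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:00:00'; TargetUserName = 'alice';   IpAddress = '10.0.0.5'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:01:00'; TargetUserName = 'bob';     IpAddress = '10.0.0.5'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:02:00'; TargetUserName = 'carol';   IpAddress = '10.0.0.5'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:03:00'; TargetUserName = 'dave';    IpAddress = '10.0.0.5'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:04:00'; TargetUserName = 'erin';    IpAddress = '10.0.0.5'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:05:00'; TargetUserName = 'svc-sql'; IpAddress = '10.0.0.5'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:00:30'; TargetUserName = 'alice';   IpAddress = '10.0.0.7'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:20:00'; TargetUserName = 'alice';   IpAddress = '10.0.0.7'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:25:00'; TargetUserName = 'bob';     IpAddress = '10.0.0.7'; LogonType = 3 },
    [pscustomobject]@{ Time = Get-Date '2024-01-01T09:26:00'; TargetUserName = 'DC01$';   IpAddress = '10.0.0.7'; LogonType = 3 }
)

Find-SkeletonKeyLogonPattern -Events $events | Format-Table -AutoSize
```

With the constructed data only 10.0.0.5 is reported (six distinct users inside the ten-minute window). Jump hosts, scanners and backup servers legitimately authenticate as many accounts, so expect to allow-list such sources after a first run rather than lowering the threshold.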
LSASS Integrity Checks:
Use integrity monitoring tools to ensure that critical LSASS modules remain unmodified.
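As an added example that is not from the original page, the PowerShell below is a simple integrity check of the modules loaded into lsass.exe on a domain controller: every module is checked for a valid Microsoft Authenticode signature, for a path under %SystemRoot%, and optionally against a SHA-256 baseline. The `Test-LsassModules` function name and the baseline file format and path are assumptions made for this example.

```powershell
# Added example (not from the original page). Run in an elevated session on the
# domain controller. Reports modules in lsass.exe whose signature is not a valid
# Microsoft signature, that load from outside %SystemRoot%, or that differ from a
# baseline. The baseline is an assumed JSON array of { Path, Sha256 } objects;
# the default path is a placeholder.

function Test-LsassModules {
    [CmdletBinding()]
    param([string] $BaselinePath = 'C:\Baselines\lsass-modules.json')

    # If LSASS runs as a protected process (RunAsPPL), this enumeration is denied
    # from user mode; that failure is a sign the hardening is in place.
    $lsass = Get-Process -Name lsass -ErrorAction Stop

    $baseline = $null
    if (Test-Path -Path $BaselinePath) {
        $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    }

    foreach ($m in $lsass.Modules) {
        $path   = $m.FileName
        $sig    = Get-AuthenticodeSignature -FilePath $path   # also resolves catalog-signed OS files
        $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $issues = @()

        if ($sig.Status -ne 'Valid') {
            $issues += "signature status $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $issues += 'signed, but not by Microsoft'
        }
        if ($path -notlike "$env:SystemRoot\*") {
            $issues += 'loaded from outside SystemRoot'
        }
        if ($baseline -and -not ($baseline | Where-Object { $_.Path -eq $path -and $_.Sha256 -eq $hash })) {
            $issues += 'path/hash not in baseline'
        }

        [pscustomobject]@{
            Module = $m.ModuleName
            Path   = $path
            Sha256 = $hash
            Issues = ($issues -join '; ')
        }
    }
}

# Show only modules with findings; export the full list to build a baseline.
Test-LsassModules | Where-Object { $_.Issues } | Format-Table -AutoSize
```

This check inspects the files backing each loaded module, so it catches an implant that arrives as a new DLL. A patch applied purely in memory to an already-loaded, legitimately signed module leaves the on-disk file unchanged and will not be reported here; that case is what the memory-dump analysis described under Forensic Analysis is for. Take the baseline from a freshly built, patched domain controller, and refresh it after each Windows update, since legitimate updates replace these modules.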
Forensic Analysis:
Analyze memory dumps from domain controllers for signs of injected or modified code.