{"id":1275,"date":"2015-01-19T19:12:21","date_gmt":"2015-01-20T00:12:21","guid":{"rendered":"http:\/\/adsecurity.org\/?p=1275"},"modified":"2015-04-12T23:48:09","modified_gmt":"2015-04-13T03:48:09","slug":"attackers-can-now-use-mimikatz-to-implant-skeleton-key-on-domain-controllers-backdoor-your-active-directory-forest","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=1275","title":{"rendered":"Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest"},"content":{"rendered":"

Once an attacker has gained Domain Admin rights to your Active Directory environment, there are several methods for keeping privileged access. Skeleton Key is an ideal persistence method for the modern attacker. More information on Skeleton Key is in my earlier post<\/a>.<\/p>\n

Note that the behavior documented in this post was observed in a lab environment using the version of Mimikatz shown in the screenshot. There are likely differences in the Skeleton Key malware documented by Dell SecureWorks and the Mimikatz skeleton key functionality. Mimikatz effectively “patches” LSASS to enable use of a master password with any valid domain user. Rebooting the DC refreshes the memory which removes the “patch”.<\/p>\n

Implanting the Mimikatz Skeleton Key on one or multiple Domain Controllers:<\/strong><\/span><\/h4>\n

Mimikatz can now inject a skeleton key into LSASS on the Domain Controller by running the following command on the DC:<\/p>\n

mimikatz.exe “privilege::debug” “misc::skeleton” exit<\/p><\/blockquote>\n

\"Mimikatz-Skeleton-Implant\"<\/a><\/p>\n

When there are multiple Domain Controllers in an Active Directory site, all of them need the Skeleton Key implant to ensure the skeleton key master password is accepted as the user’s valid password.. Since the client discovers a Domain Controller using DCLocator, the DC the client selects is effectively random. If all the DCs don’t have skeleton key configured, the master password won’t work when the client authenticates to a DC without skeleton key.<\/p>\n

Scenario:<\/strong><\/p>\n

Either the attacker exploits MS14-068 <\/a>or has the KRBTGT <\/a>NTLM password hash and uses it to generate a Kerberos Golden Ticket to impersonate a valid Domain Admin account. The attacker leverages the forged Kerberos TGT ticket to access the Domain Controllers via PowerShell remoting. PowerShell remoting runs over WinRM and provides a shell running on the remote computer (much like SSH). In this case, the attacker runs a PowerShell script that uses “invoke-command” to run the mimikatz command on the DCs.<\/p>\n

\"Mimikatz-Skeleton-Implant-GoldenTicket-PSRemotingScript\"<\/a><\/p>\n

Domain Controller Security Events When Implanting the Mimikatz Skeleton Key:<\/strong><\/span><\/h4>\n

When implanting the skeleton key remotely using Mimikatz <\/a>the following events are logged on the Domain Controller.
\nEvent Id 4673 Sensitive Privilege Use<\/strong>,<\/p>\n

\"Mimikatz-SkeletonKeyImplant-DCSecurityEvent-4673\"<\/a><\/p>\n

Event 4611: A trusted logon process has been registered with the Local Security Authority.<\/strong><\/p>\n

\"Mimikatz-SkeletonKeyLocalImplant-DCSecurityEvent-4611\"<\/a><\/p>\n

If Process Tracking (logging) is enabled, there are two events that are logged reliably.<\/p>\n

Event 4688: A new process has been created.<\/strong><\/p>\n

\"Mimikatz-SkeletonKeyLocalImplant-DCSecurityEvent-4688\"<\/a><\/p>\n

Event 4689: A new process has exited.<\/strong><\/p>\n

\"Mimikatz-SkeletonKeyLocalImplant-DCSecurityEvent-4689\"<\/a><\/strong><\/p>\n

Authenticating with the Mimikatz Skeleton Key:<\/strong><\/span><\/h4>\n

Testing user password and user account with skeleton key password.
\nNote that both passwords are accepted – the valid user password and the skeleton key master password!<\/p>\n

\"Mimikatz-SkeletonKey-ShareConnect-Admin-DifferentPassword-Success\"<\/a><\/p>\n

Testing Domain Admin account with password & skeleton key password.
\nNote that both passwords are accepted – the valid user password and the skeleton key master password!<\/p>\n

\"Mimikatz-SkeletonKey-ShareConnect-DifferentPassword-Success\"<\/a><\/p>\n

\u00a0Skeleton Key Mitigation:<\/strong><\/span><\/h4>\n