👉 Overview
👀 What ?
Skeleton Key is an in-memory patch to the LSASS process on an Active Directory domain controller that adds a second, attacker-chosen "master" password. Once the patch is applied, every domain account accepts either its real password or the master password, so the attacker can authenticate as any user without knowing, cracking or resetting that user's password, while legitimate users keep logging on normally and notice nothing.
🧐 Why ?
Skeleton Key matters because it turns a one-time domain compromise into quiet, long-lived access. An attacker who has already obtained domain administrator rights uses it to keep authenticating as any user, including other administrators, without touching account passwords, so the usual signals of credential abuse (password resets, lockouts, changed attributes) never appear. The result is unrestricted access to every resource the domain protects, with the data theft and service disruption that follows.
⛏️ How ?
Skeleton Key does not exploit a patchable vulnerability: it needs administrative rights on the domain controller, so the primary defence is keeping those rights out of attackers' hands (tiered administration, no domain admin logons to workstations or servers of lower tiers, MFA for privileged accounts). On the domain controllers themselves, enable LSA Protection (the RunAsPPL registry value, available on Windows Server 2012 R2 and later) so that unsigned code cannot be loaded into lsass.exe. Watch for the side effects of a patch rather than the patch itself: Kerberos tickets being issued with RC4-HMAC (encryption type 0x17) to accounts that normally use AES, and sensitive-privilege use or handle opens against lsass.exe on a DC. Because the patch only lives in memory, rebooting a DC clears it, and periodically trying to log on to each DC with a known skeleton password (mimikatz's misc::skeleton uses "mimikatz" by default) is a cheap positive check. Strong user passwords do not help here: the bypass never involves guessing them.
⏳ When ?
Skeleton Key was first reported publicly by Dell SecureWorks in January 2015, after it was found running on a victim's domain controllers, and has been observed since. The technique was later reimplemented in mimikatz as the misc::skeleton module, which is the form most red teams and attackers use today.
⚙️ Technical Explanations
Skeleton Key is not a flaw in the NTLM or Kerberos protocols. The attacker, already holding domain admin (or equivalent) rights on the domain controller, runs code that opens lsass.exe with debug privileges and patches its credential-validation routines in memory so that, in addition to each account's real credential, a single attacker-chosen password is accepted for every account. The original malware did this by loading a DLL into LSASS from a domain-admin session; the public reimplementation in mimikatz (misc::skeleton) patches the same code paths and forces Kerberos to RC4-HMAC, the only encryption type its patch handles, so the master password "mimikatz" validates against any account. Nothing is written to the directory: no password is changed, no account attribute is modified, and no password cracking takes place, which is why account-centric monitoring sees nothing. The patch exists only in LSASS memory and disappears when the DC reboots, so attackers must re-deploy it after every restart, and a reboot is also the quickest way to evict it.
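The checks described in the "How ?" section and the side effects described above, as an added example that is not part of the original page and not taken from mimikatz or the SecureWorks report. The script walks every domain controller and (1) reads the RunAsPPL value, (2) tries to authenticate a canary account against that specific DC with the default mimikatz master password, and (3) counts RC4-HMAC TGT requests in the Security log. It assumes RSAT's ActiveDirectory module, a domain-admin session, and a low-privilege canary account named `svc-skeleton-canary` whose real password is not "mimikatz" (the account name and the probe list are assumptions, adjust them for your domain):

```powershell
# Added example: hunt for a Skeleton Key patch across all domain controllers.
# Assumptions (hypothetical, adjust for your environment):
#   - run from a domain-joined host as a domain admin with the ActiveDirectory module
#   - $CanaryUser exists, has no privileges, and its real password is NOT in $ProbePasswords
#   - "mimikatz" is the default master password of mimikatz's misc::skeleton module
param(
    [string]   $CanaryUser     = 'svc-skeleton-canary',
    [string[]] $ProbePasswords = @('mimikatz'),
    [int]      $LookbackHours  = 24
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    $result = [ordered]@{ DC = $dc; RunAsPPL = $null; ProbeAccepted = @(); RC4TgtRequests = 0 }

    # 1. LSA Protection: without RunAsPPL=1 any local admin can load code into lsass.exe.
    $result.RunAsPPL = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    }

    # 2. Positive probe: a patched DC accepts the master password for ANY account.
    #    Bind to each DC explicitly; the patch lives only in the memory of the DC it was injected into.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $dc)
    foreach ($pw in $ProbePasswords) {
        if ($ctx.ValidateCredentials($CanaryUser, $pw)) { $result.ProbeAccepted += $pw }
    }
    $ctx.Dispose()

    # 3. Downgrade signal: the mimikatz patch only handles RC4-HMAC (0x17), so AES-capable
    #    accounts suddenly receiving RC4 TGTs (event 4768) is worth chasing. 4768 is logged
    #    on the DC that issued the ticket, hence the per-DC query.
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    $result.RC4TgtRequests = @($events | Where-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'TicketEncryptionType' -and $_.'#text' -eq '0x17' }
    }).Count

    [pscustomobject]$result
}
```

Any DC where `ProbeAccepted` is non-empty is patched (or the canary's password really is on the probe list): isolate it, capture LSASS memory if you need forensics, then reboot to evict the patch and start hunting for how the domain admin rights were obtained. `RunAsPPL` of `$null` or `0` means LSA Protection is off on that DC. Each probe produces one failed-logon event per DC for the canary, so keep the probe list shorter than the lockout threshold and whitelist those failures in your SIEM. RC4 TGT requests are a signal, not proof: legacy clients and accounts without AES keys legitimately request RC4, so compare the count against each DC's baseline.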