Lateral Movement - Skeleton Key Attack

Introduction

The Skeleton Key attack is a technique that bypasses Active Directory authentication by injecting a master password into a domain controller's authentication process. Once in place, the attacker can authenticate as any user without knowing that user's password, effectively gaining unrestricted access to the domain.

It can be performed using Mimikatz. Domain Admin rights are a prerequisite, and the attacker must apply the attack to each domain controller to cover the whole domain. Its effect is temporary: restarting the domain controller removes the in-memory patch, so the attack has to be re-run to retain access.

Executing the attack requires a single command: misc::skeleton.

Prerequisites

  • Attacker must have obtained Domain Admin rights

  • Mimikatz running on a Domain Controller

  • For the most effective use, all Domain Controllers need to be exploited; however, this is not a hard requirement

  • Rebooting a Domain Controller will remove the malware

Practical

Mimikatz

After Mimikatz has been dropped onto a Domain Controller and executed with Domain Admin privileges, the following two commands perform the exploit.

privilege::debug   # expect the response "Privilege '20' OK", confirming debug rights were obtained
misc::skeleton
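As an added detection example that is not part of the original page: a documented side effect of the Skeleton Key patch is that the domain controller falls back to RC4-HMAC Kerberos encryption, so accounts that normally receive AES-encrypted TGTs suddenly show encryption type 0x17 in Security event 4768. The script below assumes the DC's 4768 events were exported one JSON object per line with the field names used in the Windows event XML (a constructed sample is embedded), baselines each account from the stream itself, and reports accounts downgraded from AES to RC4.

```python
"""Flag Kerberos encryption downgrades in exported Security event 4768 records.

Added detection example, not code from the original page. It assumes the DC's
Security log was exported one JSON object per line with the 4768 fields named
as in the Windows event XML (TargetUserName, TicketEncryptionType, IpAddress,
Status). Accounts are baselined from the stream itself: once an account has
received an AES-encrypted TGT, a later RC4-HMAC (0x17) TGT for it is reported.
Legacy accounts that only ever use RC4 are therefore not flagged.
"""
import json

RC4_HMAC = "0x17"
AES_ETYPES = {"0x11", "0x12"}          # AES128-CTS-HMAC / AES256-CTS-HMAC


def find_rc4_downgrades(event_lines):
    """Return (account, client_ip) pairs for AES-baselined accounts that were
    later issued an RC4 TGT. Input lines must be in chronological order."""
    seen_aes = set()
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue                    # not a TGT request, or the request failed
        user = ev["TargetUserName"].lower()
        etype = ev["TicketEncryptionType"].lower()
        if etype in AES_ETYPES:
            seen_aes.add(user)
        elif etype == RC4_HMAC and user in seen_aes:
            hits.append((user, ev.get("IpAddress", "?")))
    return hits


# Constructed sample export: alice normally gets AES256 TGTs, svc_legacy is a
# genuine RC4-only account, the 4769 line is a service ticket (ignored), and
# bob's RC4 request failed (Status 0x6), so only alice's later RC4 TGT is flagged.
SAMPLE_EVENTS = [
    '{"EventID":4768,"TargetUserName":"alice","TicketEncryptionType":"0x12","IpAddress":"10.0.0.5","Status":"0x0"}',
    '{"EventID":4768,"TargetUserName":"svc_legacy","TicketEncryptionType":"0x17","IpAddress":"10.0.0.7","Status":"0x0"}',
    '{"EventID":4769,"TargetUserName":"alice","TicketEncryptionType":"0x17","IpAddress":"10.0.0.5","Status":"0x0"}',
    '{"EventID":4768,"TargetUserName":"bob","TicketEncryptionType":"0x17","IpAddress":"10.0.0.9","Status":"0x6"}',
    '{"EventID":4768,"TargetUserName":"Alice","TicketEncryptionType":"0x17","IpAddress":"10.0.0.99","Status":"0x0"}',
]

if __name__ == "__main__":
    for account, ip in find_rc4_downgrades(SAMPLE_EVENTS):
        print(f"possible Skeleton Key downgrade: {account} issued an RC4 TGT from {ip}")
```

Because the patch lives only in memory (a reboot clears it, as noted above), a hit should prompt immediate memory analysis of LSASS on the affected domain controller rather than waiting for the next restart.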
