The researchers have named the malware Skeleton Key.
“Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal,” the Dell SecureWorks researchers explained in an analysis of the malware. “Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.”
Because Skeleton Key requires domain administrator credentials for deployment, the researchers found attackers obtaining those credentials by stealing them from critical servers, administrators’ workstations, and the targeted domain controllers themselves.
Dell SecureWorks recommends that organizations take the following steps to protect themselves from the malware:
- Multi-factor authentication for all remote access solutions, including VPNs and remote email, prevents threat actors from bypassing single-factor authentication or authenticating using stolen static credentials.
- A process creation audit trail on workstations and servers, including AD domain controllers, may detect Skeleton Key deployments. Specifically, organizations should look for the following artifacts:
  - Unexpected PsExec.exe processes and the use of the PsExec “-accepteula” command line argument
  - Unexpected rundll32.exe processes
  - Process arguments that resemble NTLM hashes (32 characters long, containing digits 0-9 and characters A-F)
- Monitoring Windows Service Control Manager events on AD domain controllers may reveal unexpected service installation events (event ID 7045) and service start/stop events (event ID 7036) for PsExec’s PSEXESVC service.
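The detection artifacts listed above, turned into logic that runs over a handful of constructed process-creation and Service Control Manager records. This is an added example written for this page, not code from Dell SecureWorks or from the article: the record layout (`host`, `image`, `cmdline`, `event_id`, `service`), the host names and the command lines are assumptions, and every sample event is constructed for illustration.

```python
import re
from dataclasses import dataclass

# A token that looks like an NTLM hash: exactly 32 hex characters. The
# lookarounds stop longer hex strings (SHA-1, SHA-256, GUIDs without
# dashes are 32 chars and WILL match, so expect some tuning) from matching
# on a 32-character substring.
NTLM_HASH_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")

# Hosts whose rundll32.exe activity is considered unexpected (assumed: the
# domain controllers of the monitored environment).
DC_HOSTS = {"DC01"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(event: dict, dc_hosts: set) -> list:
    """Apply the three process-creation artifacts to one 4688/Sysmon-style record."""
    findings = []
    host, image = event["host"], _basename(event["image"])
    cmdline = event.get("cmdline", "")

    # 1. PsExec itself, with the -accepteula flag called out explicitly.
    if image == "psexec.exe":
        detail = "PsExec launched"
        if "-accepteula" in cmdline.lower():
            detail += " with -accepteula"
        findings.append(Finding(host, "psexec", detail))

    # 2. rundll32.exe on a domain controller. Legitimate rundll32 use exists,
    #    so a real deployment should baseline parent/command line first.
    if image == "rundll32.exe" and host in dc_hosts:
        findings.append(Finding(host, "rundll32_on_dc", cmdline))

    # 3. Any argument that looks like an NTLM hash.
    for token in NTLM_HASH_RE.findall(cmdline):
        findings.append(Finding(host, "ntlm_hash_argument", token))
    return findings


def check_service_event(event: dict, dc_hosts: set) -> list:
    """Apply the SCM artifacts (7045 install, 7036 state change) for PSEXESVC on DCs."""
    host = event["host"]
    if host not in dc_hosts or event.get("service", "").upper() != "PSEXESVC":
        return []
    if event["event_id"] == 7045:
        return [Finding(host, "psexesvc_installed", event.get("image_path", ""))]
    if event["event_id"] == 7036:
        return [Finding(host, "psexesvc_state_change", event.get("state", ""))]
    return []


def scan(events: list, dc_hosts: set) -> list:
    """Dispatch each record to the matching check and collect all findings."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            findings.extend(check_process_event(ev, dc_hosts))
        elif ev["kind"] == "service":
            findings.extend(check_service_event(ev, dc_hosts))
    return findings


# Constructed sample telemetry (not real logs): an admin workstation pushing
# PsExec at a DC, the resulting PSEXESVC service events on the DC, a
# rundll32 launch on the DC carrying a hash-like argument, and two benign
# records that must not fire.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ADMIN-WS", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\DC01 -accepteula -s cmd.exe"},
    {"kind": "service", "host": "DC01", "event_id": 7045, "service": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"kind": "service", "host": "DC01", "event_id": 7036, "service": "PSEXESVC",
     "state": "running"},
    {"kind": "process", "host": "DC01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\Temp\payload.dll,ii 0123456789abcdef0123456789abcdef"},
    {"kind": "process", "host": "WS02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"kind": "service", "host": "DC01", "event_id": 7036, "service": "Spooler",
     "state": "running"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, DC_HOSTS):
        print(f"{f.host:9} {f.rule:24} {f.detail}")
```

The rules are deliberately narrow: PSEXESVC is only flagged on the hosts in the domain-controller set, and the rundll32 rule fires on every rundll32 launch on those hosts, which is noisy until it is tuned against the environment's baseline. The NTLM regex is a heuristic; any 32-character hex token, including a dash-less GUID, will match it.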
Pwnie Express CEO Paul Paget told eSecurity Planet by email that the discovery of Skeleton Key should serve as a vivid reminder of how important it is to know what devices are on enterprise networks. “Hackers’ ability to use the malware is reportedly dependent on them having an existing foothold in the network,” he said.
“This foothold, which is often a result of a compromised or rogue device on the network, potentially unlocks access to parts of the network that they can exploit. … The first step to defending against this new malware is keeping unsecured or compromised devices off the network,” Paget added.