hacktricks/windows-hardening/active-directory-methodology/skeleton-key.md
2024-02-10 17:52:19 +00:00


Skeleton Key

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


Skeleton Key Attack

The Skeleton Key attack is an Active Directory authentication bypass in which attackers inject a master password into the domain controller. This lets the attacker authenticate as any user, effectively granting unrestricted access to the domain.

The attack can be performed with Mimikatz. Domain Admin rights are a prerequisite, and the attacker must target each domain controller to ensure a comprehensive breach. The effect is temporary: restarting the domain controller eradicates the malware, so sustained access requires reimplementing the attack.

Executing the attack takes a single command: misc::skeleton.

Mitigations

Mitigation strategies against such attacks include monitoring for specific event IDs that reveal the installation of services or the use of sensitive privileges. In particular, System Event ID 7045 and Security Event ID 4673 can reveal suspicious activity. Running lsass.exe as a protected process significantly hinders attackers' efforts, because it forces them to employ a kernel mode driver, which increases the attack's complexity.

The following PowerShell commands enhance these security measures:

  • To detect the installation of suspicious services: Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}

  • To detect Mimikatz's driver specifically: Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*" -and $_.message -like "*mimidrv*"}

  • To fortify lsass.exe by enabling it as a protected process: New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose

Verification after a system reboot is crucial to confirm that the protective measures have been successfully applied. This is achievable with the following: Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "*protected process*"}
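
The checks above can be combined into one triage pass per domain controller. The following is an added example, not part of the original page or of any HackTricks tooling; the function name Test-SkeletonKeyIndicators and the 7-day default window are assumptions, and it is meant to be run elevated on the domain controller itself.

```powershell
# Added example (hypothetical helper): gather the indicators discussed above
# into a single object so results can be compared across domain controllers.
function Test-SkeletonKeyIndicators {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed look-back window

    # Get-WinEvent reports an error when no event matches the filter, so the
    # error is suppressed and an empty array is treated as "nothing found".
    $drivers = @(Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045; StartTime=$Since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Kernel Mode Driver*' })
    $mimidrv = @($drivers | Where-Object { $_.Message -like '*mimidrv*' })

    # Security 4673 is only written when sensitive privilege use is audited;
    # a count of 0 can therefore mean "not audited" rather than "clean".
    $priv = @(Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4673; StartTime=$Since} -ErrorAction SilentlyContinue)

    # A missing RunAsPPL value means LSA protection was never configured.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue

    # The registry value only takes effect at boot, so also look for the
    # System event 12 "protected process" message logged since the last boot.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $ppl  = @(Get-WinEvent -FilterHashtable @{LogName='System'; ID=12; StartTime=$boot} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*protected process*' })

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Since                = $Since
        # For event 7045, Properties[0] is the service name and [1] the image path.
        KernelDriverInstalls = @($drivers | ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Service   = $_.Properties[0].Value
                ImagePath = $_.Properties[1].Value
            }
        })
        MimidrvInstalls      = $mimidrv.Count
        SensitivePrivEvents  = $priv.Count
        RunAsPPLValue        = if ($lsa) { $lsa.RunAsPPL } else { $null }
        LsassProtectedAtBoot = $ppl.Count -gt 0
    }
}

Test-SkeletonKeyIndicators | Format-List
```

A RunAsPPLValue of 1 together with LsassProtectedAtBoot being False indicates the setting was written but the controller has not been rebooted since, so lsass.exe is not yet running protected.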
