Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

‘Skeleton Key’ Malware Bypasses Authentication on AD Systems

Researchers at Dell SecureWorks’ Counter Threat Unit (CTU) have discovered malware that sidesteps authentication on Active Directory (AD) systems protected only by passwords.

Researchers at Dell SecureWorks’ Counter Threat Unit (CTU) have discovered malware that sidesteps authentication on Active Directory (AD) systems protected only by passwords.

Dubbed ‘Skeleton Key’, the researchers found the malware on a client network that used single-factor authentication for access to webmail and VPN – giving the threat actor total access to remote access services. According to CTU, the malware requires an attacker have domain administrator credentials in order to be deployed, and has been observed being used by attackers who have stolen credentials from critical servers, administrators’ workstations and the targeted domain controllers.

“What raises the alarm about the Skeleton Key malware is that it enables the adversary to trivially authenticate as any user, using their injected password, this could give them access to the target’s webmail or VPN if that was relying upon AD for authentication,” said Don Smith, CTU director of technology. “Consequently, the threat actors can get access to the victim’s email correspondence and network files. This activity looks like – and is – normal end user activity, so the chances of the threat actor raising any suspicion is extremely low and this is what makes this malware particularly stealthy.”

According to Dell SecureWorks, Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers. The only known Skeleton Key samples lack persistence and must be redeployed when a domain controller is restarted.

“CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers,” according to the company. “Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.”

The attackers use the PsExec tool to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The malware does not transmit network traffic, making network-based detection ineffective, the researchers noted. However, the malware has been implicated in domain replication issues that may be proof of an infection.

“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” CTU researchers blogged. “These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism.”

Advertisement. Scroll to continue reading.

Dell SecureWorks recommends organizations use multi-factor authentication for all remote access solutions, monitor Windows Service Control Manager events on Active Directory domain controllers and be mindful that process creation audit trails on workstations and servers, including AD domain controllers, may detect Skeleton Key deployments.

“Modification of the authentication process is rarely observed in the Windows world, and the CTU has not seen similar malware targeting Active Directory before,” Smith said. “The hackers behind the Skeleton Key malware would definitely require a reasonable degree of skill.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...