Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

‘Skeleton Key’ Malware Bypasses Authentication on AD Systems

Researchers at Dell SecureWorks’ Counter Threat Unit (CTU) have discovered malware that sidesteps authentication on Active Directory (AD) systems protected only by passwords.

Researchers at Dell SecureWorks’ Counter Threat Unit (CTU) have discovered malware that sidesteps authentication on Active Directory (AD) systems protected only by passwords.

Dubbed ‘Skeleton Key’, the researchers found the malware on a client network that used single-factor authentication for access to webmail and VPN – giving the threat actor total access to remote access services. According to CTU, the malware requires an attacker have domain administrator credentials in order to be deployed, and has been observed being used by attackers who have stolen credentials from critical servers, administrators’ workstations and the targeted domain controllers.

“What raises the alarm about the Skeleton Key malware is that it enables the adversary to trivially authenticate as any user, using their injected password, this could give them access to the target’s webmail or VPN if that was relying upon AD for authentication,” said Don Smith, CTU director of technology. “Consequently, the threat actors can get access to the victim’s email correspondence and network files. This activity looks like – and is – normal end user activity, so the chances of the threat actor raising any suspicion is extremely low and this is what makes this malware particularly stealthy.”

According to Dell SecureWorks, Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers. The only known Skeleton Key samples lack persistence and must be redeployed when a domain controller is restarted.

“CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers,” according to the company. “Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.”

The attackers use the PsExec tool to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The malware does not transmit network traffic, making network-based detection ineffective, the researchers noted. However, the malware has been implicated in domain replication issues that may be proof of an infection.

“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” CTU researchers blogged. “These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism.”

Dell SecureWorks recommends organizations use multi-factor authentication for all remote access solutions, monitor Windows Service Control Manager events on Active Directory domain controllers and be mindful that process creation audit trails on workstations and servers, including AD domain controllers, may detect Skeleton Key deployments.

“Modification of the authentication process is rarely observed in the Windows world, and the CTU has not seen similar malware targeting Active Directory before,” Smith said. “The hackers behind the Skeleton Key malware would definitely require a reasonable degree of skill.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.