3/31/2023

Dull key vs skeleton key

Not a day goes by at Southern Accents that someone doesn't stop in and pick up a skeleton key... sometimes two, three or a whole handful! Many customers are looking to replace a lost key to open their old door. Others are looking for the small keys that will fit the lock on an old antique cabinet, while others just seem to have a fascination with antique keys and are looking to add to their collection. And then there are the jewelry makers... the use of skeleton keys in hand-crafted jewelry is currently a hot trend. Once again, tapping into our love of history, we did a little research on keys.

The purpose of a skeleton key is obviously to open a lock. Skeleton keys, also known as pass keys, are designed to open numerous locks, most commonly a warded lock. While some believe that a skeleton key derived its name from its shape and resemblance to a skull, the name actually comes from the fact that the key is stripped down like a skeleton to its most essential parts: a cylindrical shank with a single rectangular tooth. The shank can be solid or a barrel shank, which resembles the barrel of a gun.

Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name "Skeleton Key."

CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim's AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key's authentication bypass also allows threat actors with physical access to log in to and unlock systems that authenticate users against the compromised AD domain controllers.

The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days after a restart, threat actors used other remote access malware already deployed on the victim's network to redeploy Skeleton Key on the domain controllers.

Skeleton Key requires domain administrator credentials for deployment. CTU researchers have observed threat actors deploying Skeleton Key using credentials stolen from critical servers, administrators' workstations, and the targeted domain controllers.

CTU researchers initially observed a Skeleton Key sample named ole64.dll on a compromised network (see Table 1). Table 1 lists the sample's attributes, including that it is deployed as required (typically downloaded using malware and then deleted after use).

When investigating ole64.dll, CTU researchers discovered an older variant named msuta64.dll on a "jump host" in the victim's network (see Table 2). The jump host is any system previously compromised by the threat actors' remote access malware. This variant includes additional debug statements, which allow the Skeleton Key developer to observe the memory addresses involved in the patching process.

The threat actors used a multi-step process to deploy Skeleton Key as a 64-bit DLL file; the steps themselves are not included in this excerpt.
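As an added illustration (not code from the CTU report or from this post), the PowerShell triage script below checks every domain controller for the three things the CTU description gives a defender to work with: the sample file names ole64.dll and msuta64.dll, the lack of persistence across reboots (so a DC's last boot time bounds when any current patch could have been applied), and the in-memory patch itself, which in the analysed samples is applied inside the LSASS process, so a DLL that does the patching has to be mapped into lsass.exe. The -ExtraHosts parameter for jump hosts, the whole-drive file search and the "signed by Microsoft" test are assumptions of this example; it needs the ActiveDirectory module, WinRM access and local-administrator rights on the targets.

```powershell
# Added hunting example, not code from the CTU report or this post.
# Assumes: ActiveDirectory module available, WinRM open to the targets, and
# local administrator rights there (reading lsass.exe modules requires it).
param(
    # Jump hosts or other non-DC systems to include; the older msuta64.dll
    # variant was found on a jump host, not on a domain controller.
    [string[]]$ExtraHosts = @()
)

# File names of the samples CTU observed. They are usually deleted after use,
# so a hit is strong evidence but a miss proves nothing.
$KnownNames = @('ole64.dll', 'msuta64.dll')

Import-Module ActiveDirectory
$targets = @((Get-ADDomainController -Filter *).HostName) + $ExtraHosts

$findings = Invoke-Command -ComputerName $targets -ArgumentList (,$KnownNames) -ScriptBlock {
    param([string[]]$Names)

    # 1. Uptime. Skeleton Key does not survive a reboot, so the last boot time
    #    bounds when the current patch (if any) could have been applied, and a
    #    DC that has run for months has had the longest exposure window.
    $lastBoot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $uptimeDays = [math]::Round(((Get-Date) - $lastBoot).TotalDays, 1)

    # 2. Known sample names on the system drive. Slow on a large disk, but the
    #    report gives no fixed drop path (assumption: search the whole drive).
    $fileHits = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File `
        -Include $Names -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName

    # 3. Modules loaded in lsass.exe whose Authenticode signature is missing,
    #    invalid, or not Microsoft's. A DLL that patches LSASS in memory has to
    #    be mapped there. Legitimate third-party authentication packages,
    #    password filters and security agents also load here, so every hit
    #    still needs a human look rather than an automatic verdict.
    $oddModules = foreach ($m in (Get-Process -Name lsass).Modules) {
        if (-not $m.FileName) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Module    = $m.FileName
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        LastBoot            = $lastBoot
        UptimeDays          = $uptimeDays
        KnownNameHits       = @($fileHits)
        SuspectLsassModules = @($oddModules)
    }
}

# Hosts with any hit sort first; review those before the rest.
$findings |
    Sort-Object { $_.KnownNameHits.Count + $_.SuspectLsassModules.Count } -Descending |
    Format-List Host, LastBoot, UptimeDays, KnownNameHits, SuspectLsassModules
```

Run it from an administrative workstation as, for example, `.\Hunt-SkeletonKey.ps1 -ExtraHosts jump01,jump02`. Because the report describes the patch as living only in memory, an empty result on a DC that was rebooted yesterday says little about the week before; pair the uptime figure with whatever authentication logging the domain keeps for that window, and treat any non-Microsoft module in lsass.exe as a lead to explain, not as proof on its own.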