Stopping Skeleton Key Malware from Causing Data Breaches

Proving the old adage that “criminals never sleep,” a new piece of malware is making headlines. The aptly named Skeleton Key malware, detected in mid-January, bypasses the password authentication protection of Active Directory. Just as skeleton keys from the last century unlocked any door in a building, Skeleton Key malware can unlock access to any AD protected resource in an organization. Understanding Skeleton Key, along with methods of prevention, detection, and remediation, will empower IT admins in their fight against this latest security threat.

AD is the cornerstone of many organization’s network security. It is ubiquitously integrated with virtually every type of IT system. From standard file servers to financial systems to VPN concentrators, AD is often the component authenticating username and passwords. Installed on an AD domain controller, Skeleton Key enables an attacker to authenticate as any AD user. Domain Users, Domain Admins, and even Enterprise Admins are all equally compromised. Scary stuff indeed!

Two key attributes inhibit Skeleton Key infections spreading. The malware requires direct domain controller access for installation and is only memory resident once installed. Requiring domain controller access means the DC must be compromised using other methods before Skeleton Key installation. More likely than not, Skeleton Key will travel with other malware. The initial malware opens the door to the DC allowing Skeleton Key to blast open attacker access to the entire AD protected network. Proving this point, Skeleton Key has recently been found on systems infected with backdoor.Winnti. The backdoor.Winnti trojan likely created the backdoor access for Skeleton Key installation.

Skeleton Key is an in-memory patch. This makes the malware memory resident only. A simple reboot of the DC wipes Skeleton Key from memory requiring reinstallation. Unfortunately, DCs often go weeks or even months between reboots. Likeliness of reinfection after reboot depends on the malware accompanying Skeleton Key. With slight modification, Trojans such as backdoor.Winnti might automate Skeleton Key reinfection after a DC reboot.

The best defense against Skeleton Key is multifaceted. Begin with basics including installing Windows Updates and updating malware protection on all systems in the network. Microsoft may release patches at any time that hinder Skeleton Key’s effectiveness. Malware protection, in addition to detecting Skeleton Key in memory on an infected DC, may detect other enabling threats such as backdoor.Winnti on the network.

Regularly scheduled reboots of domain controllers wipe Skeleton Key from memory. Well-designed AD environments have multiple DCs allowing reboots without network downtime. Environments with single DCs should schedule reboots at off hours. Reboots won’t prevent reinfection, but they will require attackers to work harder in order to maintain access to your network via Skeleton Key.

Use robust auditing. Skeleton Key leverages PSExec to compromise systems. PSExec logs Event IDs 7045 and 7036 when used. Auditing the Event Logs for these IDs will help identify malicious vs. expected uses of the PSExec utility. Also audit all logons using domain or enterprise admin credentials anywhere on the network. Installation of Skeleton Key requires domain admin privileges or higher. Since these high level logons should be limited, identifying unusual logon activity may identify an infection quickly. Likewise, monitoring for unexpected password changes for domain and enterprise admin accounts may expose an attacker at work.

Implement multi-factor authentication. Skeleton Key only bypasses single-factor password based authentication. If a second factor is in use, such as biometrics or tokens, Skeleton Key is ineffective. While implementing multi-factor authentication requires some investment, its benefits are widespread.

Skeleton Key’s potential to wreak havoc is significant. A Skeleton Key infection provides an attacker access to confidential files, sensitive email, and even powerful financial systems. Diligent IT pros must take sensible steps now to prevent their organization from becoming a Skeleton Key case study.


During his 25+ years in the IT industry, John has enjoyed the opportunity to work as a consultant, architect, executive, speaker, and author. He's been involved in multi-national networking, messaging, and communications projects as well as finding solutions for small businesses allowing them to use technology to increase business opportunity and decrease operational complexity. John is a contributing editor for the Petri.com online community as well as senior contributor to Tom’s IT Pro. John has authored material for Redmond Magazine, Netwrix blog, and both Thomson-Reuters' Aspatore Books and Exec Blueprints publications. He also develops exciting technology training courses for the leader in IT training, Pluralsight. John often speaks at IT events around the nation. When he’s not presenting at a conference, John can often be found leading informative webinars. John is proud to be honored as a multi-year Microsoft MVP and for receiving NEOSA’s CIO of the Year Award.