Skeleton Keys (PTA Abuse)

PTA (Pass through authentication)

What Is Skeleton Keys (PTA Abuse)

Allows TA to backdoor or MiTM the pass through-authentication mechanism used for authentication.

When a user logs into Azure AD, it is redirected to the PTA agent which checks with the DC if the password is correct
When password is correct, the PTA agent responds to Azure AD and grants access.

Attack

Adam Chester Blog:

@_xpn_ - Azure AD Connect for Red TeamersXPN InfoSec Blog

Attack flow

Inject a DLL into the Azure AD Sync process (AzureADConnectAuthenticationAgentService.exe).
From within the injected DLL, patch the LogonUserW function to jump to our hook.
When our hook is invoked, parse and store the credentials.
Forward the authentication request on to LogonUserExW.
Return the result.

PTASpy:

https://github.com/Gerenios/public/blob/master/PTASpy.cpp

If Hybrid Identity Administrator account is compromised, the TA can download and install AD connect agent on the attacker machine and harvest more credentials.

DFIR

Skeleton Keys (PTA Abuse)

What Is Skeleton Keys (PTA Abuse)

Attack

Adam Chester Blog:

PTASpy:

Detect

What logs are available?

Mitigate