Suspected skeleton key attack (encryption downgrade)
We are seeing this error on a couple of recently built 2016 Servers:
Suspected skeleton key attack (encryption downgrade)
<server> offered a weaker encryption method (RC4) for the authentication of <user> on <laptop>
Simply setting the order of the Cipher suite seems to be a viable solution?
https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/
Can anyone confirm:
How to replicate the error?
Does this work in fixing it?
Thanks
Dave C
10 Replies
- EliOfek (Microsoft)

  Start with this guide to diagnose the problem. Unless you changed something in the cipher suite which is now using something not standard, I don't think it's the issue.

- David Caddick (Iron Contributor), replying to EliOfek

  So are we saying that if we see this there is zero chance it's just a misconfigured DC and that it's 100% confident that it's an instance of malware/malicious intent, etc.?

  Use this info to verify: https://www.virusbulletin.com/virusbulletin/2016/01/paper-digital-bian-lian-face-changing-skeleton-key-malware

  Run this to remove: https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

  And I'm guessing it's a case of checking all the rest of the DCs and servers in the vicinity that can be touched as well...?

- EliOfek (Microsoft), replying to David Caddick

  I am not familiar with the first link; the second one is to scan, and it's a good idea to use it and see what it says. Unless you can provide a legit reason why in this case the encryption was downgraded, I would not rule out malware. To research deeper, an engineer needs to look at the actual data, which is not suitable for a forum 🙂 If you need more confidence on how to handle it, I suggest opening a ticket with support, who can help.