Identity is one of the cornerstones of application security. On Windows domains, identity is managed through the Active Directory (AD) Domain Services on the Domain Controller (DC). Therefore, it should come as no surprise that advanced attackers are actively targeting the DC. Earlier this year, Dell SecureWorks shared a report on an advanced attack campaign using dedicated DC malware named “Skeleton Key”. The Skeleton Key malware modifies the DC's behavior to accept authentications that specify a secret “skeleton key” (i.e. “master key”) password, thus enabling the attackers to log in from any computer as any domain user without installing any additional malware, while leaving the original users’ authentication behavior intact. In this talk, we will explore the unique interaction between this malware functionality and the Kerberos authentication protocol; we will put special emphasis on how it manifests in network traffic. We will also share a script that implements remote detection of the Skeleton Key malware functionality. The talk was given at the TCE2015 summer school, Technion, Israel.