8.4 - Skeleton Key
Skeleton Key
Skeleton Key is a Domain Controller (DC) post-exploitation persistence technique where the lsass.exe
process is patched in memory to accept a master password for all users.
Key Concepts
Discovered by Dell SecureWorks in malware named Skeleton Key.
Once injected, any valid username can be used to authenticate with a universal password (usually
mimikatz
).Does not survive reboots, as it’s a memory patch.
Can cause instability and interfere with services like Active Directory Certificate Services (AD CS).
Requires Domain Admin privileges.
Usage with Mimikatz (PowerShell Remoting)
To inject the Skeleton Key into lsass.exe
on a Domain Controller:
After injection, login to any machine in the domain using any valid username and the password
mimikatz
.
Example:
OPSEC Warning: Easily detectable due to behavior and logging. Avoid on mature/monitored environments.
If lsass.exe
is a Protected Process (PPL)
lsass.exe
is a Protected Process (PPL)In some environments, lsass
runs with Protected Process Light (PPL). You can still inject Skeleton Key using the Mimikatz driver:
This involves kernel-mode driver loading (mimidriv.sys
) and is very noisy—triggers EDR alerts and logging.
Last updated