Skeleton Key
OPSEC: The Skeleton Key method is considered highly OPSEC-risky due to direct interaction with the DC and the potential for detection in memory or logs.
The Skeleton Key attack patches the LSASS process on a Domain Controller so that it accepts a single hardcoded "master password" for every domain user. The master password is accepted in addition to each user's real password, so with the backdoor in place the attacker can authenticate as any user — including privileged accounts — while nothing about the stored credentials in Active Directory changes.
Executing this attack requires Domain Admin privileges and direct code injection into LSASS. Because the patch lives only in LSASS memory, it does not survive a reboot of the DC, and it is known to interfere with services such as Active Directory Certificate Services (AD CS), potentially causing instability.
```powershell
# The default password is mimikatz
.\SafetyKatz.exe '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcop.moneycorp.local
```
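From the defender's side, the usual signal for an in-memory Skeleton Key is a Kerberos encryption downgrade: the patched DC hands out RC4-HMAC (etype 0x17) TGTs to accounts that normally receive AES tickets, visible in Security event 4768. The following Python is an added example (not part of the original notes) that applies that rule to constructed 4768 records; the account-to-msDS-SupportedEncryptionTypes map and the sample events are invented for the demonstration, and in practice both would be pulled from the DCs' Security logs and from AD.

```python
"""Flag RC4 TGT issuance (event 4768) for accounts that should receive AES tickets.

Constructed sample data; in production, collect 4768 events from every DC and read
msDS-SupportedEncryptionTypes for each account from Active Directory.
"""
from collections import Counter
from dataclasses import dataclass

# msDS-SupportedEncryptionTypes bit flags (documented Windows values)
RC4_HMAC = 0x04
AES128_CTS = 0x08
AES256_CTS = 0x10
AES_ANY = AES128_CTS | AES256_CTS

# Kerberos etype 23 (RC4-HMAC) as it appears in the TicketEncryptionType field of 4768
ETYPE_RC4 = 0x17


@dataclass(frozen=True)
class TgtRequest:
    """Fields of interest from a Security event 4768 (Kerberos TGT requested)."""
    dc: str            # DC whose Security log produced the event
    account: str       # TargetUserName
    client_ip: str     # IpAddress
    ticket_etype: int  # TicketEncryptionType (0xFFFFFFFF when the request failed)
    status: int        # Status: 0x0 on success


# Constructed: msDS-SupportedEncryptionTypes as AD would report it per account
SUPPORTED_ETYPES = {
    "administrator": RC4_HMAC | AES_ANY,
    "jdoe": RC4_HMAC | AES_ANY,
    "svc_legacy": RC4_HMAC,  # RC4-only account: an RC4 TGT is expected here
}

# Constructed sample 4768 events
SAMPLE_4768 = [
    TgtRequest("dc01", "administrator", "10.10.5.7", 0x17, 0x0),
    TgtRequest("dc01", "administrator", "10.10.1.2", 0x12, 0x0),
    TgtRequest("dc02", "svc_legacy", "10.10.3.3", 0x17, 0x0),
    TgtRequest("dc01", "jdoe", "10.10.5.7", 0xFFFFFFFF, 0x18),  # pre-auth failed
    TgtRequest("dc01", "jdoe", "10.10.5.7", 0x17, 0x0),
]


def supports_aes(account, supported):
    """True when AD says the account has AES keys; unknown accounts are not flagged."""
    flags = supported.get(account.lower())
    return flags is not None and bool(flags & AES_ANY)


def find_rc4_downgrades(events, supported):
    """Successful RC4 TGT issuances for accounts that should have received AES tickets."""
    return [
        e for e in events
        if e.status == 0x0
        and e.ticket_etype == ETYPE_RC4
        and supports_aes(e.account, supported)
    ]


def downgrades_per_dc(events, supported):
    """The patch lives in one DC's LSASS, so downgrades cluster on that DC."""
    return Counter(e.dc for e in find_rc4_downgrades(events, supported))


if __name__ == "__main__":
    for e in find_rc4_downgrades(SAMPLE_4768, SUPPORTED_ETYPES):
        print(f"RC4 TGT for AES-capable account {e.account} on {e.dc} from {e.client_ip}")
    print(dict(downgrades_per_dc(SAMPLE_4768, SUPPORTED_ETYPES)))
```

Baseline first: clients that only negotiate RC4 also produce 0x17 tickets, so the useful alert is a cluster of RC4 TGTs for AES-capable accounts on a single DC, and because the patch is lost on reboot, a cluster that stops exactly at a DC restart is a further hint.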
If LSASS is running as a Protected Process Light (PPL) — which is common in hardened environments — standard Skeleton Key injection will fail. In such cases, the attack can still be performed using the Mimikatz driver (mimidrv.sys), which must be placed on disk and loaded on the target DC:
```powershell
.\mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "misc::skeleton" "!-"
```
This approach temporarily disables protection on LSASS to allow patching, but it is extremely noisy, involving kernel-mode driver installation, which is likely to trigger alerts in modern EDRs and logging systems.
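The driver route leaves a durable trace that the in-memory patch does not: loading mimidrv.sys registers a kernel-mode service, which the System log records as event 7045 ("A service was installed in the system"). The Python below is an added example (not from the original notes) that screens constructed 7045 records from a DC; the sample records, the `Computer`/`ServiceName`/`ImagePath`/`ServiceType` field names and the `mimidrv` service name used as a known indicator are assumptions for the demonstration, and any kernel driver installed outside `System32\drivers` on a DC is treated as worth a look regardless of name.

```python
"""Flag kernel-driver installs recorded as System event 7045 on Domain Controllers.

Constructed sample records; real ones would come from Get-WinEvent or the SIEM.
"""

TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Assumed indicator: service name registered for the mimikatz driver
KNOWN_DRIVER_SERVICE_NAMES = {"mimidrv"}

# Constructed sample 7045 records from one DC
SAMPLE_7045 = [
    {"Computer": "dc01", "EventID": 7045, "ServiceName": "mimidrv",
     "ImagePath": "\\??\\C:\\Users\\Public\\mimidrv.sys",
     "ServiceType": "kernel mode driver", "AccountName": "LocalSystem"},
    {"Computer": "dc01", "EventID": 7045, "ServiceName": "vmxnet3",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\vmxnet3.sys",
     "ServiceType": "kernel mode driver", "AccountName": "LocalSystem"},
    {"Computer": "dc01", "EventID": 7045, "ServiceName": "MonitoringAgent",
     "ImagePath": "C:\\ProgramData\\Agent\\agent.exe",
     "ServiceType": "user mode service", "AccountName": "LocalSystem"},
    {"Computer": "dc01", "EventID": 7045, "ServiceName": "tmpdrv",
     "ImagePath": "system32\\drivers\\..\\..\\temp\\tmpdrv.sys",
     "ServiceType": "kernel mode driver", "AccountName": "LocalSystem"},
]


def normalize_image_path(raw):
    """Reduce the ImagePath variants seen in 7045 to one lowercase absolute path."""
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):           # NT object-manager prefix
        p = p[4:]
    if p.startswith("\\systemroot\\"):   # \SystemRoot\... form
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif not (len(p) > 1 and p[1] == ":") and not p.startswith("\\"):
        p = "c:\\windows\\" + p          # drivers often log a path relative to %SystemRoot%
    return p


def is_trusted_driver_path(path):
    """Only the real drivers directory counts, and no '..' traversal out of it."""
    return path.startswith(TRUSTED_DRIVER_DIR) and "\\..\\" not in path


def find_suspicious_driver_installs(events):
    """Return kernel-driver installs with a known bad name or an untrusted image path."""
    hits = []
    for e in events:
        if e.get("EventID") != 7045 or "kernel mode driver" not in e["ServiceType"].lower():
            continue
        path = normalize_image_path(e["ImagePath"])
        reasons = []
        if e["ServiceName"].lower() in KNOWN_DRIVER_SERVICE_NAMES:
            reasons.append("known-mimikatz-driver-name")
        if not is_trusted_driver_path(path):
            reasons.append("driver-outside-system32-drivers")
        if reasons:
            hits.append({"host": e["Computer"], "service": e["ServiceName"],
                         "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_driver_installs(SAMPLE_7045):
        print(f"{h['host']}: service {h['service']} -> {h['path']} ({', '.join(h['reasons'])})")
```

Pairing this with the Kerberos downgrade check is what makes the driver variant stand out: a 7045 for a kernel driver on a DC immediately followed by RC4 TGTs for AES-capable accounts on that same DC is the sequence this page's second command would produce.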