
Skeleton Key Installation

Master Password Backdoor on Domain Controller

Inject a Skeleton Key into the Domain Controller's LSASS process to create a master password that authenticates as any user — while existing passwords continue to work normally.

Advanced | ~5 min | T1556.001
Prerequisites: Domain Admin rights, access to Domain Controller, Mimikatz

Gain Domain Admin Access to DC


Step 1: Gain Access to the DC

Establish a remote PowerShell session on the Domain Controller using Domain Admin credentials. The Skeleton Key attack must be run directly on the DC because it patches the LSASS process in memory.

We are logging into the Domain Controller itself as a Domain Admin. We need to be ON the DC because the backdoor we are about to install lives in the DC's memory.

Detection Events
7045: New service installed on DC
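
To review the 7045 detection event listed above from the defender's side, the following added example (not part of the original page) pulls recent service-install events from a DC's System log and marks any service missing from a known-good baseline. The function name, the baseline list, its sample service names and the 7-day window are assumptions for illustration.

```powershell
# Added example: triage Event ID 7045 (new service installed) on a Domain Controller.
# Get-NewServiceInstall, -BaselineServices and the 7-day default are hypothetical choices.
function Get-NewServiceInstall {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string[]]$BaselineServices = @()   # service names expected on this DC
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = $Since
    }

    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it
    # so an empty result is simply an empty pipeline.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 7045 EventData fields: ServiceName, ImagePath, ServiceType, StartType, AccountName
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                InstalledBy = $_.UserId            # SID of the account that installed the service
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                ServiceType = $data['ServiceType']
                StartType   = $data['StartType']
                RunAs       = $data['AccountName']
                InBaseline  = $BaselineServices -contains $data['ServiceName']
            }
        }
}

# Usage: show only installs that are not in the baseline for DC01 (baseline names are samples).
Get-NewServiceInstall -ComputerName 'DC01' -BaselineServices @('ExampleBackupAgent', 'ExampleAvService') |
    Where-Object { -not $_.InBaseline } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, ServiceName, ServiceType, ImagePath, InstalledBy -AutoSize
```

Any unbaselined service on a DC, in particular one installed from a remote session or from a user-writable path, is worth correlating with logon events for the `InstalledBy` account.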
Attack Flow
[Diagram: Attacker (Domain Admin) -> PSRemoting as DA -> DC01 (Target) -> LSASS Process]

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.