# Skeleton Keys

The Skeleton Key malware "patches" the authentication code of a domain controller so that a second, attacker-chosen master password is accepted for any domain user, including admins.

This enables the attacker to logon as any user they want with the master password (skeleton key) configured in the malware.

"Joe User" logs in using his usual password with no changes to his account. The attacker can log in as Joe using the skeleton key password and it is seen as a valid logon.

**Attack**

In order to perpetrate this attack, the attacker must have Domain Admin rights. The patch lives only on the domain controller where it is applied, so it must be deployed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective. Rebooting a domain controller removes the malware, and the attacker has to redeploy it.
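Because the patch is applied in memory on each domain controller individually, the defensive checks have to be run against every DC rather than against the domain as a whole. The script below is an added example, not code from the original page: it lists every DC, reads the LSA Protection setting (`RunAsPPL` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which makes LSASS a protected process and blocks the user-mode injection mimikatz uses unless the attacker first loads a driver to strip the protection) and reports the last boot time, which bounds how long an in-memory patch could have survived. It assumes the RSAT ActiveDirectory module and WinRM (`Invoke-Command`) access to the DCs.

```powershell
# Added example (not from the original page): audit LSA Protection and uptime on every DC.
# Assumes the RSAT ActiveDirectory module and WinRM access to each domain controller.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        RunAsPPL     = $lsa.RunAsPPL                 # $null when the value has never been set
        LsaProtected = ($lsa.RunAsPPL -ge 1)         # any non-zero value enables LSA Protection
        LastBoot     = $os.LastBootUpTime            # an in-memory patch cannot predate this
        UptimeDays   = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
    }
}

# Unprotected DCs first: those are the ones where a skeleton key can be planted
# with nothing more than Domain Admin rights.
$report | Sort-Object LsaProtected, UptimeDays -Descending |
    Format-Table Host, RunAsPPL, LsaProtected, LastBoot, UptimeDays -AutoSize
```

Any DC with `LsaProtected` false is the priority: enabling `RunAsPPL` there (and rebooting, which also flushes any patch already present) is the single configuration change that raises the bar most for this technique.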

To start the attack we can simply use mimikatz, which already implements this technique: a few command lines are enough to reach our goal.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MWuKhOo68FH3uF6rWDj%2F-MWuKjGRd6N9wTL2-E-9%2Fimage.png?alt=media\&token=4ae9a406-7d84-41c7-b3ef-d7c63ec5fa15)

Now we can access anywhere on our Domain with the default password "mimikatz" and we can authenticate utilizing any of the Domain Admins available in the Domain.

**This will work for any user not just Domain Admins, this is a Master Password for everyone.**

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MWuKhOo68FH3uF6rWDj%2F-MWuKkFMUZ_0Z04LkpNO%2Fimage.png?alt=media\&token=0ba26f5d-cb0a-4dd7-b6a4-eea1dfd29c5e)

We do have to take into consideration that this technique stops working when the DC is rebooted: mimikatz patches "lsass.exe" in memory only, so once the DC reboots the patch is gone.
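Since the patch exists only inside the running lsass.exe, the evidence is in what was done to LSASS and in what the DC now accepts. The following is an added example, not code from the original page, of the two checks a defender would run against each DC: a hunt through the Security log for the registration that the mimikatz implementation leaves behind (event 4611 with a logon process named `User32LogonProcesss`, three s's, and event 4673 showing lsass.exe calling `LsaRegisterLogonProcess()` with `SeTcbPrivilege`, which requires "Audit Sensitive Privilege Use" to be enabled), and a canary bind: an LDAP bind as a dedicated, unprivileged test account using the default skeleton key password from the page. On a healthy DC the bind fails; if it succeeds, that DC's LSASS is patched. The account name `CONTOSO\skeletonkey-canary`, the seven-day window and the exact message patterns are assumptions, and the probe only covers the default password, since a recompiled mimikatz can carry a different one.

```powershell
# Added example (not from the original page): hunt for Skeleton Key indicators on every DC.
# Assumes the RSAT ActiveDirectory module, remote Security-log access to the DCs, and
# "Audit Sensitive Privilege Use" enabled on them (without it, event 4673 is never written).
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)                    # lookback window (assumed)
$dcs   = (Get-ADDomainController -Filter *).HostName

function Get-SkeletonKeyIndicators {
    param([string]$Dc)

    # 4611: a trusted logon process registered itself with LSA. The mimikatz skeleton key
    # registers "User32LogonProcesss" (three s's); the genuine one is "User32LogonProcess".
    $regs = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4611; StartTime = $since } |
            Where-Object { $_.Message -match 'User32LogonProcesss' }

    # 4673: a privileged service was called. The injection shows as lsass.exe calling
    # LsaRegisterLogonProcess() with SeTcbPrivilege.
    $priv = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4673; StartTime = $since } |
            Where-Object { $_.Message -match 'lsass\.exe' -and
                           $_.Message -match 'LsaRegisterLogonProcess' -and
                           $_.Message -match 'SeTcbPrivilege' }

    [pscustomobject]@{
        DomainController   = $Dc
        LastBoot           = (Get-CimInstance Win32_OperatingSystem -ComputerName $Dc).LastBootUpTime
        LogonProcessEvents = @($regs).Count        # anything above 0 is a strong indicator
        TcbPrivilegeEvents = @($priv).Count
    }
}

# Canary bind. The test account's real password is NOT the string below, so the bind can
# only succeed if the DC accepts a second, universal password. Account name is a placeholder.
function Test-SkeletonKeyBind {
    param(
        [string]$Dc,
        [string]$User     = 'CONTOSO\skeletonkey-canary',
        [string]$Password = 'mimikatz'            # mimikatz's built-in skeleton key password
    )
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc", $User, $Password)
        $null  = $entry.NativeObject              # touching NativeObject forces the bind
        return $true                              # accepted: this DC's LSASS is patched
    } catch {
        return $false                             # rejected, as expected on a healthy DC
    }
}

foreach ($dc in $dcs) {
    Get-SkeletonKeyIndicators -Dc $dc |
        Add-Member -NotePropertyName AcceptsSkeletonPassword `
                   -NotePropertyValue (Test-SkeletonKeyBind -Dc $dc) -PassThru
}
```

The canary account doubles as a tripwire: it is never used for anything else, so a successful logon event (4624 or a Kerberos TGT in 4768) for it on any DC is itself an alert, regardless of whether the probe above happened to run. Treat a true `AcceptsSkeletonPassword` as a confirmed Domain Admin compromise of that DC, not just of LSASS; rebooting clears the patch but not the access that planted it.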

