Tags: active directory, lsass, skeleton key, for responders

Skeleton Key: the master password that lives only in DC memory

Skeleton Key patches LSASS on domain controllers to add a master password while real passwords still work. It is memory-resident, so you reboot to evict it, not reset passwords.

Skeleton Key is what an attacker who already owns Domain Admin does to stay in stealthily. They patch the authentication path inside the LSASS process on domain controllers so a single master password authenticates as any user, while every real password keeps working.

How the attack works

A privileged action on a domain controller opens a handle to the LSASS process with inject rights. The attacker patches the in-memory authentication path so LSASS accepts a master password in addition to each user’s real password, and nothing is written to disk. Several accounts then authenticate from one source while their real passwords also still work, often with a downgraded or unusual encryption type, and the attacker logs on as different privileged users at will. Users notice nothing. In ATT&CK terms this is T1556, Modify Authentication Process, with T1003, OS Credential Dumping. The tell is suspicious LSASS process access on a domain controller plus one source authenticating as many users whose real passwords still work.
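The two tells named above can be turned into detection logic. The following is an added example written for this note, not code from the original page or from any vendor: it runs over constructed sample events shaped like Sysmon Event ID 10 (ProcessAccess) and Windows Security Event ID 4768 (Kerberos TGT request). The field names are simplified from those logs, the list of domain controllers and the three-account threshold are assumptions, and the sample events are made up for the demonstration.

```python
"""Skeleton Key detection over constructed sample events (added example).

Two signals from the field note:
  1. a process on a domain controller opening lsass.exe with rights
     sufficient to write memory or start a thread (Sysmon EID 10), and
  2. one client address obtaining Kerberos TGTs (EID 4768) for many
     distinct accounts with a downgraded encryption type (RC4, 0x17)
     for accounts that were previously seen using AES.
All events below are constructed samples, not real log data.
"""
from collections import defaultdict

# Process access rights (from the Sysmon EID 10 GrantedAccess mask) that
# allow writing into or running code inside another process.
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

RC4_HMAC = 0x17           # TicketEncryptionType value for RC4-HMAC
AES_TYPES = {0x11, 0x12}  # AES128-CTS / AES256-CTS

# Assumed set of domain controller hostnames in this environment.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed Sysmon ProcessAccess (EID 10) samples.
SYSMON_EVENTS = [
    {"Computer": "DC01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1000},
    {"Computer": "DC01", "SourceImage": r"C:\Users\admin\tools\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1F0FFF},
    {"Computer": "WS07", "SourceImage": r"C:\tools\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1F0FFF},
]

# Constructed Kerberos TGT request (EID 4768) samples.
KERB_EVENTS = [
    {"TargetUserName": "alice",   "IpAddress": "10.0.0.5",  "EncType": 0x12},
    {"TargetUserName": "alice",   "IpAddress": "10.0.0.99", "EncType": 0x17},
    {"TargetUserName": "bob",     "IpAddress": "10.0.0.99", "EncType": 0x17},
    {"TargetUserName": "svc_sql", "IpAddress": "10.0.0.99", "EncType": 0x17},
    {"TargetUserName": "carol",   "IpAddress": "10.0.0.7",  "EncType": 0x12},
]


def lsass_inject_access(events, dcs):
    """Return (computer, source image) pairs where a process on a domain
    controller opened lsass.exe with write or create-thread rights."""
    hits = []
    for e in events:
        if e["Computer"] not in dcs:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["GrantedAccess"] & INJECT_MASK:
            hits.append((e["Computer"], e["SourceImage"]))
    return hits


def rc4_fanout(events, min_accounts=3):
    """Return client addresses that obtained RC4 TGTs for at least
    `min_accounts` distinct accounts, together with which of those
    accounts had previously been seen using AES (an encryption downgrade).
    The threshold is an assumption; tune it to the environment."""
    aes_users = {e["TargetUserName"] for e in events if e["EncType"] in AES_TYPES}
    rc4_by_ip = defaultdict(set)
    for e in events:
        if e["EncType"] == RC4_HMAC:
            rc4_by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {
        ip: {"accounts": sorted(users), "downgraded": sorted(users & aes_users)}
        for ip, users in rc4_by_ip.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    print(lsass_inject_access(SYSMON_EVENTS, DOMAIN_CONTROLLERS))
    print(rc4_fanout(KERB_EVENTS))
```

On real data the RC4 fan-out check should be scoped to a short time window and to accounts whose normal encryption type is AES, since environments with legacy clients legitimately produce RC4 tickets; the LSASS access check should be restricted to domain controllers, because LSASS access on workstations is a different and noisier signal.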

Why it works

The master password is added in memory and bypasses the normal credential check, so resetting passwords changes nothing while the patch is loaded. That the real passwords keep working is exactly what makes it stealthy.

How to fix it

Because the patch is memory-resident, the non-obvious containment is to isolate and reboot the affected domain controllers to evict it. Then run LSASS as a protected process so re-injection is much harder, remove the Domain Admin access path that allowed the injection, and monitor LSASS process access. Since the attacker already held Domain Admin, treat the domain as fully compromised: rotate KRBTGT twice and reset privileged and service credentials.

Practice it

We built this as a GraphLattice Range scenario so responders can rehearse the LSASS-injection detection and the reboot-to-evict containment.