Malware “patches” the LSASS authentication process in memory on domain controllers to enable a second valid “skeleton key” password that can be used to authenticate as any domain account.