T1556.001 Domain Controller Authentication Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SkeletonKeyIndicators = dynamic([
  "SkeletonKey", "skeleton key", "mimikatz", "misc::skeleton",
  "sekurlsa::pth", "lsadump::lsa"
]);
let SuspiciousLSASSAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessAccessed"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe", "csrss.exe", "werfault.exe", "taskmgr.exe",
    "services.exe", "lsm.exe", "svchost.exe", "winlogon.exe"
  )
| where InitiatingProcessGrantedAccessMask has_any ("0x1fffff", "0x1f3fff", "0x143a", "0x1010")
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName,
          GrantedAccess = InitiatingProcessGrantedAccessMask;
let DCProcessEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SkeletonKeyIndicators)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union SuspiciousLSASSAccess, DCProcessEvents
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Access Process: Process Creation Microsoft Defender for Endpoint DeviceEvents

Required Tables

DeviceEvents DeviceProcessEvents

False Positives

Legitimate endpoint detection and response (EDR) agents that access LSASS for memory scanning (e.g., CrowdStrike Falcon, Carbon Black) — verify via InitiatingProcessFileName allowlist
Windows Error Reporting (WerFault.exe) creating LSASS dumps for debugging — check for corresponding WER entries in Event Log
System Center Configuration Manager (SCCM) or Tanium performing inventory scans that briefly touch LSASS
Antivirus or HIPS software performing process inspection during signature updates

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
  TargetImage="*\\lsass.exe"
  NOT (SourceImage="*\\MsMpEng.exe" OR SourceImage="*\\csrss.exe" OR SourceImage="*\\werfault.exe"
    OR SourceImage="*\\taskmgr.exe" OR SourceImage="*\\services.exe" OR SourceImage="*\\lsm.exe"
    OR SourceImage="*\\svchost.exe" OR SourceImage="*\\winlogon.exe" OR SourceImage="*\\wmiprvse.exe")
| eval HighPrivAccess=if(match(GrantedAccess, "^0x1[f3][0-9a-f]{4}$"), 1, 0)
| eval SkeletonKeyTool=if(match(lower(SourceImage), "(mimikatz|skeleton)"), 1, 0)
| where HighPrivAccess=1 OR SkeletonKeyTool=1
| eval RiskScore=HighPrivAccess + SkeletonKeyTool
| table _time, host, SourceImage, SourceCommandLine, TargetImage, GrantedAccess, SourceUser, RiskScore
| sort - _time
| union
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (CommandLine="*misc::skeleton*" OR CommandLine="*skeleton key*" OR CommandLine="*SkeletonKey*")
  | table _time, host, Image, CommandLine, User]

critical severity high confidence

Data Sources

Process: Process Access Process: Process Creation Sysmon Event ID 10 Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

EDR agents accessing LSASS for memory scanning — build allowlist of known EDR process paths
WerFault.exe during system crash dump creation — correlate with System Event Log crash events
Task Manager used by administrators to view LSASS memory on non-DC systems
Vulnerability scanners performing privilege assessment against LSASS

Elastic Security (EQL)

eql

any where
  (
    event.code == "10" and
    winlog.event_data.TargetImage : "*\\lsass.exe" and
    not winlog.event_data.SourceImage : (
      "*\\MsMpEng.exe", "*\\csrss.exe", "*\\werfault.exe",
      "*\\taskmgr.exe", "*\\services.exe", "*\\lsm.exe",
      "*\\svchost.exe", "*\\winlogon.exe", "*\\wmiprvse.exe"
    ) and
    winlog.event_data.GrantedAccess : ("0x1fffff", "0x1f3fff", "0x143a", "0x1010", "0x143A")
  ) or
  (
    event.code == "1" and
    winlog.event_data.CommandLine : (
      "*misc::skeleton*", "*skeleton key*", "*SkeletonKey*",
      "*sekurlsa::pth*", "*lsadump::lsa*", "*mimikatz*"
    )
  )

critical severity high confidence

Data Sources

Sysmon via Winlogbeat Sysmon via Elastic Agent Windows integration

Required Tables

logs-windows.sysmon_operational-* winlogbeat-* logs-endpoint.events.process-*

False Positives

EDR and AV engines such as CrowdStrike Falcon, SentinelOne, or Cylance access LSASS with high-privilege masks during memory scanning; verify exact executable paths of resident security products on DCs and add them to the NOT condition.
Authorized forensic tools such as Sysinternals ProcDump or WinPmem run by IR teams on domain controllers will match the Event 10 pattern; correlate against IR case numbers or maintenance windows before escalating.
Privileged identity management agents from CyberArk CPM or BeyondTrust that rotate managed account credentials via LSA may produce Event 10 matches; baseline their access patterns per DC host and add named exclusions after verification.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS SourceUser,
  "SourceImage",
  "TargetImage",
  "GrantedAccess",
  "CommandLine",
  QIDNAME(qid) AS EventName,
  logsourcename(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND (
    (
      "eventid" = '10'
      AND "TargetImage" ILIKE '%\lsass.exe'
      AND "SourceImage" NOT ILIKE '%\MsMpEng.exe'
      AND "SourceImage" NOT ILIKE '%\csrss.exe'
      AND "SourceImage" NOT ILIKE '%\werfault.exe'
      AND "SourceImage" NOT ILIKE '%\taskmgr.exe'
      AND "SourceImage" NOT ILIKE '%\services.exe'
      AND "SourceImage" NOT ILIKE '%\lsm.exe'
      AND "SourceImage" NOT ILIKE '%\svchost.exe'
      AND "SourceImage" NOT ILIKE '%\winlogon.exe'
      AND "GrantedAccess" IN ('0x1fffff', '0x1f3fff', '0x143a', '0x1010', '0x143A')
    )
    OR
    (
      "eventid" = '1'
      AND (
        LOWER("CommandLine") ILIKE '%misc::skeleton%'
        OR LOWER("CommandLine") ILIKE '%skeleton key%'
        OR LOWER("CommandLine") ILIKE '%skeletonkey%'
        OR LOWER("CommandLine") ILIKE '%mimikatz%'
        OR LOWER("CommandLine") ILIKE '%sekurlsa::pth%'
        OR LOWER("CommandLine") ILIKE '%lsadump::lsa%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

IBM QRadar with Microsoft Sysmon DSM Windows Event Forwarding (WEF) to QRadar

Required Tables

events

False Positives

Custom property extraction for TargetImage and GrantedAccess in the QRadar DSM Editor may be inconsistent across different Sysmon schema versions; validate extraction rules against known LSASS accesses in a test environment before production deployment.
Third-party security scanning products not in the NOT ILIKE exclusion list may generate high-volume false positives; run SELECT SourceImage, COUNT(*) FROM events WHERE TargetImage ILIKE '%\lsass.exe' GROUP BY SourceImage ORDER BY 2 DESC LAST 7 DAYS to inventory legitimate accessors before tuning.
Inconsistent Sysmon deployment across domain controllers causes false negatives rather than false positives; verify Sysmon is deployed and forwarding on all DCs before treating alert absence as a safety signal.

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" (EventID=10 OR EventID=1)
| parse regex "EventID=(?P<EventID>\d+)" nodrop
| parse regex "TargetImage=(?P<TargetImage>[^\r\n]+)" nodrop
| parse regex "SourceImage=(?P<SourceImage>[^\r\n]+)" nodrop
| parse regex "GrantedAccess=(?P<GrantedAccess>[^\r\n]+)" nodrop
| parse regex "CommandLine=(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "Computer=(?P<Computer>[^\r\n]+)" nodrop
| where (
    EventID = "10"
    and TargetImage matches "*\lsass.exe"
    and GrantedAccess in ("0x1fffff", "0x1f3fff", "0x143a", "0x1010", "0x143A")
    and !(SourceImage matches "*\MsMpEng.exe"
      or SourceImage matches "*\csrss.exe"
      or SourceImage matches "*\werfault.exe"
      or SourceImage matches "*\taskmgr.exe"
      or SourceImage matches "*\services.exe"
      or SourceImage matches "*\lsm.exe"
      or SourceImage matches "*\svchost.exe"
      or SourceImage matches "*\winlogon.exe")
  )
  or (
    EventID = "1"
    and (
      CommandLine matches "*misc::skeleton*"
      or CommandLine matches "*skeleton key*"
      or CommandLine matches "*SkeletonKey*"
      or CommandLine matches "*mimikatz*"
      or CommandLine matches "*sekurlsa::pth*"
      or CommandLine matches "*lsadump::lsa*"
    )
  )
| fields _messageTime, Computer, EventID, SourceImage, TargetImage, GrantedAccess, CommandLine
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Windows Agent with Sysmon Windows Event Forwarding to Sumo Logic HTTP Source

Required Tables

Sysmon Windows event logs (_sourceCategory=windows/sysmon)

False Positives

Regex parsing with nodrop may leave SourceImage or TargetImage empty for events with unexpected Sysmon XML formatting; audit parse coverage with a count by EventID query before relying on this detection in production.
Sumo Logic Cloud SIEM Enterprise uses a normalized schema with different field names than raw log parsing; if using CSE, replace regex-parsed field references with normalized equivalents such as device_process_name and commandLine.
IT operations tools invoking WMI or COM-based remote management may access LSASS indirectly through processes not covered by the exclusion list; check for additional WMI worker process names beyond wmiprvse.exe in your environment.

Google Chronicle / SecOps

yaral

rule skeleton_key_lsass_high_privilege_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-privilege PROCESS_OPEN against lsass.exe consistent with Skeleton Key injection"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.001"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    re.regex($e.target.process.file.full_path, `(?i)\\lsass\.exe$`)
    not re.regex($e.principal.process.file.full_path, `(?i)\\(MsMpEng|csrss|werfault|taskmgr|services|lsm|svchost|winlogon|wmiprvse)\.exe$`)
    (
      $e.additional.fields["GrantedAccess"] = "0x1fffff" or
      $e.additional.fields["GrantedAccess"] = "0x1f3fff" or
      $e.additional.fields["GrantedAccess"] = "0x143a" or
      $e.additional.fields["GrantedAccess"] = "0x1010" or
      $e.additional.fields["GrantedAccess"] = "0x143A"
    )

  condition:
    $e
}

rule skeleton_key_tool_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process launch with Mimikatz or Skeleton Key command-line arguments"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.001"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.command_line, `(?i)(misc::skeleton|skeleton.key|SkeletonKey|sekurlsa::pth|lsadump::lsa|mimikatz)`)

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle with Sysmon UDM ingestion Chronicle Windows Event Forwarder

Required Tables

UDM events: PROCESS_OPEN, PROCESS_LAUNCH

False Positives

Chronicle UDM parser population of additional.fields['GrantedAccess'] from Sysmon Event 10 depends on parser version; validate with a test PROCESS_OPEN query against known-benign LSASS accesses before deploying rule 1 in production alerting.
Security tools performing routine in-memory scanning not covered by the negative regex will generate false positives on rule 1; review principal.process.file.full_path distribution against lsass.exe PROCESS_OPEN events in your Chronicle environment and expand the exclusion alternation accordingly.
Rule 2 fires on any host executing Mimikatz, not only domain controllers; add a condition matching target.hostname against a reference list of DC naming patterns if DC-scoped detection is required to reduce analyst workload.

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["OpenProcessApiCall", "ProcessRollup2"]
| (
    (#event_simpleName = "OpenProcessApiCall"
     and TargetImageFileName = /(?i)\\lsass\.exe$/
     and GrantedAccess = /^(0x1fffff|0x1f3fff|0x143a|0x1010|0x143A)$/i
     and not ImageFileName = /(?i)\\(MsMpEng|csrss|werfault|taskmgr|services|lsm|svchost|winlogon|wmiprvse)\.exe$/)
    or
    (#event_simpleName = "ProcessRollup2"
     and CommandLine = /(?i)(misc::skeleton|skeleton\.key|SkeletonKey|sekurlsa::pth|lsadump::lsa|mimikatz)/)
  )
| DetectionType := if(#event_simpleName = "OpenProcessApiCall",
    "LSASS High Privilege Access", "Skeleton Key Tool Execution")
| table(
    [_time, ComputerName, UserName, ImageFileName, CommandLine,
     TargetImageFileName, GrantedAccess, DetectionType],
    limit=200)
| sort(_time, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Sensor (Enhanced Process Access visibility) CrowdStrike LogScale (Humio)

Required Tables

OpenProcessApiCall ProcessRollup2

False Positives

CrowdStrike Falcon sensor processes (CSFalconService.exe, CSAgent.exe) may generate OpenProcessApiCall events against LSASS during in-memory scanning; these are typically suppressed at the sensor level but may surface in raw LogScale queries — inspect ImageFileName values over the first 24h and add additional not-conditions if needed.
GrantedAccess regex matching is case-sensitive by default in LogScale; the /i flag handles hex case variation (0x143A vs 0x143a) but verify your Falcon sensor firmware reports access masks in a consistent format before relying on the IN-style regex.
ProcessRollup2 events matching the mimikatz pattern may fire on security awareness training files or red team tool archives where mimikatz appears in a file path rather than an active command line; validate with ParentBaseFileName and UserName context before escalating to an incident.

Domain Controller Authentication

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections