T1556.001 Google Chronicle · YARA-L

Detect Domain Controller Authentication in Google Chronicle

Adversaries may patch the authentication process on a domain controller to bypass normal credential validation and gain access to any account. Skeleton Key malware is injected into the LSASS process on a domain controller and patches its authentication routines so that a single attacker-chosen master password is accepted for every user, while each user's real password continues to work. The patch lives only in LSASS memory and is lost on reboot, which makes detecting the injection while it is active (rather than relying on disk artefacts) critical. The Chimera group has used this technique to log in without valid credentials.

MITRE ATT&CK

Tactic
Credential Access, Defense Evasion, Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.001 Domain Controller Authentication
Canonical reference
https://attack.mitre.org/techniques/T1556/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule skeleton_key_lsass_high_privilege_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-privilege PROCESS_OPEN against lsass.exe consistent with Skeleton Key injection"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.001"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    // Sysmon Event ID 10 (ProcessAccess) is mapped to PROCESS_OPEN by the Chronicle Windows parser
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.target.process.file.full_path != ""
    re.regex($e.target.process.file.full_path, `(?i)\\lsass\.exe$`)
    // Known-safe system and security processes that open lsass.exe routinely; extend after baselining
    not re.regex($e.principal.process.file.full_path, `(?i)\\(MsMpEng|csrss|werfault|taskmgr|services|lsm|svchost|winlogon|wmiprvse)\.exe$`)
    // Sysmon and parser versions differ in the hex case they emit (0x1FFFFF vs 0x1fffff), so match
    // the access mask case-insensitively rather than with exact string comparisons.
    // 0x1FFFFF / 0x1F3FFF: full-access masks used for code injection into LSASS.
    // 0x143A / 0x1010: read and query masks used by credential dumpers.
    re.regex($e.additional.fields["GrantedAccess"], `(?i)^0x(1fffff|1f3fff|143a|1010)$`)

  condition:
    $e
}

rule skeleton_key_tool_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process launch with Mimikatz or Skeleton Key command-line arguments"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.001"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    // Sysmon Event ID 1 (ProcessCreate) / Security 4688 map to PROCESS_LAUNCH; the launched
    // process and its command line sit under target.process, the parent under principal.process
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
    // misc::skeleton is the Skeleton Key module itself; skeleton[ _-]?key covers "SkeletonKey",
    // "skeleton key" and similar spellings; sekurlsa::pth and lsadump::lsa are broader Mimikatz
    // credential-access modules kept here because they share the same tooling
    re.regex($e.target.process.command_line, `(?i)(misc::skeleton|skeleton[ _\-]?key|sekurlsa::pth|lsadump::lsa|mimikatz)`)

  condition:
    $e
}

Two Chronicle YARA-L 2.0 rules for T1556.001. Rule 1 (skeleton_key_lsass_high_privilege_access) matches PROCESS_OPEN UDM events (Sysmon Event ID 10, ProcessAccess) whose target is lsass.exe and whose GrantedAccess mask, carried in additional.fields, is one of the listed high-privilege values, after excluding known-safe system and security processes as the source. Rule 2 (skeleton_key_tool_execution) matches PROCESS_LAUNCH events (Sysmon Event ID 1 or Security 4688) whose command line contains Mimikatz or Skeleton Key module names. Both rules depend on Sysmon telemetry ingested through the Chronicle Windows forwarder with a parser that maps these events to the PROCESS_OPEN and PROCESS_LAUNCH UDM event types; rule 1 additionally depends on the parser populating additional.fields["GrantedAccess"].
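The logic of both rules, run over a handful of constructed UDM-shaped events, as an added example that is not part of the original page or of Chronicle itself. It mirrors the field names the YARA-L rules read (flattened into dict keys for readability) and makes one caveat concrete: an exact string match on lowercase hex silently misses a GrantedAccess value that the parser wrote as 0x1FFFFF, whereas a case-insensitive match catches it. The events, hostnames and paths are invented test data.

```python
import re

# Constructed UDM-shaped events (not real Chronicle data), flattened to dotted keys.
# Only the fields the two YARA-L rules read are populated.
EVENTS = [
    {"id": "e1", "metadata.event_type": "PROCESS_OPEN",
     "principal.process.file.full_path": r"C:\Windows\Temp\mimikatz.exe",
     "target.process.file.full_path": r"C:\Windows\System32\lsass.exe",
     "additional.fields": {"GrantedAccess": "0x1FFFFF"}},   # uppercase hex from the parser
    {"id": "e2", "metadata.event_type": "PROCESS_OPEN",
     "principal.process.file.full_path": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target.process.file.full_path": r"C:\Windows\System32\lsass.exe",
     "additional.fields": {"GrantedAccess": "0x1fffff"}},   # AV engine, on the exclusion list
    {"id": "e3", "metadata.event_type": "PROCESS_OPEN",
     "principal.process.file.full_path": r"C:\Windows\System32\svchost.exe",
     "target.process.file.full_path": r"C:\Windows\System32\lsass.exe",
     "additional.fields": {"GrantedAccess": "0x1000"}},     # query-only access, not in the list
    {"id": "e4", "metadata.event_type": "PROCESS_OPEN",
     "principal.process.file.full_path": r"C:\Tools\procdump64.exe",
     "target.process.file.full_path": r"C:\Windows\System32\lsass.exe",
     "additional.fields": {"GrantedAccess": "0x1010"}},     # dumper read mask, lowercase
    {"id": "e5", "metadata.event_type": "PROCESS_LAUNCH",
     "target.process.file.full_path": r"C:\Windows\Temp\m.exe",
     "target.process.command_line": 'm.exe "privilege::debug" "misc::skeleton" exit'},
    {"id": "e6", "metadata.event_type": "PROCESS_LAUNCH",
     "target.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target.process.command_line": "powershell.exe Get-Process lsass"},
]

# The same patterns the YARA-L rules use (RE2 and Python re agree on this subset).
LSASS_RE = re.compile(r"(?i)\\lsass\.exe$")
EXCLUDED_RE = re.compile(
    r"(?i)\\(MsMpEng|csrss|werfault|taskmgr|services|lsm|svchost|winlogon|wmiprvse)\.exe$")
ACCESS_EXACT = {"0x1fffff", "0x1f3fff", "0x143a", "0x1010"}        # exact-match variant
ACCESS_RE = re.compile(r"(?i)^0x(1fffff|1f3fff|143a|1010)$")     # case-insensitive variant
TOOL_RE = re.compile(
    r"(?i)(misc::skeleton|skeleton[ _-]?key|sekurlsa::pth|lsadump::lsa|mimikatz)")


def rule1_matches(ev, case_insensitive=True):
    """skeleton_key_lsass_high_privilege_access: PROCESS_OPEN on lsass.exe with a listed mask."""
    if ev.get("metadata.event_type") != "PROCESS_OPEN":
        return False
    if not LSASS_RE.search(ev.get("target.process.file.full_path", "")):
        return False
    if EXCLUDED_RE.search(ev.get("principal.process.file.full_path", "")):
        return False
    granted = ev.get("additional.fields", {}).get("GrantedAccess") or ""
    if case_insensitive:
        return ACCESS_RE.match(granted) is not None
    return granted in ACCESS_EXACT


def rule2_matches(ev):
    """skeleton_key_tool_execution: PROCESS_LAUNCH whose command line names the tooling."""
    if ev.get("metadata.event_type") != "PROCESS_LAUNCH":
        return False
    return TOOL_RE.search(ev.get("target.process.command_line", "")) is not None


def run_rules(events, case_insensitive=True):
    """Return (rule_name, event_id) pairs in event order, as the two rules would alert."""
    hits = []
    for ev in events:
        if rule1_matches(ev, case_insensitive):
            hits.append(("skeleton_key_lsass_high_privilege_access", ev["id"]))
        if rule2_matches(ev):
            hits.append(("skeleton_key_tool_execution", ev["id"]))
    return hits


if __name__ == "__main__":
    print("case-insensitive:", run_rules(EVENTS))
    print("exact match:     ", run_rules(EVENTS, case_insensitive=False))
```

With the case-insensitive mask check the Mimikatz access (e1) and the dumper access (e4) fire and the Defender access (e2) is excluded; with exact lowercase matching e1 is missed entirely, which is why the tuning notes below insist on validating how your parser writes the mask before trusting the rule.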

Data Sources

Google Chronicle with Sysmon UDM ingestion
Chronicle Windows Event Forwarder

Required Tables

UDM events: PROCESS_OPEN, PROCESS_LAUNCH

False Positives & Tuning

  • Whether, and in what hex case, the Chronicle UDM parser populates additional.fields["GrantedAccess"] from Sysmon Event ID 10 depends on the parser version. Before enabling rule 1 for production alerting, run a UDM search for PROCESS_OPEN events targeting lsass.exe from a known-benign source and confirm the field is present and matches the rule's expected values.
  • Security tools that scan LSASS memory routinely (EDR agents, vulnerability scanners, backup agents) and are not covered by the negative regex will generate false positives on rule 1. Review the distribution of principal.process.file.full_path across lsass.exe PROCESS_OPEN events in your environment and extend the exclusion alternation with the signed, expected binaries; the 0x1010 and 0x143A read masks are the ones most often seen from legitimate agents.
  • Rule 2 fires on any host executing Mimikatz, not only domain controllers. If DC-scoped alerting is required to reduce analyst workload, add a condition that compares the hostname (principal.hostname, or target.hostname depending on how your parser populates it) against a Chronicle reference list of domain controllers, for example `$e.principal.hostname in %domain_controllers`.
Testing Methodology

Validate this detection against the 3 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz Skeleton Key Injection (Simulated, Non-DC)

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=mimikatz.exe and CommandLine containing 'misc::skeleton'; Security Event ID 4688 with the mimikatz.exe process command line. If run with sufficient privilege, Sysmon Event ID 10 will additionally show lsass.exe being accessed with a high-privilege mask, which exercises rule 1 as well as rule 2.

  2. Test 2: Suspicious LSASS Access via ProcDump

    Expected signal: Sysmon Event ID 10 (ProcessAccess) with TargetImage=lsass.exe, SourceImage=procdump.exe and GrantedAccess=0x1fffff (check the hex case your parser emits); Sysmon Event ID 11 (FileCreate) for the .dmp file; Security Event ID 4688 for the procdump.exe process creation.

  3. Test 3: LSASS Access via Task Manager (Low-Fidelity Baseline Test)

    Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with Get-Process lsass in the CommandLine; PowerShell ScriptBlock Log Event ID 4104 with the script content; Security Event ID 4688 for powershell.exe. Neither rule is expected to fire on this test; it establishes the benign baseline of lsass.exe process queries.
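A small Sysmon-to-UDM mapping over constructed Event ID 1 and Event ID 10 records, as an added example that is neither the page's own material nor Chronicle's parser. It serves the first tuning note (confirming that every PROCESS_OPEN carries a GrantedAccess value) and the three tests above, whose expected telemetry it reproduces as XML so you can see which UDM fields each test populates. The mapping (parent process to principal.process, created or target process to target.process, GrantedAccess into additional.fields) follows the field names the two rules read; the hostnames, paths and event bodies are invented.

```python
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon EventData fragments (not captured from a real host), one per test above,
# plus a fourth record standing in for a parser or forwarder that dropped GrantedAccess.
SAMPLE_EVENTS = [
    # Test 1: Mimikatz launched with the Skeleton Key module (EID 1)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\Temp\mimikatz.exe</Data>
    <Data Name="CommandLine">mimikatz.exe "privilege::debug" "misc::skeleton" exit</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>""",
    # Test 2: ProcDump opening lsass.exe with PROCESS_ALL_ACCESS (EID 10)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SourceImage">C:\Tools\procdump.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1FFFFF</Data>
  </EventData>
</Event>""",
    # Test 3: PowerShell querying the lsass process (EID 1)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe Get-Process lsass</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    # EID 10 with no GrantedAccess data item: what a broken parser mapping looks like downstream
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID><Computer>DC02.corp.example</Computer></System>
  <EventData>
    <Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
  </EventData>
</Event>""",
]


def parse_sysmon(xml_text):
    """Return (event_id, computer, {Data Name: value}) from one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", SYSMON_NS).text)
    computer = root.find("e:System/e:Computer", SYSMON_NS).text
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", SYSMON_NS)}
    return event_id, computer, data


def to_udm(xml_text):
    """Map EID 1 to PROCESS_LAUNCH and EID 10 to PROCESS_OPEN using the rules' field names.
    Other event IDs are not needed by these rules and return None."""
    event_id, computer, data = parse_sysmon(xml_text)
    if event_id == 1:
        return {"metadata.event_type": "PROCESS_LAUNCH",
                "principal.hostname": computer,
                "principal.process.file.full_path": data.get("ParentImage"),
                "target.process.file.full_path": data.get("Image"),
                "target.process.command_line": data.get("CommandLine"),
                "additional.fields": {}}
    if event_id == 10:
        return {"metadata.event_type": "PROCESS_OPEN",
                "principal.hostname": computer,
                "principal.process.file.full_path": data.get("SourceImage"),
                "target.process.file.full_path": data.get("TargetImage"),
                "additional.fields": {"GrantedAccess": data.get("GrantedAccess")}}
    return None


def granted_access_missing(udm_events):
    """Tuning check: count PROCESS_OPEN events whose GrantedAccess did not survive parsing.
    Anything other than 0 means rule 1 would silently miss those accesses."""
    return sum(1 for u in udm_events
               if u and u["metadata.event_type"] == "PROCESS_OPEN"
               and not u["additional.fields"].get("GrantedAccess"))


UDM = [to_udm(x) for x in SAMPLE_EVENTS]

if __name__ == "__main__":
    for u in UDM:
        print(u["metadata.event_type"], u["principal.hostname"],
              u["target.process.file.full_path"], u["additional.fields"])
    print("PROCESS_OPEN events missing GrantedAccess:", granted_access_missing(UDM))
```

Tests 1 and 3 surface only as PROCESS_LAUNCH records, so only rule 2 can see them (and Test 3 carries nothing rule 2 matches); Test 2 is the one that lands in PROCESS_OPEN with a mask for rule 1. The fourth record shows why the tuning note asks you to confirm GrantedAccess is populated: the process access is still there, but rule 1 has nothing to compare.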
