T1556.001 Elastic Security · Elastic

Detect Domain Controller Authentication in Elastic Security

Adversaries may patch the authentication process on a domain controller to bypass typical authentication mechanisms and enable access to accounts. Malware such as Skeleton Key is injected into LSASS on a domain controller, allowing any user to authenticate with a hardcoded backdoor password. The patch persists only in memory and is erased upon reboot, making detection during active exploitation critical. Chimera group has used this technique to allow login without valid credentials.

MITRE ATT&CK

Tactic: Credential Access, Defense Evasion, Persistence
Technique: T1556 Modify Authentication Process
Sub-technique: T1556.001 Domain Controller Authentication
Canonical reference: https://attack.mitre.org/techniques/T1556/001/

Elastic Detection Query

Elastic Security (Elastic), EQL:

any where
  (
    event.code == "10" and
    winlog.event_data.TargetImage : "*\\lsass.exe" and
    not winlog.event_data.SourceImage : (
      "*\\MsMpEng.exe", "*\\csrss.exe", "*\\werfault.exe",
      "*\\taskmgr.exe", "*\\services.exe", "*\\lsm.exe",
      "*\\svchost.exe", "*\\winlogon.exe", "*\\wmiprvse.exe"
    ) and
    winlog.event_data.GrantedAccess : ("0x1fffff", "0x1f3fff", "0x143a", "0x1010")
  ) or
  (
    event.code == "1" and
    winlog.event_data.CommandLine : (
      "*misc::skeleton*", "*skeleton key*", "*SkeletonKey*",
      "*sekurlsa::pth*", "*lsadump::lsa*", "*mimikatz*"
    )
  )

Severity: critical · Confidence: high

Detects Skeleton Key LSASS injection with Elastic EQL over Sysmon data ingested through Winlogbeat or Elastic Agent. The first branch matches Sysmon Event 10 (Process Access) against lsass.exe with high-privilege GrantedAccess masks from source processes outside the exclusion list; the second matches Sysmon Event 1 (Process Create) with known Mimikatz or Skeleton Key command-line indicators. GrantedAccess 0x1fffff grants full process access; 0x1f3fff covers VM read/write; 0x143a and 0x1010 are common credential-dumping masks seen in Skeleton Key deployments.
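As an added example (not code from this page or from Elastic), the two branches of the rule re-implemented in Python over constructed Winlogbeat-style documents, plus a decoder that names the rights inside a GrantedAccess mask so an analyst can read an alert. The sample documents, the `C:\Temp\m.exe` path and the Defender path are assumptions; the EQL `:` operator is emulated with case-insensitive fnmatch.

```python
import fnmatch

# Process access rights from winnt.h, used only to decode a GrantedAccess
# mask into names so an analyst can read what the source process asked for.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
# The same lists the EQL rule carries.
EXCLUDED_SOURCES = ["*\\MsMpEng.exe", "*\\csrss.exe", "*\\werfault.exe",
                    "*\\taskmgr.exe", "*\\services.exe", "*\\lsm.exe",
                    "*\\svchost.exe", "*\\winlogon.exe", "*\\wmiprvse.exe"]
SUSPICIOUS_MASKS = {0x1fffff, 0x1f3fff, 0x143a, 0x1010}
CMDLINE_PATTERNS = ["*misc::skeleton*", "*skeleton key*", "*skeletonkey*",
                    "*sekurlsa::pth*", "*lsadump::lsa*", "*mimikatz*"]

def _match(value, patterns):
    """Emulate EQL ':', a case-insensitive wildcard comparison."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def decode_mask(granted):
    """Turn a GrantedAccess string such as '0x143A' into sorted right names."""
    mask = int(granted, 16)
    return sorted(name for bit, name in PROCESS_RIGHTS.items() if mask & bit)

def rule_matches(event):
    """True when a Winlogbeat-style document satisfies either rule branch."""
    d = event.get("winlog", {}).get("event_data", {})
    code = event.get("event", {}).get("code")
    if code == "10":  # Sysmon ProcessAccess; int() makes 0x143A == 0x143a
        return (_match(d.get("TargetImage"), ["*\\lsass.exe"])
                and not _match(d.get("SourceImage"), EXCLUDED_SOURCES)
                and int(d.get("GrantedAccess", "0"), 16) in SUSPICIOUS_MASKS)
    if code == "1":  # Sysmon ProcessCreate
        return _match(d.get("CommandLine"), CMDLINE_PATTERNS)
    return False

# Constructed samples, not real telemetry; index 1 is Defender scanning LSASS.
SAMPLE_EVENTS = [
    {"event": {"code": "10"}, "winlog": {"event_data": {
        "SourceImage": "C:\\Temp\\m.exe", "GrantedAccess": "0x143A",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe"}}},
    {"event": {"code": "10"}, "winlog": {"event_data": {
        "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
        "GrantedAccess": "0x1fffff", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}}},
    {"event": {"code": "1"}, "winlog": {"event_data": {
        "CommandLine": 'mimikatz.exe "privilege::debug" "misc::skeleton"'}}},
]
```

Decoding shows that 0x1010 is only QUERY_LIMITED_INFORMATION plus VM_READ, so when tuning exclusions read the decoded rights rather than the raw hex.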

Data Sources

  • Sysmon via Winlogbeat
  • Sysmon via Elastic Agent Windows integration

Required Tables

  • logs-windows.sysmon_operational-*
  • winlogbeat-*
  • logs-endpoint.events.process-*

False Positives & Tuning

  • EDR and AV engines such as CrowdStrike Falcon, SentinelOne, or Cylance access LSASS with high-privilege masks during memory scanning; verify exact executable paths of resident security products on DCs and add them to the NOT condition.
  • Authorized forensic tools such as Sysinternals ProcDump or WinPmem run by IR teams on domain controllers will match the Event 10 pattern; correlate against IR case numbers or maintenance windows before escalating.
  • Privileged identity management agents from CyberArk CPM or BeyondTrust that rotate managed account credentials via LSA may produce Event 10 matches; baseline their access patterns per DC host and add named exclusions after verification.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz Skeleton Key Injection (Simulated, Non-DC)

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'misc::skeleton'. Security Event ID 4688 with ProcessCommandLine=mimikatz.exe. If run with sufficient privilege, Sysmon Event ID 10 will show lsass.exe being accessed with high privilege mask.

  2. Test 2: Suspicious LSASS Access via ProcDump

    Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for the .dmp file. Security Event ID 4688 for procdump.exe process creation.

  3. Test 3: LSASS Access via Task Manager (Low-Fidelity Baseline Test)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Get-Process lsass in CommandLine. PowerShell ScriptBlock Log Event ID 4104 with the script content. Security Event ID 4688 for powershell.exe.
