T1556.001 CrowdStrike LogScale · LogScale

Detect Domain Controller Authentication in CrowdStrike LogScale

Adversaries may patch the authentication process on a domain controller to bypass normal authentication and gain access to arbitrary accounts. Skeleton Key is the canonical example: with domain administrator rights, the attacker injects a patch into LSASS on a domain controller so that any user can authenticate with a hard-coded backdoor password, while users' legitimate passwords continue to work and nothing is written to disk. Because the patch lives only in LSASS memory and is lost on reboot, detecting the injection while it is happening (the handle open against lsass.exe, the tool that performs it) matters more than post-hoc artefact hunting. The Chimera group has used this technique to log in without valid credentials.

MITRE ATT&CK

Tactic
Credential Access, Defense Evasion, Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.001 Domain Controller Authentication
Canonical reference
https://attack.mitre.org/techniques/T1556/001/

LogScale Detection Query

CrowdStrike LogScale query (CQL)

// Scope to the two Falcon event types the rule consumes
in(field="#event_simpleName", values=["OpenProcessApiCall", "ProcessRollup2"])
| (
    // Branch 1: a handle opened to lsass.exe with an injection mask (0x143a =
    // CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE | QUERY_INFORMATION |
    // QUERY_LIMITED_INFORMATION), a memory-read mask (0x1010) or full access
    // (0x1f3fff, 0x1fffff), excluding well-known Windows and AV source processes.
    // The /i flag already covers upper/lower-case hex, so each mask is listed once.
    (#event_simpleName="OpenProcessApiCall"
     and TargetImageFileName=/(?i)\\lsass\.exe$/
     and GrantedAccess=/^0x(1fffff|1f3fff|143a|1010)$/i
     and not ImageFileName=/(?i)\\(MsMpEng|csrss|werfault|taskmgr|services|lsm|svchost|winlogon|wmiprvse)\.exe$/)
    or
    // Branch 2: a process launched with Mimikatz / Skeleton Key command-line syntax
    (#event_simpleName="ProcessRollup2"
     and CommandLine=/(?i)(misc::skeleton|skeleton\.key|SkeletonKey|sekurlsa::pth|lsadump::lsa|mimikatz)/)
  )
// Label each match so the two branches can be triaged separately
| case {
    #event_simpleName="OpenProcessApiCall" | DetectionType := "LSASS High Privilege Access";
    * | DetectionType := "Skeleton Key Tool Execution";
  }
| sort(_time, order=desc)
| table([_time, ComputerName, UserName, ImageFileName, CommandLine,
         TargetImageFileName, GrantedAccess, DetectionType], limit=200)
Severity: critical · Confidence: high

Detects Skeleton Key-style LSASS tampering in CrowdStrike LogScale by combining two signals: OpenProcessApiCall events in which a process outside the exclusion list opens lsass.exe with an injection, memory-read or full-access GrantedAccess mask, and ProcessRollup2 events whose command line contains known Mimikatz/Skeleton Key syntax. Each match is labelled with a DetectionType so analysts can triage the handle-open and tool-execution cases separately. Requires a Falcon sensor policy with enhanced process access event collection enabled; OpenProcessApiCall visibility may need to be explicitly switched on under the Process Activity settings, so confirm the event actually arrives in LogScale before trusting the first branch.

Data Sources

  • CrowdStrike Falcon Sensor (Enhanced Process Access visibility)
  • CrowdStrike LogScale (Humio)

Required Tables

  • OpenProcessApiCall
  • ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor processes (CSFalconService.exe, CSAgent.exe) may generate OpenProcessApiCall events against LSASS during in-memory scanning. These are typically suppressed at the sensor level but can surface in raw LogScale queries; review the distinct ImageFileName values over the first 24 hours and add further not-conditions as needed.
  • LogScale regex matching is case-sensitive by default; the /i flag on the GrantedAccess pattern covers hex case variation (0x143A vs 0x143a), so each mask needs to appear only once in the alternation. Verify that your Falcon sensor version reports access masks as a 0x-prefixed hex string in a consistent format before relying on the exact-match pattern.
  • ProcessRollup2 events matching the mimikatz pattern may fire on security awareness training material or red team tool archives where "mimikatz" appears in a file path on the command line rather than as the executing tool; validate with ParentBaseFileName and UserName context before escalating to an incident.
  • The Skeleton Key patch is only meaningful on a domain controller. If the OpenProcessApiCall branch is noisy fleet-wide, constrain that branch to domain controllers (for example by ComputerName, or by Falcon's ProductType field where present, with 2 denoting a domain controller) while keeping the ProcessRollup2 branch fleet-wide, since Mimikatz execution is worth surfacing on any host.
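To check the query's matching logic offline, the following added Python example (not CrowdStrike's code and not part of this page's detection package) re-implements both branches over constructed Falcon-style events: the GrantedAccess mask allow-list, the source-process exclusions and the command-line pattern. The event dictionaries, host names and paths are made up for the example. Two things go slightly beyond the query: the mask is compared as a parsed integer rather than a hex string, which covers the 0x143A/0x143a variation from the tuning notes, and decode_mask() expands a mask into the process rights it grants, making visible why 0x143a (CREATE_THREAD plus VM_WRITE, i.e. remote thread injection) and 0x1010 (VM_READ, i.e. memory reads) are singled out.

```python
"""T1556.001 LogScale rule logic re-implemented over constructed Falcon-style events.

Added example, not CrowdStrike code. Field names mirror the query on this page
(event_simpleName, ImageFileName, TargetImageFileName, GrantedAccess, CommandLine).
"""
import re

# Process access rights from winnt.h, used to explain why a mask is suspicious.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0004: "SET_SESSIONID",
    0x0008: "VM_OPERATION", 0x0010: "VM_READ", 0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE", 0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA",
    0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# The same four masks the query's GrantedAccess alternation accepts.
SUSPICIOUS_MASKS = {0x1FFFFF, 0x1F3FFF, 0x143A, 0x1010}

LSASS_RE = re.compile(r"\\lsass\.exe$", re.I)
EXCLUDED_SOURCE_RE = re.compile(
    r"\\(MsMpEng|csrss|werfault|taskmgr|services|lsm|svchost|winlogon|wmiprvse)\.exe$",
    re.I,
)
CMDLINE_RE = re.compile(
    r"(misc::skeleton|skeleton\.key|SkeletonKey|sekurlsa::pth|lsadump::lsa|mimikatz)",
    re.I,
)


def parse_mask(value):
    """Parse a GrantedAccess value ("0x143A", "0x143a", "143a") to an int, or None."""
    try:
        return int(str(value), 16)
    except ValueError:
        return None


def decode_mask(value):
    """Return the names of the process rights set in a GrantedAccess value."""
    mask = parse_mask(value) or 0
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def classify(event):
    """Return the query's DetectionType for one event, or None if it would not match."""
    name = event.get("event_simpleName")
    if name == "OpenProcessApiCall":
        mask = parse_mask(event.get("GrantedAccess", ""))
        if (mask in SUSPICIOUS_MASKS
                and LSASS_RE.search(event.get("TargetImageFileName", ""))
                and not EXCLUDED_SOURCE_RE.search(event.get("ImageFileName", ""))):
            return "LSASS High Privilege Access"
    elif name == "ProcessRollup2":
        if CMDLINE_RE.search(event.get("CommandLine", "")):
            return "Skeleton Key Tool Execution"
    return None


# Constructed sample events (not real telemetry); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"event_simpleName": "OpenProcessApiCall", "ComputerName": "DC01",
     "ImageFileName": "C:\\Users\\adm\\Desktop\\mk.exe",
     "TargetImageFileName": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x143A"},                     # injection mask, upper-case hex
    {"event_simpleName": "OpenProcessApiCall", "ComputerName": "DC01",
     "ImageFileName": "C:\\Windows\\System32\\svchost.exe",
     "TargetImageFileName": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1fffff"},                   # excluded source process
    {"event_simpleName": "OpenProcessApiCall", "ComputerName": "DC01",
     "ImageFileName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImageFileName": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1000"},                     # query-level mask, not in the list
    {"event_simpleName": "ProcessRollup2", "ComputerName": "DC01",
     "CommandLine": 'mimikatz.exe "privilege::debug" "misc::skeleton" exit'},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS07",
     "CommandLine": "C:\\Windows\\explorer.exe /select,C:\\Training\\mimikatz_awareness.pdf"},
]


def evaluate(events):
    """Return (ComputerName, DetectionType) for every event the rule would surface."""
    return [(e["ComputerName"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for host, label in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {label}")
    print("0x143a grants:", ", ".join(decode_mask("0x143a")))
```

The last sample event reproduces the path-only false positive from the tuning list: the explorer.exe command line matches the mimikatz pattern and is labelled exactly like the real tool launch, which is why the label alone is not a verdict and parent-process and user context still have to be checked.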

Testing Methodology

Validate this detection against the three Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are described in Sysmon and Windows Security log terms; in Falcon telemetry the equivalents are the OpenProcessApiCall (handle open) and ProcessRollup2 (process creation) events the query consumes.

  1. Test 1: Mimikatz Skeleton Key Injection (Simulated, Non-DC)

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe and CommandLine containing 'misc::skeleton'. Security Event ID 4688 with ProcessCommandLine=mimikatz.exe. If run with sufficient privilege, Sysmon Event ID 10 will show lsass.exe being accessed with a high-privilege mask. In LogScale this should surface as a ProcessRollup2 match labelled "Skeleton Key Tool Execution" and, with sufficient privilege, an OpenProcessApiCall match labelled "LSASS High Privilege Access". On a non-DC host the patch has no effect on domain authentication; the test only exercises the telemetry.

  2. Test 2: Suspicious LSASS Access via ProcDump

    Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1fffff (PROCESS_ALL_ACCESS). Sysmon Event ID 11: FileCreate for the .dmp file. Security Event ID 4688 for procdump.exe process creation. In LogScale this should surface as an OpenProcessApiCall match labelled "LSASS High Privilege Access", since 0x1fffff is in the GrantedAccess allow-list and procdump.exe is not an excluded source.

  3. Test 3: LSASS Enumeration via PowerShell Get-Process (Low-Fidelity Baseline Test)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Get-Process lsass in CommandLine. PowerShell ScriptBlock Log Event ID 4104 with the script content. Security Event ID 4688 for powershell.exe. This is a negative baseline: Get-Process requests only query-level access to the process, so any OpenProcessApiCall event it produces should carry a mask outside the allow-list and the query should not fire. Use it to confirm that routine handle opens against lsass.exe are being ignored.
