Detect Domain Controller Authentication in IBM QRadar

Adversaries may patch the authentication process on a domain controller to bypass the normal authentication mechanisms and gain access to accounts. Skeleton Key is the canonical example: the malware is injected into LSASS on a domain controller and patches it so that a hardcoded master password is accepted for any domain account, while each account's real password keeps working, so users notice nothing. The patch lives only in LSASS memory and disappears on reboot, which means the domain stays compromised for as long as the DC stays up and detection during active use, rather than forensic recovery later, is what matters. The Chimera group has used this technique to log in without valid credentials.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.001 Domain Controller Authentication
Canonical reference
https://attack.mitre.org/techniques/T1556/001/

QRadar Detection Query

IBM QRadar (AQL)

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS SourceUser,
  "SourceImage",
  "TargetImage",
  "GrantedAccess",
  "CommandLine",
  QIDNAME(qid) AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND (
    (
      "eventid" = '10'
      AND "TargetImage" ILIKE '%\lsass.exe'
      AND "SourceImage" NOT ILIKE '%\MsMpEng.exe'
      AND "SourceImage" NOT ILIKE '%\csrss.exe'
      AND "SourceImage" NOT ILIKE '%\werfault.exe'
      AND "SourceImage" NOT ILIKE '%\taskmgr.exe'
      AND "SourceImage" NOT ILIKE '%\services.exe'
      AND "SourceImage" NOT ILIKE '%\lsm.exe'
      AND "SourceImage" NOT ILIKE '%\svchost.exe'
      AND "SourceImage" NOT ILIKE '%\winlogon.exe'
      AND LOWER("GrantedAccess") IN ('0x1fffff', '0x1f3fff', '0x143a', '0x1010')
    )
    OR
    (
      "eventid" = '1'
      AND (
        "CommandLine" ILIKE '%misc::skeleton%'
        OR "CommandLine" ILIKE '%skeleton key%'
        OR "CommandLine" ILIKE '%skeletonkey%'
        OR "CommandLine" ILIKE '%mimikatz%'
        OR "CommandLine" ILIKE '%sekurlsa::pth%'
        OR "CommandLine" ILIKE '%lsadump::lsa%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
Severity: critical. Confidence: high.

Detects Skeleton Key-style LSASS tampering in IBM QRadar using AQL over Sysmon fields exposed as custom properties. The query is an OR of two independent conditions, not a correlation: Sysmon Event 10 (ProcessAccess) where a process outside the allowlist opens lsass.exe with an access mask typical of injection or credential dumping (0x1fffff, 0x1f3fff and 0x143a all carry the write and thread-creation rights needed to patch LSASS; 0x1010 is the read-only mask Mimikatz uses to dump credentials), and Sysmon Event 1 (ProcessCreate) whose command line carries Mimikatz or Skeleton Key strings. Sysmon writes GrantedAccess in upper-case hex (for example 0x1FFFFF), so the mask comparison is made on LOWER("GrantedAccess"); ILIKE is already case-insensitive, so the command-line matches need no LOWER(). Requires QRadar DSM Editor custom properties that extract SourceImage, TargetImage, GrantedAccess, CommandLine and eventid from the Sysmon XML payload.

Data Sources

  • IBM QRadar with Microsoft Sysmon DSM
  • Windows Event Forwarding (WEF) to QRadar

Required Tables

events

False Positives & Tuning

  • Custom property extraction for TargetImage and GrantedAccess in the QRadar DSM Editor may differ across Sysmon schema versions; validate the extraction regexes against known LSASS accesses in a test environment before relying on the rule in production.
  • Third-party security products (EDR agents, vulnerability scanners, backup agents) that are not in the NOT ILIKE exclusion list generate high-volume false positives. Inventory legitimate accessors first with: SELECT "SourceImage", COUNT(*) AS hits FROM events WHERE "eventid" = '10' AND "TargetImage" ILIKE '%\lsass.exe' GROUP BY "SourceImage" ORDER BY hits DESC LAST 7 DAYS
  • LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%' assumes Sysmon events arrive under a dedicated Sysmon log source type. If they are forwarded through the Microsoft Windows Security Event Log DSM instead, this filter silently drops every event; confirm which log source type your Sysmon events map to before deploying.
  • The Event 1 branch only catches unrenamed Mimikatz binaries and module names typed on the command line; a renamed binary driven interactively or from a script is caught only by the Event 10 branch, so the access-mask list, not the string list, is the part to protect from over-tuning.
  • Skeleton Key is only meaningful on domain controllers. Inconsistent Sysmon deployment across DCs causes false negatives rather than false positives; verify Sysmon is installed and forwarding on every DC before treating the absence of alerts as a safety signal.
Testing Methodology

Validate this detection with three Atomic Red Team-style tests. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz Skeleton Key Injection (Simulated, Non-DC)

    Expected signal: Sysmon Event ID 1 (ProcessCreate) with Image ending in mimikatz.exe and CommandLine containing 'misc::skeleton'; Security Event ID 4688 with NewProcessName ending in mimikatz.exe (the command line appears in 4688 only if process creation auditing is configured to include it). If run with sufficient privilege, Sysmon Event ID 10 shows mimikatz.exe opening lsass.exe with a write-capable access mask; check that the observed GrantedAccess value is in the rule's list, since the exact mask depends on the Mimikatz build. The Event 1 branch fires on the command line regardless.

  2. Test 2: Suspicious LSASS Access via ProcDump

    Expected signal: Sysmon Event ID 10 (ProcessAccess) with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1FFFFF; Sysmon Event ID 11 (FileCreate) for the .dmp file; Security Event ID 4688 for procdump.exe. Only the Event 10 branch fires, since the ProcDump command line matches none of the rule's strings.

  3. Test 3: LSASS Access via Task Manager (Low-Fidelity Baseline Test)

    Expected signal: Sysmon Event ID 1 (ProcessCreate) for powershell.exe with Get-Process lsass in CommandLine; PowerShell ScriptBlock Log Event ID 4104 with the script content; Security Event ID 4688 for powershell.exe. Neither a query-only handle from Get-Process nor an allowlisted taskmgr.exe should produce an alert; this test confirms that telemetry is flowing and the exclusions behave, not that the rule fires.
