T1556.001 Microsoft Sentinel · KQL

Detect Domain Controller Authentication in Microsoft Sentinel

Adversaries may patch the authentication process on a domain controller to bypass typical authentication mechanisms and enable access to accounts. Malware such as Skeleton Key is injected into LSASS on a domain controller, allowing any user to authenticate with a hardcoded backdoor password. The patch persists only in memory and is erased upon reboot, making detection during active exploitation critical. Chimera group has used this technique to allow login without valid credentials.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.001 Domain Controller Authentication
Canonical reference
https://attack.mitre.org/techniques/T1556/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SkeletonKeyIndicators = dynamic([
  "SkeletonKey", "skeleton key", "mimikatz", "misc::skeleton",
  "sekurlsa::pth", "lsadump::lsa"
]);
let SuspiciousLSASSAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessAccessed"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe", "csrss.exe", "werfault.exe", "taskmgr.exe",
    "services.exe", "lsm.exe", "svchost.exe", "winlogon.exe"
  )
| where InitiatingProcessGrantedAccessMask has_any ("0x1fffff", "0x1f3fff", "0x143a", "0x1010")
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName,
          GrantedAccess = InitiatingProcessGrantedAccessMask;
let DCProcessEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SkeletonKeyIndicators)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union SuspiciousLSASSAccess, DCProcessEvents
| sort by Timestamp desc
critical severity high confidence

Detects Skeleton Key-style domain controller authentication backdoor activity by monitoring for suspicious LSASS process access from unexpected processes (Sysmon Event ID 10 equivalent via DeviceEvents) and command-line indicators of Mimikatz skeleton key injection. Checks for high-privilege access masks targeting LSASS from non-system processes on domain controllers.

Data Sources

Process: Process AccessProcess: Process CreationMicrosoft Defender for Endpoint DeviceEvents

Required Tables

DeviceEventsDeviceProcessEvents

False Positives & Tuning

  • Legitimate endpoint detection and response (EDR) agents that access LSASS for memory scanning (e.g., CrowdStrike Falcon, Carbon Black) — verify via InitiatingProcessFileName allowlist
  • Windows Error Reporting (WerFault.exe) creating LSASS dumps for debugging — check for corresponding WER entries in Event Log
  • System Center Configuration Manager (SCCM) or Tanium performing inventory scans that briefly touch LSASS
  • Antivirus or HIPS software performing process inspection during signature updates
Download portable Sigma rule (.yml)

Other platforms for T1556.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz Skeleton Key Injection (Simulated — Non-DC)

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'misc::skeleton'. Security Event ID 4688 with ProcessCommandLine=mimikatz.exe. If run with sufficient privilege, Sysmon Event ID 10 will show lsass.exe being accessed with high privilege mask.

  2. Test 2Suspicious LSASS Access via ProcDump

    Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for the .dmp file. Security Event ID 4688 for procdump.exe process creation.

  3. Test 3LSASS Access via Task Manager (Low-Fidelity Baseline Test)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Get-Process lsass in CommandLine. PowerShell ScriptBlock Log Event ID 4104 with the script content. Security Event ID 4688 for powershell.exe.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1556.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1055Process InjectionT1003.001LSASS MemoryT1078.002Domain AccountsT1021.002SMB/Windows Admin SharesT1550.002Pass the HashT1207Rogue Domain Controller

Same Tactic: Credential Access

Popular Detections