T1556.001 Splunk · SPL

Detect Domain Controller Authentication in Splunk

Adversaries may patch the authentication process on a domain controller to bypass typical authentication mechanisms and enable access to accounts. Malware such as Skeleton Key is injected into LSASS on a domain controller, allowing any user to authenticate with a hardcoded backdoor password. The patch persists only in memory and is erased upon reboot, making detection during active exploitation critical. Chimera group has used this technique to allow login without valid credentials.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.001 Domain Controller Authentication
Canonical reference
https://attack.mitre.org/techniques/T1556/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
  TargetImage="*\\lsass.exe"
  NOT (SourceImage="*\\MsMpEng.exe" OR SourceImage="*\\csrss.exe" OR SourceImage="*\\werfault.exe"
    OR SourceImage="*\\taskmgr.exe" OR SourceImage="*\\services.exe" OR SourceImage="*\\lsm.exe"
    OR SourceImage="*\\svchost.exe" OR SourceImage="*\\winlogon.exe" OR SourceImage="*\\wmiprvse.exe")
| eval HighPrivAccess=if(match(GrantedAccess, "^0x1[f3][0-9a-f]{4}$"), 1, 0)
| eval SkeletonKeyTool=if(match(lower(SourceImage), "(mimikatz|skeleton)"), 1, 0)
| where HighPrivAccess=1 OR SkeletonKeyTool=1
| eval RiskScore=HighPrivAccess + SkeletonKeyTool
| table _time, host, SourceImage, SourceCommandLine, TargetImage, GrantedAccess, SourceUser, RiskScore
| sort - _time
| union
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (CommandLine="*misc::skeleton*" OR CommandLine="*skeleton key*" OR CommandLine="*SkeletonKey*")
  | table _time, host, Image, CommandLine, User]
critical severity high confidence

Detects Skeleton Key domain controller backdoor injection using Sysmon Event ID 10 (Process Access) targeting lsass.exe from unexpected source processes with high-privilege access masks, combined with Sysmon Event ID 1 (Process Create) for known Skeleton Key tool command-line patterns. The union combines both detection approaches into a single alert stream.

Data Sources

Process: Process AccessProcess: Process CreationSysmon Event ID 10Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • EDR agents accessing LSASS for memory scanning — build allowlist of known EDR process paths
  • WerFault.exe during system crash dump creation — correlate with System Event Log crash events
  • Task Manager used by administrators to view LSASS memory on non-DC systems
  • Vulnerability scanners performing privilege assessment against LSASS
Download portable Sigma rule (.yml)

Other platforms for T1556.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz Skeleton Key Injection (Simulated — Non-DC)

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'misc::skeleton'. Security Event ID 4688 with ProcessCommandLine=mimikatz.exe. If run with sufficient privilege, Sysmon Event ID 10 will show lsass.exe being accessed with high privilege mask.

  2. Test 2Suspicious LSASS Access via ProcDump

    Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for the .dmp file. Security Event ID 4688 for procdump.exe process creation.

  3. Test 3LSASS Access via Task Manager (Low-Fidelity Baseline Test)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Get-Process lsass in CommandLine. PowerShell ScriptBlock Log Event ID 4104 with the script content. Security Event ID 4688 for powershell.exe.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1556.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1055Process InjectionT1003.001LSASS MemoryT1078.002Domain AccountsT1021.002SMB/Windows Admin SharesT1550.002Pass the HashT1207Rogue Domain Controller

Same Tactic: Credential Access

Popular Detections