Detect Domain Controller Authentication in Sumo Logic CSE
Adversaries may patch the authentication process on a domain controller to bypass the normal authentication mechanisms and gain access to accounts. Malware such as Skeleton Key is injected into LSASS on a domain controller, allowing any user to authenticate with a hardcoded backdoor password. The patch persists only in memory and is erased on reboot, which makes detection during active exploitation critical. The Chimera group has used this technique to log in without valid credentials.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.001 Domain Controller Authentication
- Canonical reference
- https://attack.mitre.org/techniques/T1556/001/
Sumo Detection Query
_sourceCategory="windows/sysmon" (EventID=10 OR EventID=1)
| parse regex "EventID=(?P<EventID>\d+)" nodrop
| parse regex "TargetImage=(?P<TargetImage>[^\r\n]+)" nodrop
| parse regex "SourceImage=(?P<SourceImage>[^\r\n]+)" nodrop
| parse regex "GrantedAccess=(?P<GrantedAccess>[^\r\n]+)" nodrop
| parse regex "CommandLine=(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "Computer=(?P<Computer>[^\r\n]+)" nodrop
| where (
EventID = "10"
and TargetImage matches "*\lsass.exe"
and GrantedAccess in ("0x1fffff", "0x1f3fff", "0x143a", "0x1010", "0x143A")
and !(SourceImage matches "*\MsMpEng.exe"
or SourceImage matches "*\csrss.exe"
or SourceImage matches "*\werfault.exe"
or SourceImage matches "*\taskmgr.exe"
or SourceImage matches "*\services.exe"
or SourceImage matches "*\lsm.exe"
or SourceImage matches "*\svchost.exe"
or SourceImage matches "*\winlogon.exe")
)
or (
EventID = "1"
and (
CommandLine matches "*misc::skeleton*"
or CommandLine matches "*skeleton key*"
or CommandLine matches "*SkeletonKey*"
or CommandLine matches "*mimikatz*"
or CommandLine matches "*sekurlsa::pth*"
or CommandLine matches "*lsadump::lsa*"
)
)
| fields _messageTime, Computer, EventID, SourceImage, TargetImage, GrantedAccess, CommandLine
| sort by _messageTime desc
Detects Skeleton Key LSASS injection in Sumo Logic by parsing Sysmon XML event data with nodrop regex extraction (events in which a pattern does not match are kept with the field empty rather than dropped). Filters on high-privilege GrantedAccess masks against lsass.exe for EventID 10 and on known Mimikatz/Skeleton Key command-line indicators for EventID 1. Adjust _sourceCategory to match your Sysmon ingestion path. For Sumo Logic Cloud SIEM Enterprise, replace the parse regex blocks with normalized schema fields (device_process_name, commandLine).
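To make the query's logic testable offline, the following added example (not part of the original page and not Sumo Logic code) reimplements the same field extraction, where-clause and the "count by EventID" parse-coverage audit from the tuning notes in Python over constructed Sysmon-style events. The sample events, the computer name DC01 and the file paths are constructed placeholders; the case-insensitive comparisons are a choice made here, not a statement about how Sumo's matches operator behaves.

```python
import re
from collections import defaultdict

# Same extraction patterns as the query's `parse regex ... nodrop` lines.
# A field that does not match is kept as None, mirroring nodrop.
FIELD_PATTERNS = {
    "EventID": re.compile(r"EventID=(\d+)"),
    "TargetImage": re.compile(r"TargetImage=([^\r\n]+)"),
    "SourceImage": re.compile(r"SourceImage=([^\r\n]+)"),
    "GrantedAccess": re.compile(r"GrantedAccess=([^\r\n]+)"),
    "CommandLine": re.compile(r"CommandLine=([^\r\n]+)"),
    "Computer": re.compile(r"Computer=([^\r\n]+)"),
}

# Access masks from the query, compared lower-cased (so 0x143a/0x143A collapse).
HIGH_PRIV_ACCESS = {"0x1fffff", "0x1f3fff", "0x143a", "0x1010"}
# Source processes the query excludes, compared by lower-cased basename.
EXCLUDED_SOURCES = {"msmpeng.exe", "csrss.exe", "werfault.exe", "taskmgr.exe",
                    "services.exe", "lsm.exe", "svchost.exe", "winlogon.exe"}
# Command-line indicators from the EventID 1 branch of the query.
CMDLINE_INDICATORS = ("misc::skeleton", "skeleton key", "skeletonkey",
                      "mimikatz", "sekurlsa::pth", "lsadump::lsa")
# Fields each branch of the rule depends on; used by the parse-coverage audit.
REQUIRED_FIELDS = {"10": ("SourceImage", "TargetImage", "GrantedAccess"),
                   "1": ("CommandLine",)}


def parse_event(raw):
    """Extract the rule's fields from one raw Sysmon event (key=value lines)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(raw)
        fields[name] = match.group(1).strip() if match else None
    return fields


def basename(path):
    """Lower-cased file name of a Windows path; '' when the field is missing."""
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def is_suspicious(ev):
    """Apply the query's where-clause to one parsed event."""
    if ev["EventID"] == "10":
        return (basename(ev["TargetImage"]) == "lsass.exe"
                and (ev["GrantedAccess"] or "").lower() in HIGH_PRIV_ACCESS
                and basename(ev["SourceImage"]) not in EXCLUDED_SOURCES)
    if ev["EventID"] == "1":
        cmd = (ev["CommandLine"] or "").lower()
        return any(indicator in cmd for indicator in CMDLINE_INDICATORS)
    return False


def detect(raw_events):
    """Return the parsed events that match the rule, in input order."""
    return [ev for ev in map(parse_event, raw_events) if is_suspicious(ev)]


def parse_coverage(raw_events):
    """Per EventID: events seen and events missing a field the rule needs
    (the 'count by EventID' audit suggested in the tuning notes)."""
    stats = defaultdict(lambda: {"total": 0, "unparsed": 0})
    for ev in map(parse_event, raw_events):
        eid = ev["EventID"] or "unknown"
        stats[eid]["total"] += 1
        if any(ev[f] is None for f in REQUIRED_FIELDS.get(eid, ())):
            stats[eid]["unparsed"] += 1
    return dict(stats)


# Constructed sample events (not real telemetry), shaped like Sysmon
# key=value output; DC01 and the tool paths are placeholders.
SAMPLE_EVENTS = [
    "EventID=10\nComputer=DC01\nSourceImage=C:\\Tools\\procdump.exe\n"
    "TargetImage=C:\\Windows\\System32\\lsass.exe\nGrantedAccess=0x1FFFFF",
    "EventID=10\nComputer=DC01\nSourceImage=C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe\n"
    "TargetImage=C:\\Windows\\System32\\lsass.exe\nGrantedAccess=0x1fffff",
    "EventID=10\nComputer=DC01\nSourceImage=C:\\Windows\\explorer.exe\n"
    "TargetImage=C:\\Windows\\System32\\lsass.exe\nGrantedAccess=0x1000",
    "EventID=1\nComputer=DC01\nImage=C:\\Tools\\mimikatz.exe\n"
    "CommandLine=mimikatz.exe \"privilege::debug\" \"misc::skeleton\"\n"
    "ParentCommandLine=cmd.exe",
    "EventID=1\nComputer=DC01\nImage=C:\\Windows\\System32\\notepad.exe\n"
    "CommandLine=notepad.exe C:\\notes.txt\nParentCommandLine=explorer.exe",
    # Malformed event: TargetImage never parsed, so nodrop leaves it empty.
    "EventID=10\nComputer=DC01\nSourceImage=C:\\Tools\\unknown.exe\nGrantedAccess=0x1fffff",
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(ev["EventID"], ev["Computer"], ev["SourceImage"], ev["CommandLine"])
    print(parse_coverage(SAMPLE_EVENTS))
```

Running it flags the procdump-to-lsass access and the mimikatz command line, leaves the MsMpEng.exe access (excluded source) and the 0x1000 access (mask not in the list) alone, and the coverage audit reports one EventID 10 event whose TargetImage never parsed, which is exactly the kind of silent gap the tuning note warns about.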
Data Sources
Required Tables
False Positives & Tuning
- Regex parsing with nodrop may leave SourceImage or TargetImage empty for events with unexpected Sysmon XML formatting; audit parse coverage with a count by EventID query before relying on this detection in production.
- Sumo Logic Cloud SIEM Enterprise uses a normalized schema with different field names than raw log parsing; if using CSE, replace regex-parsed field references with normalized equivalents such as device_process_name and commandLine.
- IT operations tools invoking WMI or COM-based remote management may access LSASS indirectly through processes not covered by the exclusion list; check for additional WMI worker process names beyond wmiprvse.exe in your environment.
Other platforms for T1556.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Mimikatz Skeleton Key Injection (Simulated — Non-DC)
Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'misc::skeleton'. Security Event ID 4688 with ProcessCommandLine=mimikatz.exe. If run with sufficient privilege, Sysmon Event ID 10 will show lsass.exe being accessed with high privilege mask.
- Test 2: Suspicious LSASS Access via ProcDump
Expected signal: Sysmon Event ID 10: ProcessAccess with TargetImage=lsass.exe, SourceImage=procdump.exe, GrantedAccess=0x1fffff. Sysmon Event ID 11: FileCreate for the .dmp file. Security Event ID 4688 for procdump.exe process creation.
- Test 3: LSASS Access via Task Manager (Low-Fidelity Baseline Test)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Get-Process lsass in CommandLine. PowerShell ScriptBlock Log Event ID 4104 with the script content. Security Event ID 4688 for powershell.exe.
References
- https://attack.mitre.org/techniques/T1556/001/
- https://www.secureworks.com/research/skeleton-key-malware-analysis
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.001/T1556.001.md
- https://blog.gentilkiwi.com/securite/mimikatz/skeleton-key
- https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
- https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea