title: Domain Controller Authentication (T1556.001)
id: df00tech-t1556-001
status: experimental
description: "Adversaries may patch the authentication process on a domain controller to bypass normal credential validation and gain access to any domain account. The Skeleton Key malware is injected into LSASS on a domain controller, where it patches the Kerberos and NTLM validation paths so that a hardcoded master password is accepted for every account, while each account's real password keeps working, so users notice nothing. The patch lives only in LSASS memory and is removed by a reboot, so it has to be caught while the DC is running, either from LSASS process-access telemetry or from its side effects on authentication (Skeleton Key only supports RC4, so Kerberos tickets issued with encryption type 0x17, RC4-HMAC, in a domain configured for AES are one such side effect). Chimera has used this technique to log in without valid credentials."
references:
  - https://attack.mitre.org/techniques/T1556/001/
  - https://df00tech.com/detections/T1556.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.001
# NOTE: logsource was auto-derived as process_creation. The false positives below all
# describe processes opening LSASS, which is process-access telemetry (Sysmon Event ID 10,
# or the equivalent EDR event), so process_access is used here. Adjust for your environment
# and scope the rule to domain controllers: LSASS is opened constantly on member hosts.
logsource:
  category: process_access
  product: windows
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on
  # df00tech. The selection below is a minimal stand-in consistent with the false positives:
  # any process opening a handle to LSASS, minus the Windows Error Reporting process.
  # Narrow it further on GrantedAccess (write rights such as 0x0020 PROCESS_VM_WRITE and
  # 0x0008 PROCESS_VM_OPERATION are needed to patch LSASS; a read-only scan is not) and on
  # an allowlist of your EDR and management agents.
  selection:
    TargetImage|endswith: '\lsass.exe'
  filter_wer:
    SourceImage|endswith: '\WerFault.exe'
  condition: selection and not filter_wer
falsepositives:
  - "Legitimate endpoint detection and response (EDR) agents that open LSASS for memory scanning (e.g., CrowdStrike Falcon, Carbon Black): allowlist them by InitiatingProcessFileName (SourceImage in Sigma process_access terms), preferably together with full path and signer, since a file name alone is trivial to spoof"
  - "Windows Error Reporting (WerFault.exe) creating LSASS dumps for debugging: check for the corresponding WER entries in the Event Log"
  - "System Center Configuration Manager (SCCM) or Tanium performing inventory scans that briefly touch LSASS"
  - "Antivirus or HIPS software performing process inspection during signature updates"
level: critical
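As an added worked example, not part of the df00tech rule or its KQL/SPL query, the following Python applies the rule's logic over constructed Sysmon Event ID 10 (ProcessAccess) records: it keeps only domain controllers, only handles to lsass.exe, drops the allowlisted source images named in falsepositives, and, going one step beyond the rule itself, requires access rights that permit writing to LSASS memory, which an in-memory patch such as Skeleton Key needs and a read-only memory scan or dump does not. The host list, the EDR image names, and the sample records are assumptions made up for the example.

```python
"""Detection logic for the rule above, as an added worked example (not df00tech's
KQL/SPL query). Runs over constructed Sysmon Event ID 10 (ProcessAccess) records."""
import ntpath
from dataclasses import dataclass

# Assumed domain-controller host list; in production derive it from AD.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Image file names to allowlist per the rule's falsepositives section. WerFault.exe
# is the Windows Error Reporting process; "edragent.exe" is a placeholder for whatever
# your EDR agent actually runs as. Matching on file name alone is spoofable; add full
# path and signer where your telemetry has them.
ALLOWLISTED_SOURCE_IMAGES = {"werfault.exe", "edragent.exe"}

# Process access rights (winnt.h). Patching LSASS needs write/operation rights;
# a read-only memory scan or dump needs only PROCESS_VM_READ.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class ProcessAccessEvent:
    computer: str
    source_image: str
    target_image: str
    granted_access: int  # Sysmon logs this as hex text, e.g. "0x1fffff"


def parse_sysmon_10(record: dict) -> ProcessAccessEvent:
    """Convert a Sysmon Event ID 10 record (dict of EventData fields) into a typed event."""
    return ProcessAccessEvent(
        computer=record["Computer"],
        source_image=record["SourceImage"],
        target_image=record["TargetImage"],
        granted_access=int(record["GrantedAccess"], 16),
    )


def is_suspicious_lsass_access(ev: ProcessAccessEvent) -> bool:
    """True when an un-allowlisted process opened LSASS on a DC with rights that
    allow modifying its memory."""
    if ev.computer.upper() not in DOMAIN_CONTROLLERS:
        return False  # LSASS access on member hosts is ubiquitous; this rule is DC-scoped
    if ntpath.basename(ev.target_image).lower() != "lsass.exe":
        return False
    if ntpath.basename(ev.source_image).lower() in ALLOWLISTED_SOURCE_IMAGES:
        return False
    return bool(ev.granted_access & WRITE_RIGHTS)


def detect(records: list[dict]) -> list[ProcessAccessEvent]:
    """Return the events that the rule would alert on."""
    return [ev for ev in map(parse_sysmon_10, records) if is_suspicious_lsass_access(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Unknown binary on a DC opening LSASS with full access: what an in-memory patch looks like.
    {"Computer": "DC01", "SourceImage": r"C:\Users\Public\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # EDR agent reading LSASS memory on a DC: allowlisted, and read-only anyway.
    {"Computer": "DC01", "SourceImage": r"C:\Program Files\EDR\edragent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # WerFault dumping LSASS: allowlisted per the falsepositives section.
    {"Computer": "DC02", "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # Same access pattern on a member server: out of scope for this DC rule.
    {"Computer": "FILE01", "SourceImage": r"C:\Users\Public\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # Read-only access from an unknown tool on a DC: worth hunting as credential
    # dumping, but not an authentication patch, so this rule does not fire.
    {"Computer": "DC01", "SourceImage": r"C:\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(f"ALERT {hit.computer}: {hit.source_image} -> lsass.exe "
              f"(GrantedAccess=0x{hit.granted_access:x})")
```

Only the first sample record fires. The write-rights check is what separates the alert from the read-only procdump case; because the patch exists only in memory, that single event may be the only durable trace of the backdoor until the next reboot, so treat a hit on a DC as critical and collect LSASS memory before remediating.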
