Modify Authentication Process: Domain Controller Authentication

Created the Friday 10 February 2023. Updated 7 months, 3 weeks ago.

Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.

Technique Identifier

T1556.001

Technique Tags

Credential Access Defense Evasion Persistence bypass authentication mechanisms inject false credentials Skeleton key LSASS domain authentication NTLM authentication enterprise domain controller authentication

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Modify Authentication Process: Domain Controller Authentication, Sub-technique T1556.001 - Enterprise | MITRE ATT&CK®