T1556.001 Domain Controller Authentication Mappings

Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user's account and/or credentials (ex: Skeleton Key). Skeleton Key works by patching the authentication process (LSASS) on an enterprise domain controller in memory so that, alongside each account's real password, an attacker-chosen password is also accepted. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account, while legitimate users continue to log on normally, until the patch is erased from memory by a reboot of the domain controller. Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)
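Because the patch lives only in LSASS memory, the practical way to spot it is in the authentication telemetry the domain controller still emits rather than on disk. The known Skeleton Key implementations downgrade the Kerberos session to RC4-HMAC so that the injected credential can be used, which is why an account that normally receives AES tickets suddenly receiving RC4 tickets from one particular DC is the usual signal (and is what Defender for Identity's skeleton-key encryption-downgrade alert keys on). The script below is an added example, not code from the ATT&CK page, from CTID, or from the Dell report: it assumes Kerberos ticket events (Windows Event IDs 4768/4769, which log the account, the issuing DC and a "Ticket Encryption Type") have already been exported into the dict layout shown, and the account names, DC names and records are constructed for illustration.

```python
"""Flag a DC that issues RC4 Kerberos tickets to accounts that normally get AES.

Added example (not from the ATT&CK page or the Dell Skeleton Key report).
Assumed input: Event 4768/4769 records already flattened to dicts with
'account', 'dc' and 'etype' keys. Sample records below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Kerberos encryption-type values as they appear in 4768/4769 (RFC 3961 numbers).
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12
AES_ETYPES = {AES128_CTS_HMAC_SHA1, AES256_CTS_HMAC_SHA1}

# Constructed "known clean" history used to learn each account's normal etypes.
HISTORY = [
    {"account": "alice", "dc": "DC01", "etype": AES256_CTS_HMAC_SHA1},
    {"account": "alice", "dc": "DC02", "etype": AES256_CTS_HMAC_SHA1},
    {"account": "bob", "dc": "DC01", "etype": AES256_CTS_HMAC_SHA1},
    {"account": "svc_backup", "dc": "DC02", "etype": AES128_CTS_HMAC_SHA1},
    {"account": "legacyapp", "dc": "DC01", "etype": RC4_HMAC},  # legitimately RC4-only
]

# Constructed "today" records: DC02 hands RC4 to several AES-only accounts.
RECORDS = [
    {"account": "alice", "dc": "DC01", "etype": AES256_CTS_HMAC_SHA1},
    {"account": "alice", "dc": "DC02", "etype": RC4_HMAC},        # downgrade
    {"account": "bob", "dc": "DC02", "etype": RC4_HMAC},          # downgrade
    {"account": "svc_backup", "dc": "DC02", "etype": RC4_HMAC},   # downgrade
    {"account": "legacyapp", "dc": "DC02", "etype": RC4_HMAC},    # normal for this account
    {"account": "carol", "dc": "DC02", "etype": RC4_HMAC},        # no baseline: skipped
    {"account": "bob", "dc": "DC01", "etype": AES256_CTS_HMAC_SHA1},
]


def build_baseline(history: Iterable[Dict]) -> Dict[str, Set[int]]:
    """Per account (case-folded), the set of etypes seen in the clean period."""
    baseline: Dict[str, Set[int]] = defaultdict(set)
    for rec in history:
        baseline[rec["account"].lower()].add(rec["etype"])
    return dict(baseline)


def find_downgrades(records: Iterable[Dict], baseline: Dict[str, Set[int]]) -> List[Dict]:
    """Return records where an account that only ever used AES was issued RC4."""
    hits = []
    for rec in records:
        seen = baseline.get(rec["account"].lower())
        if seen is None:
            continue  # never observed clean: cannot call it a downgrade
        if seen <= AES_ETYPES and rec["etype"] == RC4_HMAC:
            hits.append(rec)
    return hits


def suspect_dcs(hits: Iterable[Dict], min_accounts: int = 2) -> List[str]:
    """Group downgrades by issuing DC.

    Skeleton Key patches one LSASS, so the tell is a single DC downgrading
    several unrelated accounts; one account on RC4 may just be a legacy client.
    """
    by_dc: Dict[str, Set[str]] = defaultdict(set)
    for hit in hits:
        by_dc[hit["dc"]].add(hit["account"].lower())
    return sorted(dc for dc, accounts in by_dc.items() if len(accounts) >= min_accounts)


if __name__ == "__main__":
    downgrades = find_downgrades(RECORDS, build_baseline(HISTORY))
    for hit in downgrades:
        print(f"downgrade: {hit['account']} got RC4 from {hit['dc']}")
    print("suspect DCs:", suspect_dcs(downgrades))
```

Feed it a baseline from a period before the suspected compromise; a DC that shows up in `suspect_dcs` is the one to image LSASS on (or reboot, which removes the patch but also the evidence). Tune `min_accounts` to the size of the domain so that a single misconfigured client does not page anyone.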


NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
AC-02 | Account Management | Protects | T1556.001 | Domain Controller Authentication |
AC-20 | Use of External Systems | Protects | T1556.001 | Domain Controller Authentication |
AC-03 | Access Enforcement | Protects | T1556.001 | Domain Controller Authentication |
AC-05 | Separation of Duties | Protects | T1556.001 | Domain Controller Authentication |
AC-06 | Least Privilege | Protects | T1556.001 | Domain Controller Authentication |
AC-07 | Unsuccessful Logon Attempts | Protects | T1556.001 | Domain Controller Authentication |
CA-07 | Continuous Monitoring | Protects | T1556.001 | Domain Controller Authentication |
CM-05 | Access Restrictions for Change | Protects | T1556.001 | Domain Controller Authentication |
CM-06 | Configuration Settings | Protects | T1556.001 | Domain Controller Authentication |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1556.001 | Domain Controller Authentication |
IA-05 | Authenticator Management | Protects | T1556.001 | Domain Controller Authentication |
SC-39 | Process Isolation | Protects | T1556.001 | Domain Controller Authentication |
SI-04 | System Monitoring | Protects | T1556.001 | Domain Controller Authentication |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1556.001 | Domain Controller Authentication |

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DEF-SECA-E3 | Security Alerts | Technique Scores | T1556.001 | Domain Controller Authentication |

Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, matching the phases of a typical cyber-attack kill chain:
- Reconnaissance and discovery alerts
- Persistence and privilege escalation alerts
- Credential access alerts
- Lateral movement alerts
- Other alerts
Each phase's documentation describes the alerts designed to detect that stage of an attack and how to use them to help protect your network.
License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.