Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify domain controller authentication mechanisms.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1556.001 | Domain Controller Authentication | |
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1556.001 | Domain Controller Authentication |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1556.001 | Domain Controller Authentication |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
References
|