T1556.001 Domain Controller Authentication Mappings

Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton Key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1556.001 | Domain Controller Authentication |
| AC-20 | Use of External Systems | Protects | T1556.001 | Domain Controller Authentication |
| AC-3 | Access Enforcement | Protects | T1556.001 | Domain Controller Authentication |
| AC-5 | Separation of Duties | Protects | T1556.001 | Domain Controller Authentication |
| AC-6 | Least Privilege | Protects | T1556.001 | Domain Controller Authentication |
| AC-7 | Unsuccessful Logon Attempts | Protects | T1556.001 | Domain Controller Authentication |
| CA-7 | Continuous Monitoring | Protects | T1556.001 | Domain Controller Authentication |
| CM-5 | Access Restrictions for Change | Protects | T1556.001 | Domain Controller Authentication |
| CM-6 | Configuration Settings | Protects | T1556.001 | Domain Controller Authentication |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1556.001 | Domain Controller Authentication |
| IA-5 | Authenticator Management | Protects | T1556.001 | Domain Controller Authentication |
| SC-39 | Process Isolation | Protects | T1556.001 | Domain Controller Authentication |
| SI-4 | System Monitoring | Protects | T1556.001 | Domain Controller Authentication |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1556.001 | Domain Controller Authentication |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1556.001 | Modify Authentication Process: Domain Controller Authentication |
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1556.001 | Modify Authentication Process: Domain Controller Authentication |