MITRE ATT&CK Technique
Description
Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-11T19:05:02.399Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may patch the authentication process on a domain '
'controller to bypass the typical authentication mechanisms '
'and enable access to accounts. \n'
'\n'
'Malware may be used to inject false credentials into the '
'authentication process on a domain controller with the intent '
'of creating a backdoor used to access any user’s account '
'and/or credentials (ex: [Skeleton '
'Key](https://attack.mitre.org/software/S0007)). Skeleton key '
'works through a patch on an enterprise domain controller '
'authentication process (LSASS) with credentials that '
'adversaries may use to bypass the standard authentication '
'system. Once patched, an adversary can use the injected '
'password to successfully authenticate as any domain user '
'account (until the the skeleton key is erased from memory by '
'a reboot of the domain controller). Authenticated access may '
'enable unfettered access to hosts and/or resources within '
'single-factor authentication environments.(Citation: Dell '
'Skeleton)',
'external_references': [{'external_id': 'T1556.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1556/001'},
{'description': 'Dell SecureWorks. (2015, January '
'12). Skeleton Key Malware Analysis. '
'Retrieved April 8, 2019.',
'source_name': 'Dell Skeleton',
'url': 'https://www.secureworks.com/research/skeleton-key-malware-analysis'},
{'description': 'Microsoft. (2016, April 15). Audit '
'Policy Recommendations. Retrieved '
'June 3, 2016.',
'source_name': 'TechNet Audit Policy',
'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'}],
'id': 'attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:27.324Z',
'name': 'Domain Controller Authentication',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '2.1'}