DET0271 Detect Domain Controller Authentication Process Modification (Skeleton Key)

| Item | Value |
| --- | --- |
| ID | DET0271 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1556.001 (Domain Controller Authentication)

Analytics

Windows

AN0757

Detects anomalous process access to LSASS on domain controllers, suspicious module loads of authentication DLLs, and registry or file modifications indicative of Skeleton Key–style patching. Correlates LSASS access attempts with subsequent abnormal logon activity patterns.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4648 |
| File Modification (DC0061) | WinEventLog:System | Unexpected modification to lsass.exe or cryptdll.dll |

Mutable Elements

| Field | Description |
| --- | --- |
| MonitoredDLLs | Specific authentication DLLs such as cryptdll.dll and samsrv.dll monitored for tampering. |
| TimeWindow | Correlation window between LSASS memory access, module load, and suspicious logons. |
| UserContext | Baseline expected accounts performing domain controller logon operations. |
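The correlation that AN0757 describes, written out as an added example (not code from the ATT&CK project): Sysmon EventCode 10 access to lsass.exe, a Sysmon EventCode 7 load of a monitored authentication DLL, and a Security 4624/4648 logon outside the UserContext baseline are joined per host inside TimeWindow. The event dicts, field names, the allow-list of legitimate LSASS accessors and the rule that a monitored DLL loaded by a process other than lsass.exe is the suspicious load are all assumptions made for this example.

```python
"""Added example: join the analytic's three signals (LSASS access, authentication
DLL load, abnormal logon) per domain controller inside a time window."""
from datetime import datetime, timedelta

# Mutable elements from the analytic; values here are placeholders.
MONITORED_DLLS = {"cryptdll.dll", "samsrv.dll"}
TIME_WINDOW = timedelta(minutes=10)
BASELINE_ACCOUNTS = {"CORP\\svc_backup"}                        # UserContext
ALLOWED_LSASS_ACCESSORS = {"c:\\windows\\system32\\csrss.exe"}  # assumed allow-list

def _t(e): return datetime.fromisoformat(e["ts"])
def _base(p): return p.rsplit("\\", 1)[-1].lower()

def correlate(events, window=TIME_WINDOW, monitored=MONITORED_DLLS,
              baseline=BASELINE_ACCOUNTS):
    """One alert per non-allow-listed LSASS access that is followed on the same
    host, within `window`, by a monitored-DLL load and a non-baseline logon."""
    alerts = []
    accesses = [e for e in events if e["id"] == 10            # Sysmon EID 10
                and _base(e["target_image"]) == "lsass.exe"
                and e["source_image"].lower() not in ALLOWED_LSASS_ACCESSORS]
    for acc in accesses:
        start, end = _t(acc), _t(acc) + window
        nearby = [e for e in events if e["host"] == acc["host"]
                  and start <= _t(e) <= end]
        # Sysmon EID 7: authentication DLL loaded by a process other than lsass.exe
        # (assumed tamper indicator; lsass itself loads these legitimately at boot).
        loads = [e for e in nearby if e["id"] == 7
                 and _base(e["loaded"]) in monitored
                 and _base(e["image"]) != "lsass.exe"]
        # Security EID 4624/4648: logons by accounts outside the baseline.
        logons = [e for e in nearby if e["id"] in (4624, 4648)
                  and e.get("account") not in baseline]
        if loads and logons:
            alerts.append({"host": acc["host"], "source": acc["source_image"],
                           "dll": _base(loads[0]["loaded"]),
                           "accounts": sorted({l["account"] for l in logons})})
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"ts": "2025-10-21T09:00:00", "id": 10, "host": "DC01",
     "source_image": "C:\\Temp\\tool.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2025-10-21T09:00:05", "id": 7, "host": "DC01",
     "image": "C:\\Temp\\tool.exe", "loaded": "C:\\Windows\\System32\\cryptdll.dll"},
    {"ts": "2025-10-21T09:04:00", "id": 4624, "host": "DC01", "account": "CORP\\jdoe"},
    {"ts": "2025-10-21T15:00:00", "id": 4624, "host": "DC01", "account": "CORP\\svc_backup"},
]

if __name__ == "__main__": print(correlate(SAMPLE_EVENTS))
```

The baseline logon at 15:00 falls outside the window and does not contribute, so only the 09:04 logon by a non-baseline account turns the access-plus-load pair into an alert.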