MITRE ATT&CK® Analytic

AN0757: Analytic 0757

Detects anomalous process access to LSASS on domain controllers, suspicious module loads of authentication DLLs, and registry or file modifications indicative of Skeleton Key–style patching. Correlates LSASS access attempts with subsequent abnormal logon activity patterns.

Domain: Enterprise | Object type: Analytic | ID: AN0757 | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0757 is a Windows detection analytic focused on signs that LSASS on domain controllers may be accessed or modified in ways consistent with Skeleton Key–style authentication patching. For leaders, the value is not just malware detection; it is assurance that the organization can notice tampering with core identity infrastructure before abnormal authentication becomes a business-continuity or incident-response crisis.

Executive priority

Prioritize this analytic where Windows domain controllers remain critical to authentication, privileged access, and operational continuity. Executives should ask whether SOC and IR teams can prove they collect and correlate LSASS access, authentication-related module loads, registry or file changes, and unusual logon patterns on domain controllers. This supports identity resilience, audit evidence for monitoring of privileged infrastructure, and faster decision-making during suspected domain compromise.

Technical view

The supplied ATT&CK description points to correlation across several evidence types: anomalous process access to LSASS on domain controllers, suspicious loading of authentication DLLs, registry or file modifications associated with Skeleton Key–style patching, and follow-on abnormal logon activity. SOC teams should validate that domain controller telemetry is collected with enough fidelity to identify process-to-LSASS access, module loads involving authentication components, sensitive registry and file changes, and logon pattern anomalies. Because no official detection logic or ATT&CK tactic mapping is provided, local baselining and environment-specific tuning are required.

Likely telemetry

  • Windows process access events involving LSASS on domain controllers
  • Module load telemetry for authentication-related DLLs
  • Registry modification events on domain controllers
  • File modification events affecting authentication-related components
  • Windows logon and authentication events from domain controllers

Detection direction

  • Validate that LSASS access monitoring is enabled and retained on domain controllers, not only on workstations or member servers.
  • Baseline legitimate administrative, security tooling, backup, and EDR interactions with LSASS to reduce false positives.
  • Correlate suspicious LSASS access with authentication DLL module loads and registry or file modifications rather than treating each signal in isolation.
  • Review logon and Kerberos activity that follows suspicious LSASS-related events on the same domain controller: accounts that suddenly authenticate successfully from unusual hosts, and TGT or service-ticket requests issued with RC4 where the domain baseline is AES. The Skeleton Key implant depends on that RC4 downgrade for its master password, so an encryption-type shift after an LSASS access is a stronger signal than either event alone.
  • Confirm alert routing and escalation paths for domain controller identity-tampering signals, since delayed triage can materially affect incident containment.
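The correlation the list above describes, written out as an added example (not code from the ATT&CK object or from Glexia). It scores a non-allowlisted process that opens lsass.exe on a domain controller with write rights, then looks for two corroborating signals on the same host: an authentication DLL (cryptdll.dll or samsrv.dll) loaded by something other than lsass.exe, or a DLL loaded into lsass.exe from outside System32, and Kerberos TGT requests issued with RC4 afterwards. The event dictionaries are constructed and simplified from Sysmon Event ID 10 and 7 and Security event 4768 field names; the DC hostnames, the LSASS allowlist, the correlation window and the assumption that AES is the domain baseline are local tuning choices, not part of the analytic.

```python
"""Correlation sketch for AN0757-style Skeleton Key detection on a DC.
Added example, not code from MITRE or Glexia. Events are constructed and
simplified from Sysmon EID 10 (ProcessAccess), Sysmon EID 7 (ImageLoad)
and Security 4768 (Kerberos TGT request). DC names, the LSASS allowlist,
the window and the AES-baseline assumption are local tuning choices.
"""
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumption: DC hostnames
# Assumption: processes whose LSASS access has been baselined as legitimate.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\edr\sensor.exe",
}
# Patching LSASS memory needs PROCESS_VM_OPERATION (0x08) and PROCESS_VM_WRITE (0x20);
# read-only dumping needs only PROCESS_VM_READ (0x10), so this mask separates the two.
PATCH_MASK = 0x08 | 0x20
AUTH_DLLS = {"cryptdll.dll", "samsrv.dll"}  # DLLs Skeleton Key patches inside LSASS
RC4_HMAC = 0x17  # Kerberos etype; assumption: AES (0x11/0x12) is this domain's baseline
WINDOW = timedelta(hours=1)


def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_lsass_access(ev):
    """EID 10 on a DC: non-allowlisted process opens lsass.exe with write rights."""
    return (ev["EventID"] == 10
            and ev["Computer"] in DOMAIN_CONTROLLERS
            and _basename(ev["TargetImage"]) == "lsass.exe"
            and ev["SourceImage"].lower() not in LSASS_ACCESS_ALLOWLIST
            and int(ev["GrantedAccess"], 16) & PATCH_MASK == PATCH_MASK)


def suspicious_auth_dll_load(ev):
    """EID 7 on a DC: an auth DLL loaded by something other than lsass.exe
    (a patcher resolving offsets), or lsass.exe loading a DLL from outside System32."""
    if ev["EventID"] != 7 or ev["Computer"] not in DOMAIN_CONTROLLERS:
        return False
    loader, loaded = _basename(ev["Image"]), ev["ImageLoaded"].lower()
    if loader != "lsass.exe":
        return _basename(loaded) in AUTH_DLLS
    return not loaded.startswith("c:\\windows\\system32\\")


def downgraded_tgt_request(ev):
    """4768 on a DC issued with RC4: the downgrade a Skeleton Key master password relies on."""
    return (ev["EventID"] == 4768
            and ev["Computer"] in DOMAIN_CONTROLLERS
            and int(ev["TicketEncryptionType"], 16) == RC4_HMAC)


def correlate(events):
    """One alert per suspicious LSASS access, enriched with module loads seen within
    WINDOW either side and RC4 TGTs issued afterwards on the same DC."""
    events = sorted(events, key=_ts)
    alerts = []
    for ev in events:
        if not suspicious_lsass_access(ev):
            continue
        t0 = _ts(ev)
        nearby = [e for e in events
                  if e["Computer"] == ev["Computer"] and t0 - WINDOW <= _ts(e) <= t0 + WINDOW]
        dll_loads = [e for e in nearby if suspicious_auth_dll_load(e)]
        rc4_tgts = [e for e in nearby if downgraded_tgt_request(e) and _ts(e) >= t0]
        score = 1 + (1 if dll_loads else 0) + (2 if rc4_tgts else 0)
        alerts.append({
            "host": ev["Computer"],
            "source_image": ev["SourceImage"],
            "granted_access": ev["GrantedAccess"],
            "auth_dll_loads": len(dll_loads),
            "rc4_tgt_accounts": sorted({e["TargetUserName"] for e in rc4_tgts}),
            "severity": "high" if score >= 3 else "medium",
        })
    return alerts


# Constructed sample telemetry: one baselined EDR read, one patch-like access with a
# corroborating cryptdll.dll load and a later RC4 TGT, plus unrelated noise on DC02.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "DC01", "UtcTime": "2024-05-01T02:00:00",
     "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 7, "Computer": "DC01", "UtcTime": "2024-05-01T02:14:30",
     "Image": r"C:\Temp\svc.exe", "ImageLoaded": r"C:\Windows\System32\cryptdll.dll"},
    {"EventID": 10, "Computer": "DC01", "UtcTime": "2024-05-01T02:15:00",
     "SourceImage": r"C:\Temp\svc.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 4768, "Computer": "DC01", "UtcTime": "2024-05-01T02:40:00",
     "TargetUserName": "svc-backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "Computer": "DC01", "UtcTime": "2024-05-01T02:41:00",
     "TargetUserName": "jdoe", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "Computer": "DC02", "UtcTime": "2024-05-01T02:42:00",
     "TargetUserName": "jdoe", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the EDR sensor's read-only access is dropped by the allowlist and the access-mask check, and the single alert for DC01 carries the cryptdll.dll load and the RC4 ticket for svc-backup, so it scores high; the RC4 request on DC02 is ignored because the analytic correlates per domain controller. The access-mask test is the piece most worth keeping even if the rest is rewritten for a SIEM: credential dumping usually shows up as PROCESS_VM_READ, while patching needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION, and that distinction is what separates this analytic from ordinary LSASS-dumping alerts.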

Mitigation priorities

  • Harden and closely monitor Windows domain controllers as high-value identity assets.
  • Limit administrative access to domain controllers and review which tools are permitted to interact with LSASS. Where the security and backup tooling in use supports it, enable LSA Protection (running LSASS as a protected process) on domain controllers, since it prevents unsigned code from opening LSASS with the write rights an in-memory patch requires and turns the remaining allowed accessors into a short, auditable list.
  • Ensure logging and endpoint telemetry policies cover LSASS access, module loads, registry changes, file changes, and authentication events on domain controllers.
  • Maintain incident-response procedures for suspected domain controller tampering, including evidence preservation and identity-containment decision points.
  • Use periodic control validation or detection engineering tests to confirm telemetry correlation still works after platform, policy, or tooling changes.

Analyst notes and limits

This analytic is most useful as an identity-infrastructure integrity check. The decision value comes from correlating endpoint behavior on domain controllers with authentication outcomes, rather than relying on a single event type. One caveat matters for triage: the Skeleton Key implant as originally reported patched LSASS in memory only, left no registry or file persistence, and was removed by a reboot of the domain controller. Registry and file telemetry will therefore catch a dropper or loader rather than the patch itself, and evidence of the patch can disappear before an investigator reaches the host unless process-access and module-load events were collected and retained. Managed detection and IR teams should treat confirmed suspicious LSASS access plus authentication component changes as requiring rapid identity-focused triage.

The supplied ATT&CK object provides a description but no official detection logic, no tactics, and no relationship context. This take is therefore limited to the stated Windows platform and the described LSASS, module load, registry/file modification, and logon-correlation themes. Local baselines, telemetry availability, and domain controller architecture are required to determine practical coverage and severity.

Official MITRE ATT&CK definition

Analytic 0757

Detects anomalous process access to LSASS on domain controllers, suspicious module loads of authentication DLLs, and registry or file modifications indicative of Skeleton Key–style patching. Correlates LSASS access attempts with subsequent abnormal logon activity patterns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in snapshot)
Modified: (blank in snapshot)
Raw hash: 71f2e754204c78f0...

Imported snapshots across ATT&CK releases (1)

  • Release: 19.1
  • Bundle imported: (blank in snapshot)
  • Object version: 1.0
  • Modified: (blank in snapshot)
  • Status: Current bundle
  • Raw hash: 71f2e754204c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0757 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.