DET0271: Detect Domain Controller Authentication Process Modification (Skeleton Key)
Analyst context for executives and security teams
This detection strategy is tied to Skeleton Key-style modification of a domain controller authentication process. The business issue is not just malware on a server; it is the possibility that authentication itself has been altered so an adversary can bypass normal password validation and access user accounts. For leaders, this is a high-consequence identity resilience scenario because compromise of a domain controller can undermine trust in account activity, incident scoping, and audit evidence.
Executive priority
Prioritize this as an identity and incident-response readiness concern. The related ATT&CK technique maps to the Defense Evasion, Persistence, and Credential Access tactics on Windows domain controllers, so leaders should ask whether domain controllers have sufficient monitoring, change control, privileged access governance, and forensic readiness to prove whether authentication behavior has been altered. This also supports compliance and audit discussions around privileged system integrity and evidence retention.
Technical view
The supplied ATT&CK object carries no official description or detection logic of its own; its only relationship is that it detects T1556.001, Modify Authentication Process: Domain Controller Authentication. ATT&CK describes Skeleton Key as a patch applied to the domain controller's authentication process (LSASS) that adds a master password accepted for any account, so the behavior to look for is in-memory tampering with LSASS on a DC followed by logons that do not match normal account usage. SOC, detection engineering, and IR teams should validate visibility on Windows domain controllers for authentication behavior, security-relevant process and service changes, write-capable access to or modification of authentication components, and anomalous account access patterns that could indicate authentication bypass. Because the behavior targets the domain controller authentication process, detections should be evaluated against domain-controller-specific baselines rather than generic endpoint noise.
Likely telemetry
- Windows domain controller security event logs and authentication logs
- Privileged account logon and account access activity from domain controllers
- Process, service, module, or memory-integrity telemetry on domain controllers where available
- File and configuration change evidence for authentication-related system components
- Endpoint detection or forensic artifacts from domain controllers
Detection direction
- Confirm that domain controller telemetry is collected centrally and retained long enough to support incident scoping.
- Tune detections around authentication-process modification and abnormal authentication outcomes with domain-controller baselines to reduce false positives from legitimate maintenance or security tooling.
- Correlate suspected authentication anomalies with privileged access, domain controller process changes, and recent administrative activity.
- Treat gaps in domain controller EDR, event forwarding, or integrity monitoring as material blind spots because this behavior can affect the trustworthiness of authentication records.
- Use the relationship to T1556.001 to map coverage against defense evasion, persistence, and credential access use cases.
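The correlation the list above describes, as an added example that is not part of the DET0271 page or of MITRE's ATT&CK content: a rule that flags write-capable access to LSASS on a domain controller from a source image outside a site-specific allowlist, then scopes the incident by listing every account that logged on to that DC within a window after the suspected modification. Event shapes follow Sysmon Event ID 10 (ProcessAccess) and Windows Security Event ID 4624 (logon), but the field names are simplified, the allowlist is assumed, and all sample records are constructed for this example.

```python
"""Added example: flag write-capable LSASS access on a DC and scope the
accounts that authenticated afterwards. Sample events, the allowlist, and
the simplified field names are assumptions for this example."""
from datetime import datetime, timedelta

# Windows process access rights that allow patching another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed allowlist of tooling expected to open LSASS on this DC. Populate it
# from your own EDR/AV inventory; this single entry is only illustrative.
ALLOWED_LSASS_ACCESSORS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample telemetry from two domain controllers (not real data).
SAMPLE_EVENTS = [
    # Benign: allowlisted AV engine reading LSASS.
    {"time": "2024-05-01T09:58:00", "host": "DC01", "event_id": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    # Benign: non-allowlisted process, but query-only rights (no write bits).
    {"time": "2024-05-01T09:59:00", "host": "DC01", "event_id": 10,
     "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1400},
    # Suspicious: unknown binary opening LSASS with full access (includes VM_WRITE).
    {"time": "2024-05-01T10:00:00", "host": "DC01", "event_id": 10,
     "source_image": r"C:\Users\admin\Downloads\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    # Logons on DC01 after the suspected modification: in scope for review.
    {"time": "2024-05-01T10:05:00", "host": "DC01", "event_id": 4624,
     "account": "CORP\\alice", "logon_type": 3, "source_ip": "10.0.0.25"},
    {"time": "2024-05-01T10:07:00", "host": "DC01", "event_id": 4624,
     "account": "CORP\\svc-backup", "logon_type": 3, "source_ip": "10.0.0.99"},
    # Logon before the modification and a logon on another DC: out of scope.
    {"time": "2024-05-01T08:00:00", "host": "DC01", "event_id": 4624,
     "account": "CORP\\bob", "logon_type": 3, "source_ip": "10.0.0.7"},
    {"time": "2024-05-01T10:06:00", "host": "DC02", "event_id": 4624,
     "account": "CORP\\carol", "logon_type": 3, "source_ip": "10.0.0.31"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_suspicious_lsass_access(event):
    """True for a ProcessAccess event that grants memory-write rights on
    lsass.exe to a source image that is not on the allowlist."""
    if event.get("event_id") != 10:
        return False
    if not event["target_image"].lower().endswith(r"\lsass.exe"):
        return False
    if event["source_image"].lower() in ALLOWED_LSASS_ACCESSORS:
        return False
    return (event["granted_access"] & WRITE_MASK) != 0


def find_suspicious_lsass_access(events):
    return [e for e in events if is_suspicious_lsass_access(e)]


def scope_logons_after_modification(events, window=timedelta(hours=1)):
    """For each suspicious LSASS access, collect the (account, logon type,
    source IP) tuples that logged on to the same DC within `window` after it.
    Every account listed is a candidate for credential reset and review."""
    alerts = []
    for mod in find_suspicious_lsass_access(events):
        t0 = _ts(mod)
        accounts = sorted({
            (e["account"], e["logon_type"], e["source_ip"])
            for e in events
            if e.get("event_id") == 4624 and e["host"] == mod["host"]
            and t0 <= _ts(e) <= t0 + window
        })
        alerts.append({
            "host": mod["host"],
            "time": mod["time"],
            "source_image": mod["source_image"],
            "granted_access": hex(mod["granted_access"]),
            "accounts_to_review": accounts,
        })
    return alerts


if __name__ == "__main__":
    for alert in scope_logons_after_modification(SAMPLE_EVENTS):
        print(alert)
```

In real Sysmon XML the GrantedAccess field arrives as a hex string such as "0x1FFFFF", so parse it to an integer before applying the mask. The allowlist should key on a signed-image hash or publisher rather than a path, because an adversary can drop a tool under a trusted-looking path; and, as the detection direction above says, the rule only stays usable if it is tuned against the DC's own baseline of processes that legitimately open LSASS.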
Mitigation priorities
- Harden and tightly administer Windows domain controllers as critical identity infrastructure.
- Restrict and monitor privileged access capable of modifying domain controller authentication components.
- Maintain strong change control and independent review for domain controller updates, security tooling, and authentication-related configuration changes.
- Ensure incident response plans include domain controller isolation, forensic collection, credential reset strategy, and identity trust restoration steps.
- Validate logging, retention, and evidence handling so investigations can distinguish legitimate administrative change from authentication-process tampering.
Analyst notes and limits
This take is based on the detection strategy DET0271 and its ATT&CK relationship to T1556.001 Domain Controller Authentication. The source object has no official detection text, platforms, tactics, aliases, or description of its own, so the practical guidance is derived conservatively from the related technique context.
ATT&CK does not provide detection logic, data source requirements, or platform metadata directly on this detection strategy object. Local architecture, domain controller logging, endpoint telemetry, and change-management evidence are required to determine actual coverage and risk.
Detect Domain Controller Authentication Process Modification (Skeleton Key)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1556.001 | Modify Authentication Process: Domain Controller Authentication | This object detects Domain Controller Authentication. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 53cf45330fcf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0271 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.