S0007: Skeleton Key
Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. [1] Functionality similar to Skeleton Key is included as a module in Mimikatz.
Analyst context for executives and security teams
Skeleton Key matters because it targets the trust anchor of a Windows domain: the domain controller authentication process. Once it is in place, a successful password logon no longer proves that the legitimate user authenticated, because the domain controller will also accept a backdoor password for any account while the real password keeps working, so users and most monitoring see nothing broken. For leaders, this turns an identity compromise into a business-continuity and incident-response issue: account reviews alone are not enough if authentication itself has been altered.
Executive priority
Prioritize this as a high-value identity infrastructure risk, not just endpoint malware. The supplied ATT&CK relationship maps Skeleton Key to Domain Controller Authentication, with persistence, credential access, and defense impairment implications. Executives should ask whether domain controllers receive stronger monitoring, change control, privileged access governance, and incident isolation procedures than standard servers. Audit and compliance evidence should be able to show who can administer domain controllers, how unauthorized authentication-process changes would be investigated, and how the organization would recover trust in Active Directory after suspected compromise.
Technical view
Skeleton Key is Windows malware that injects false credentials into domain controllers to create a backdoor password. The Dell SecureWorks analysis cited as [1] adds the details defenders most need: the implant patches the LSASS process on the domain controller in memory, so it does not survive a reboot and must be redeployed; it requires domain administrator credentials to install, so its presence means that level of access was already lost; the legitimate password for every account keeps working alongside the backdoor password, so nothing appears broken; and authentications that use the backdoor password fall back to RC4-HMAC Kerberos encryption, which shows up in ticket events as an encryption downgrade on domains that otherwise negotiate AES. ATT&CK does not provide an official detection section for this software object, so SOC and IR teams should validate coverage around the related technique T1556.001, Domain Controller Authentication. Practical validation should focus on whether defenders can detect or investigate unauthorized changes to domain controller authentication behavior (including handles opened to LSASS on a domain controller by anything other than known security tooling), suspicious privileged activity on domain controllers, unexpected software or module behavior on domain controllers, and anomalous successful authentication patterns that do not align with normal account usage. Relationship context notes that APT5 has used this software, but that should be treated as historical ATT&CK context rather than evidence of current activity in any environment.
Likely telemetry
- Windows domain controller Security log, in particular Kerberos ticket events (4768, 4769, including the ticket encryption type field) and logon events (4624, 4672)
- Directory service and domain controller administrative activity logs
- Privileged account logon and session records involving domain controllers
- Endpoint or server telemetry from domain controllers, where collected
- Process, service, driver, and module inventory or integrity telemetry on domain controllers, where available
Detection direction
- Validate that domain controllers are monitored as critical identity infrastructure, not as ordinary Windows servers.
- Tune detections around unusual successful authentication patterns, especially privileged access that appears valid but conflicts with expected user, host, time, or administrative workflow context, and around Kerberos encryption downgrades to RC4-HMAC (ticket encryption type 0x17) from accounts and hosts that otherwise negotiate AES.
- Correlate domain controller administrative activity with approved change windows and authorized administrator identities.
- Review whether endpoint telemetry on domain controllers is deep enough to support investigation of authentication-process tampering; ATT&CK provides no official detection logic for this object.
- Account for false positives from legitimate domain controller maintenance, security tooling, and authentication infrastructure changes by tying alerts to change-management evidence.
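The two detection bullets that are most directly testable (encryption downgrade and unexplained administrative logons to a domain controller) are shown here as working logic over a batch of constructed domain controller Security log records. This is an added example, not code from the ATT&CK page, from MITRE or from the Dell SecureWorks report; the record layout, account names, IP addresses, AES baseline and change windows are all assumptions made for the example, and the field names simply follow the Windows Security log XML.

```python
"""Added example: two Skeleton Key detection checks over constructed DC events.

Not from the ATT&CK page or the Dell SecureWorks report. Records are simplified
dicts whose field names follow the Windows Security log XML (EventID,
TargetUserName, TicketEncryptionType, LogonType, IpAddress, TimeCreated);
every record, account, IP address and change window below is constructed.
"""
from datetime import datetime, timezone

RC4_HMAC = "0x17"                           # Kerberos etype 23, RC4-HMAC
KERBEROS_TICKET_EVENTS = {"4768", "4769"}   # TGT request / service-ticket request
LOGON_EVENT = "4624"
INTERACTIVE_LOGON_TYPES = {"2", "10"}       # console / RDP: on a DC this is admin activity

# Constructed baseline: accounts observed to negotiate AES in normal operation.
AES_BASELINE_ACCOUNTS = {"jdoe", "da-admin01"}
# Constructed change-management evidence: approved DC administrators and windows.
APPROVED_DC_ADMINS = {"da-admin01"}
APPROVED_CHANGE_WINDOWS = [
    (datetime(2025, 3, 10, 22, 0, tzinfo=timezone.utc),
     datetime(2025, 3, 11, 2, 0, tzinfo=timezone.utc)),
]


def parse_time(value):
    """Parse the ISO 8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_change_window(when, windows=APPROVED_CHANGE_WINDOWS):
    return any(start <= when <= end for start, end in windows)


def kerberos_downgrade_findings(events, aes_accounts=AES_BASELINE_ACCOUNTS):
    """Flag RC4-HMAC tickets for accounts whose baseline is AES.

    Skeleton Key authentications fall back to RC4, but legacy hosts also use
    RC4 legitimately, so only accounts with an AES baseline are flagged.
    """
    findings = []
    for e in events:
        if e["EventID"] not in KERBEROS_TICKET_EVENTS:
            continue
        user = e["TargetUserName"].lower()
        if e.get("TicketEncryptionType") == RC4_HMAC and user in aes_accounts:
            findings.append({"rule": "kerberos_rc4_downgrade", "event_id": e["EventID"],
                             "user": user, "client": e.get("IpAddress"),
                             "time": e["TimeCreated"]})
    return findings


def dc_interactive_logon_findings(events, approved=APPROVED_DC_ADMINS):
    """Flag console/RDP logons to a DC that lack change-management cover."""
    findings = []
    for e in events:
        if e["EventID"] != LOGON_EVENT or e.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue
        user = e["TargetUserName"].lower()
        if user not in approved:
            reason = "account is not an approved DC administrator"
        elif not in_change_window(parse_time(e["TimeCreated"])):
            reason = "approved administrator outside an approved change window"
        else:
            continue  # approved admin inside an approved window: expected activity
        findings.append({"rule": "dc_interactive_logon", "event_id": e["EventID"],
                         "user": user, "host": e.get("Computer"),
                         "time": e["TimeCreated"], "reason": reason})
    return findings


def run_checks(events):
    return kerberos_downgrade_findings(events) + dc_interactive_logon_findings(events)


# Constructed sample: seven records as a SIEM might export them from a DC.
SAMPLE_EVENTS = [
    {"EventID": "4768", "TimeCreated": "2025-03-12T08:01:10Z", "Computer": "DC01",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "TicketEncryptionType": "0x12"},
    {"EventID": "4768", "TimeCreated": "2025-03-12T08:04:41Z", "Computer": "DC01",
     "TargetUserName": "jdoe", "IpAddress": "10.0.9.77", "TicketEncryptionType": "0x17"},
    {"EventID": "4769", "TimeCreated": "2025-03-12T08:05:02Z", "Computer": "DC01",
     "TargetUserName": "legacyapp", "IpAddress": "10.0.2.5", "TicketEncryptionType": "0x17"},
    {"EventID": "4624", "TimeCreated": "2025-03-10T23:15:00Z", "Computer": "DC01",
     "TargetUserName": "da-admin01", "LogonType": "10", "IpAddress": "10.0.1.10"},
    {"EventID": "4624", "TimeCreated": "2025-03-12T03:00:00Z", "Computer": "DC01",
     "TargetUserName": "svc-backup", "LogonType": "10", "IpAddress": "10.0.9.77"},
    {"EventID": "4624", "TimeCreated": "2025-03-12T03:05:00Z", "Computer": "DC01",
     "TargetUserName": "da-admin01", "LogonType": "2", "IpAddress": "127.0.0.1"},
    {"EventID": "4624", "TimeCreated": "2025-03-12T08:06:00Z", "Computer": "DC01",
     "TargetUserName": "jdoe", "LogonType": "3", "IpAddress": "10.0.5.23"},
]

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_EVENTS):
        print(finding)
```

On the sample, the AES-baseline account that suddenly obtains an RC4 ticket, the non-approved account's RDP logon to the DC, and the approved administrator's console logon outside a change window are reported; the legacy application's RC4 ticket, the approved in-window logon and the ordinary network logon are not, which is the false-positive handling the last bullet above asks for. In production the baseline and approvals would come from your identity inventory and change-management system rather than from constants.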
Mitigation priorities
- Restrict and closely monitor administrative access to domain controllers.
- Apply strong change control and independent review for domain controller software, services, and security configuration changes.
- Ensure domain controllers are included in managed detection, incident response collection plans, and privileged access monitoring.
- Maintain recovery procedures for restoring trust in domain controllers if authentication tampering is suspected. Because the analyzed implant lives in LSASS memory, a reboot clears the patch but not the domain administrator access used to install it; recovery must also reset the credentials and remove the access that made deployment possible.
- Use segmentation and administrative tiering principles to reduce the number of systems and identities that can affect domain controllers.
Analyst notes and limits
The most decision-relevant point is the trust impact: Skeleton Key-style behavior can undermine confidence in domain authentication itself. The object is linked to APT5 usage and to T1556.001 Domain Controller Authentication. The official description also notes that similar functionality exists as a module in Mimikatz (its misc::skeleton command), which reinforces the need to assess behavior and control coverage rather than only one malware name.
ATT&CK provides no official detection guidance for this software object, no explicit tactics on the malware object itself, and only Windows platform scope. This take therefore relies on the supplied description and relationship to T1556.001. Local conclusions require environment-specific evidence from domain controllers, identity logs, administrative workflows, and incident response artifacts.
Skeleton Key
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1556.001 | Domain Controller Authentication | Skeleton Key is used to patch an enterprise domain controller authentication process with a backdoor password. It allows adversaries to bypass the standard authentication system to use a defined password for all accounts authenticating to that domain controller. [1] |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | dac2aa2e8417… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dell Skeleton: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.
- [2] mitre-attack: MITRE ATT&CK software entry S0007.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.