Query Details

RULE 27 AD Skeleton Key LSASS Patch

Query

// =========================================================
// RULE-27 | AD-SkeletonKey-LSASS-Patch
// Description : Skeleton Key attack detection — Mimikatz
//               misc::skeleton injects a master backdoor
//               password into the running LSASS on each DC.
//               Detected via:
//               1. Event 4611 — Trusted Logon Process
//                  Registered (LSA package injection signal)
//               2. Event 4688 — Process Creation with
//                  Mimikatz command misc::skeleton
//               3. DeviceEvents (MDE) — process handle opened on
//                  LSASS (OpenProcessApiCall) by an unexpected process
//               Since this is in-memory only (no file on
//               disk), it's lost on reboot — but very
//               dangerous while active.
// Severity    : Critical
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1556.001 — Modify Authentication Process:
//               Domain Controller Authentication
// Tables      : SecurityEvent, DeviceEvents (MDE optional)
// =========================================================

let LookBack = 15m;

// Signal 1: Event 4611 — new trusted logon process on DC
// (unusual LSA package registration = possible SSP injection)
let Via4611 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4611
    | where not(LogonProcessName has_any (
        "Authz", "NTLM", "Kerberos", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
        "NtLmSsp", "WDigest", "schannel", "msv1_0", "negotiate",
        "CredSSP", "CREDSSP"
    ))
    | extend
        Source     = "Event4611_UnknownLSAPackage",
        Actor      = SubjectUserName,
        Detail     = LogonProcessName,
        Host       = Computer;

// Signal 2: Mimikatz skeleton key command via process creation
// (4688 only carries CommandLine when command-line auditing is enabled)
let Via4688 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4688
    | where CommandLine has_any ("misc::skeleton", "skeleton",
                                  "lsadump::lsp", "memssp")
    | extend
        Source     = "Event4688_Mimikatz_Skeleton",
        Actor      = SubjectUserName,
        Detail     = CommandLine,
        Host       = Computer;

// Signal 3: MDE — handle opened on LSASS (OpenProcessApiCall) by a process
// outside the expected set; the access mask is not inspected, so read and
// write opens are treated alike
let ViaMDE = DeviceEvents
    | where TimeGenerated > ago(LookBack)
    | where ActionType == "OpenProcessApiCall"
    | where FileName =~ "lsass.exe"
    | where not(InitiatingProcessFileName in~ (
        "MsMpEng.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
        "svchost.exe", "lsaiso.exe", "taskmgr.exe", "services.exe"
    ))
    | extend
        Source     = "MDE_LSASS_Write_Suspicious",
        Actor      = InitiatingProcessAccountName,
        Detail     = strcat(InitiatingProcessFileName, " PID:", tostring(InitiatingProcessId)),
        Host       = DeviceName;

union Via4611, Via4688, ViaMDE
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "SkeletonKey_LSASS_Injection_Indicator; ",
        "Source: ", Source, "; ",
        "Actor: ", Actor, "; ",
        "Detail: ", Detail
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    Actor,
    Detail,
    Source,
    Host
| order by TimeGenerated desc

Explanation

This query is designed to detect a specific type of cyber attack known as the "Skeleton Key" attack, which targets domain controllers by injecting a backdoor password into the LSASS process. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify suspicious activities related to the Skeleton Key attack, which is often executed using the Mimikatz tool. This attack allows unauthorized access to domain controllers by modifying the authentication process.

  2. Detection Signals:

    • Signal 1: Looks for unusual logon processes (Event ID 4611) on domain controllers that might indicate an unauthorized injection into the LSASS process.
    • Signal 2: Searches for process creation events (Event ID 4688) where commands associated with Mimikatz's Skeleton Key functionality are executed.
    • Signal 3: Monitors DeviceEvents for processes that open a handle to the LSASS process (OpenProcessApiCall) from unexpected or suspicious sources, excluding a small set of known system and security processes.

  3. Severity and Frequency: The query is set to run every 15 minutes and looks back over the last 15 minutes of data. The severity of detected events is marked as "Critical" due to the potential impact of the attack.

  4. Output: The query combines results from the three detection signals and provides a summary that includes:

    • The time the suspicious activity was detected.
    • The severity level ("Critical").
    • A description of why the activity is suspicious.
    • Details about the actor (user or process) involved, the specific details of the suspicious activity, the source of the detection, and the host (computer) where it was detected.

  5. MITRE ATT&CK Framework: The attack is mapped to the MITRE ATT&CK technique T1556.001, which involves modifying the authentication process on domain controllers.

In essence, this query is a security measure to detect and alert on potential Skeleton Key attacks, which can compromise the security of a network by allowing unauthorized access to sensitive systems.
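The three signals described above, re-implemented over constructed sample records so the rule's filtering, look-back window and output shape can be exercised offline (for instance when tuning the allowlists). This is an added example, not code from the original query page or its author: the record keys follow the Sentinel SecurityEvent and DeviceEvents column names the KQL references, every event, host name, account and process name is constructed, and kql_has is an approximation of KQL term matching rather than the engine's own implementation.

```python
import re
from datetime import datetime, timedelta, timezone

LOOK_BACK = timedelta(minutes=15)

# Allowlists copied from the KQL rule above.
KNOWN_LSA_PACKAGES = (
    "Authz", "NTLM", "Kerberos", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
    "NtLmSsp", "WDigest", "schannel", "msv1_0", "negotiate",
    "CredSSP", "CREDSSP",
)
SKELETON_CMD_TERMS = ("misc::skeleton", "skeleton", "lsadump::lsp", "memssp")
EXPECTED_LSASS_OPENERS = (
    "MsMpEng.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "svchost.exe", "lsaiso.exe", "taskmgr.exe", "services.exe",
)


def _terms(text):
    # KQL `has` matches whole terms (runs of alphanumerics), case-insensitively.
    # This split is an approximation of the engine's tokeniser, not the real thing.
    return re.findall(r"[A-Za-z0-9_]+", text.lower())


def kql_has(text, phrase):
    """Approximate KQL `has`: every term of phrase appears, in order, as whole terms."""
    t, p = _terms(text), _terms(phrase)
    return bool(p) and any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))


def kql_has_any(text, phrases):
    return any(kql_has(text, ph) for ph in phrases)


def _finding(source, actor, detail, host, when):
    # Same shape as the KQL extend/project output; WhySuspicious mirrors strcat().
    why = ("SkeletonKey_LSASS_Injection_Indicator; "
           f"Source: {source}; Actor: {actor}; Detail: {detail}")
    return {"TimeGenerated": when, "Severity": "Critical", "WhySuspicious": why,
            "Actor": actor, "Detail": detail, "Source": source, "Host": host}


def run_rule(security_events, device_events, now):
    """Apply the three signals to in-memory records; return findings, newest first."""
    cutoff = now - LOOK_BACK
    findings = []
    for ev in security_events:
        if ev["TimeGenerated"] <= cutoff:          # TimeGenerated > ago(LookBack)
            continue
        if ev["EventID"] == 4611 and not kql_has_any(ev["LogonProcessName"], KNOWN_LSA_PACKAGES):
            findings.append(_finding("Event4611_UnknownLSAPackage", ev["SubjectUserName"],
                                     ev["LogonProcessName"], ev["Computer"], ev["TimeGenerated"]))
        elif ev["EventID"] == 4688 and kql_has_any(ev["CommandLine"], SKELETON_CMD_TERMS):
            findings.append(_finding("Event4688_Mimikatz_Skeleton", ev["SubjectUserName"],
                                     ev["CommandLine"], ev["Computer"], ev["TimeGenerated"]))
    allow = {p.lower() for p in EXPECTED_LSASS_OPENERS}   # in~ is case-insensitive
    for ev in device_events:
        if ev["TimeGenerated"] <= cutoff or ev["ActionType"] != "OpenProcessApiCall":
            continue
        if ev["FileName"].lower() != "lsass.exe":          # =~ is case-insensitive equality
            continue
        if ev["InitiatingProcessFileName"].lower() in allow:
            continue
        detail = f"{ev['InitiatingProcessFileName']} PID:{ev['InitiatingProcessId']}"
        findings.append(_finding("MDE_LSASS_Write_Suspicious", ev["InitiatingProcessAccountName"],
                                 detail, ev["DeviceName"], ev["TimeGenerated"]))
    return sorted(findings, key=lambda f: f["TimeGenerated"], reverse=True)


# Constructed sample telemetry (not real events); NOW is a constructed reference time.
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_SECURITY_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=1), "EventID": 4611, "Computer": "DC01",
     "SubjectUserName": "SYSTEM", "LogonProcessName": "Kerberos"},                  # known package
    {"TimeGenerated": NOW - timedelta(minutes=2), "EventID": 4611, "Computer": "DC01",
     "SubjectUserName": "SYSTEM", "LogonProcessName": "UnknownPkg_Constructed"},    # not allowlisted
    {"TimeGenerated": NOW - timedelta(minutes=3), "EventID": 4688, "Computer": "DC01",
     "SubjectUserName": "svc-backup", "CommandLine": r"C:\Windows\System32\notepad.exe"},
    {"TimeGenerated": NOW - timedelta(minutes=5), "EventID": 4688, "Computer": "DC01",
     "SubjectUserName": "admin-constructed", "CommandLine": 'mimikatz.exe "misc::skeleton"'},
    {"TimeGenerated": NOW - timedelta(minutes=30), "EventID": 4688, "Computer": "DC02",
     "SubjectUserName": "admin-constructed", "CommandLine": 'mimikatz.exe "misc::skeleton"'},  # outside look-back
]
SAMPLE_DEVICE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=4), "ActionType": "OpenProcessApiCall",
     "FileName": "lsass.exe", "InitiatingProcessFileName": "MsMpEng.exe",
     "InitiatingProcessId": 1234, "InitiatingProcessAccountName": "SYSTEM", "DeviceName": "DC01"},
    {"TimeGenerated": NOW - timedelta(minutes=6), "ActionType": "OpenProcessApiCall",
     "FileName": "LSASS.EXE", "InitiatingProcessFileName": "suspicious_tool.exe",
     "InitiatingProcessId": 4242, "InitiatingProcessAccountName": "admin-constructed", "DeviceName": "DC01"},
    {"TimeGenerated": NOW - timedelta(minutes=7), "ActionType": "OpenProcessApiCall",
     "FileName": "notepad.exe", "InitiatingProcessFileName": "suspicious_tool.exe",     # wrong target
     "InitiatingProcessId": 4242, "InitiatingProcessAccountName": "admin-constructed", "DeviceName": "DC01"},
]


def demo():
    return run_rule(SAMPLE_SECURITY_EVENTS, SAMPLE_DEVICE_EVENTS, NOW)


if __name__ == "__main__":
    for f in demo():
        print(f["TimeGenerated"].isoformat(), f["Host"], f["WhySuspicious"])
```

Running the module prints three findings, one per signal, newest first, and drops the older 4688 record because it falls outside the 15-minute look-back. The KQL stays the source of truth for the analytics rule; a harness like this is only useful for checking that an allowlist change still fires on the cases you expect before it is pushed to the workspace.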

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent, DeviceEvents

Keywords

SecurityEvent, DeviceEvents, Mimikatz, LSASS, DomainController

Operators

let, ago(), where, has_any(), extend, union, =~, in~, strcat(), tostring(), project, order by