Description
Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)
Platforms
Mitigations (2)
Privileged Account ManagementM1026
Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.
Multi-factor AuthenticationM1032
Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS)
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S1104 | SLOWPULSE | Malware | [SLOWPULSE](https://attack.mitre.org/software/S1104) can modify LDAP and two factor authentication flows by inspecting login credentials and forcing s... |
| S0519 | SYNful Knock | Malware | [SYNful Knock](https://attack.mitre.org/software/S0519) has the capability to add its own custom backdoor password when it modifies the operating syst... |
| S9013 | DRYHOOK | Malware | [DRYHOOK](https://attack.mitre.org/software/S9013) has patched victim appliances authentication routines to capture credentials in plaintext as users ... |
References
Frequently Asked Questions
What is T1556.004 (Network Device Authentication)?
T1556.004 is a MITRE ATT&CK technique named 'Network Device Authentication'. It belongs to the Defense Impairment, Persistence, Credential Access tactic(s). Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local ac...
How can T1556.004 be detected?
Detection of T1556.004 (Network Device Authentication) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1556.004?
There are 2 documented mitigations for T1556.004. Key mitigations include: Privileged Account Management, Multi-factor Authentication.
Which threat groups use T1556.004?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.