Description
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. Authentication is handled by components responsible for gathering, storing, and validating credentials, such as the Local Security Authority Subsystem Service (LSASS) process and the Security Account Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS. By modifying part of this process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
Adversaries may maliciously modify a part of this process either to reveal credentials (for example, by logging cleartext passwords as they pass through the component) or to bypass authentication mechanisms entirely (for example, by accepting a backdoor password). Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
Platforms
Sub-Techniques (9)
T1556.001 Domain Controller Authentication
T1556.002 Password Filter DLL
T1556.003 Pluggable Authentication Modules
T1556.004 Network Device Authentication
T1556.005 Reversible Encryption
T1556.006 Multi-Factor Authentication
T1556.007 Hybrid Identity
T1556.008 Network Provider DLL
T1556.009 Conditional Access Policies
Mitigations (9)
M1024 Restrict Registry Permissions
Restrict Registry permissions to disallow the modification of sensitive Registry keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
M1032 Multi-factor Authentication
Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
M1027 Password Policies
Ensure that the AllowReversiblePasswordEncryption property is disabled unless a specific application requires it. When it is enabled, the domain controller stores a copy of the password that can be decrypted back to cleartext, so any adversary who can read the directory database obtains the password itself rather than a hash.(Citation: store_pwd_rev_enc)
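The following PowerShell audit is an added example and is not part of the ATT&CK page or any Microsoft tooling. It enumerates every account whose userAccountControl carries the reversible-encryption bit, using a server-side LDAP bit match so that it works without the ActiveDirectory module, and then, where RSAT is installed, checks the default domain password policy and any fine-grained password policies for the same setting. It assumes it runs as a domain user on a domain-joined host.

```powershell
# Added example (not from the ATT&CK page or Microsoft): find accounts and policies
# that permit reversible password encryption. Assumes a domain-joined host and a
# domain user context; the AD-module checks are skipped if RSAT is absent.

# userAccountControl bit for "Store password using reversible encryption".
$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80   # ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) lets the DC test the bit,
# so no client-side paging of every user object is needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(userAccountControl:1.2.840.113556.1.4.803:=$ENCRYPTED_TEXT_PWD_ALLOWED))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'userAccountControl'))

$flaggedAccounts = foreach ($result in $searcher.FindAll()) {
    [pscustomobject]@{
        Account = [string]$result.Properties['samaccountname'][0]
        DN      = [string]$result.Properties['distinguishedname'][0]
        UAC     = ('0x{0:X}' -f [int]$result.Properties['useraccountcontrol'][0])
    }
}

# The per-account bit is only half the picture: the default domain policy or a
# fine-grained password policy can enable reversible storage for everyone it covers.
$policyFindings = @()
if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
    if ((Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled) {
        $policyFindings += 'Default Domain Password Policy'
    }
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object ReversibleEncryptionEnabled |
        ForEach-Object { $policyFindings += "FGPP '$($_.Name)' applies to: $($_.AppliesTo -join ', ')" }
}

"Accounts with reversible encryption enabled: $(@($flaggedAccounts).Count)"
$flaggedAccounts | Format-Table -AutoSize
"Policies enabling reversible encryption: $($policyFindings.Count)"
$policyFindings
```

Any account or policy the script lists should be traced to the application that requires it; if none does, clear the flag and force a password change, since passwords already stored reversibly remain recoverable until they are reset.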
M1022 Restrict File and Directory Permissions
Restrict write access to the /Library/Security/SecurityAgentPlugins directory.
M1018 User Account Management
Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.
M1026 Privileged Account Management
Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be a
M1025 Privileged Process Integrity
Enable features such as Protected Process Light (PPL) for LSA, so that only signed, Microsoft-approved code can be loaded into or interact with lsass.exe.(Citation: Microsoft LSA)
M1047 Audit
Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.
Periodically review the hybrid identity solution in use for any discrepancies. For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones.(Citation: Mandiant Azure AD Backdoors) If ADFS is in use, review DLLs
M1028 Operating System Configuration
Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer, with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages; any entry that is not accounted for by a known product should be treated as suspect, because every DLL named there receives cleartext passwords on each change.
Starting in Windows 11 22H2, the EnableMPRNotifications policy can be disabled through Grou
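The PowerShell script below is an added example, not part of the ATT&CK page or of Microsoft's documentation. It audits, in one pass, the host-side settings that M1024, M1025 and M1028 describe: the LSA Notification Packages list (password filters), the RunAsPPL value (LSA protection), the network provider order and each provider's DLL, the ACL on the provider order key, and the EnableMPRNotifications policy value. It assumes it runs elevated on the host being checked (a domain controller for password filters), that the "expected" package and provider lists reflect a default install and are tuned to the environment, and that EnableMPRNotifications lives under the Policies\System key written by the "Enable MPR notifications for the system" policy, which should be confirmed against your ADMX.

```powershell
# Added example (not from the ATT&CK page or Microsoft): audit the LSA and network
# provider settings described by M1024, M1025 and M1028. Run elevated on the host
# being checked. The "expected" lists are an assumed default-install baseline.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$orderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$expectedPackages  = @('scecli', 'rassfm')                        # assumed baseline (rassfm is DC-only)
$expectedProviders = @('RDPNP', 'LanmanWorkstation', 'webclient') # assumed baseline
$trustedWriters    = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller)$'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($area, $entry, $detail) {
    $findings.Add([pscustomobject]@{ Area = $area; Entry = $entry; Detail = $detail })
}
function Get-SignatureStatus($path) {
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'MISSING' }
    return (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
}

# 1. Password filters (T1556.002): each name in "Notification Packages" is a DLL that
#    LSASS loads from System32 and hands every cleartext password change to.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
foreach ($pkg in @($packages) | Where-Object { $_ }) {
    $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $sig = Get-SignatureStatus $dll
    if ($expectedPackages -notcontains $pkg) { Add-Finding 'Notification Packages' $pkg "unexpected package ($dll, signature: $sig)" }
    elseif ($sig -ne 'Valid')                { Add-Finding 'Notification Packages' $pkg "signature $sig on $dll" }
}

# 2. LSA protection (M1025): RunAsPPL=1 keeps unsigned code out of lsass.exe.
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
if ($runAsPpl -ne 1) { Add-Finding 'LSA' 'RunAsPPL' "value is '$runAsPpl' (expected 1)" }

# 3. Network providers (T1556.008): ProviderOrder names services whose
#    NetworkProvider\ProviderPath DLL is called by MPR with logon credentials.
$order = (Get-ItemProperty -Path $orderKey -Name 'ProviderOrder').ProviderOrder -split ','
foreach ($prov in $order | Where-Object { $_ }) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$prov\NetworkProvider"
    $raw  = (Get-ItemProperty -Path $svcKey -Name 'ProviderPath' -ErrorAction SilentlyContinue).ProviderPath
    $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
    $sig  = Get-SignatureStatus $path
    if ($expectedProviders -notcontains $prov) { Add-Finding 'ProviderOrder' $prov "unexpected provider ($path, signature: $sig)" }
    elseif ($sig -ne 'Valid')                  { Add-Finding 'ProviderOrder' $prov "signature $sig on $path" }
}

# 4. Who may rewrite the provider order (M1024)? Any writer outside the trusted set is a finding.
foreach ($ace in (Get-Acl -Path $orderKey).Access) {
    $canWrite = $ace.RegistryRights.ToString() -match 'SetValue|CreateSubKey|WriteKey|FullControl'
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $ace.IdentityReference.Value -notmatch $trustedWriters) {
        Add-Finding 'Order key ACL' $ace.IdentityReference.Value "has $($ace.RegistryRights)"
    }
}

# 5. MPR notifications (Windows 11 22H2+): 0 stops network providers being told about
#    logons at all. Value location is assumed from the "Enable MPR notifications for
#    the system" policy; confirm it against your ADMX before relying on this check.
$mpr = (Get-ItemProperty -Path $policyKey -Name 'EnableMPRNotifications' -ErrorAction SilentlyContinue).EnableMPRNotifications
if ($mpr -ne 0) { Add-Finding 'Policy' 'EnableMPRNotifications' "value is '$mpr' (0 disables MPR logon notifications)" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A third-party password filter or network provider that is legitimately deployed will show up as "unexpected" until it is added to the baseline lists; the point of the script is that every entry must be explicitly accounted for, and that a valid Authenticode signature on the DLL is required even for names that are on the list.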
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous ap... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) can intercept private keys using a trojanized <code>ssh-add</code> function.(Citation: ESET Ebury Feb... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a reg... |
| S0487 | Kessel | Malware | [Kessel](https://attack.mitre.org/software/S0487) has trojanized the <code>ssh_login</code> and <code>user-auth_pubkey</code> functions to steal plain... |
| S9013 | DRYHOOK | Malware | [DRYHOOK](https://attack.mitre.org/software/S9013) has intercepted and logged user credentials by modifying the Perl module in Ivanti Connect Secure V... |
Frequently Asked Questions
What is T1556 (Modify Authentication Process)?
T1556 is a MITRE ATT&CK technique named 'Modify Authentication Process'. It belongs to the Credential Access, Defense Evasion and Persistence tactics. Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such...
How can T1556 be detected?
Detection of T1556 (Modify Authentication Process) focuses on changes to the components named above: new or altered entries in the LSA Notification Packages and NetworkProvider\Order Registry keys, unexpected or unsigned DLLs loaded by lsass.exe, new PAM modules or edited PAM configuration on Unix-based systems, new plugins under /Library/Security/SecurityAgentPlugins on macOS, accounts or policies with reversible encryption enabled, unapproved PTA agents or ADFS DLLs in hybrid identity deployments, and MFA enrollment or conditional access policy changes. Collect these through endpoint telemetry, Registry and file integrity monitoring and authentication logs, and alert on deviations from a known baseline rather than on generic "suspicious activity".
What mitigations exist for T1556?
There are 9 documented mitigations for T1556. Key mitigations include: Restrict Registry Permissions, Multi-factor Authentication, Password Policies, Restrict File and Directory Permissions, User Account Management.
Which threat groups use T1556?
Known threat groups using T1556 include: FIN13.