T1556 Modify Authentication Process

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.

Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1556 Modify Authentication Process
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1556 Modify Authentication Process
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.AA-05.02 Privileged system access Mitigates T1556 Modify Authentication Process
      Comments
      This diagnostic statement protects against Modify Authentication Process through the use of privileged account management and the use of multi-factor authentication.
      References
        DE.CM-09.01 Software and data integrity checking Mitigates T1556 Modify Authentication Process
        Comments
        This diagnostic statement protects against Modify Authentication Process through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
        References
          DE.CM-06.02 Third-party access monitoring Mitigates T1556 Modify Authentication Process
          Comments
          This diagnostic statement protects against Modify Authentication Process through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
          References
            PR.AA-02.01 Authentication of identity Mitigates T1556 Modify Authentication Process
            Comments
            This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials.
            References
              DE.CM-09.03 Unauthorized software, hardware, or configuration changes Mitigates T1556 Modify Authentication Process
              Comments
              This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
              References
                PR.PS-01.03 Configuration deviation Mitigates T1556 Modify Authentication Process
                Comments
                This diagnostic statement provides protection from Modify Authentication Process through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
                References
                  PR.PS-01.07 Cryptographic keys and certificates Mitigates T1556 Modify Authentication Process
                  Comments
                  This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify authentication processes.
                  References
                    DE.CM-03.03 Privileged account monitoring Mitigates T1556 Modify Authentication Process
                    Comments
                    This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
                    References
                      PR.AA-01.02 Physical and logical access Mitigates T1556 Modify Authentication Process
                      Comments
                      This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
                      References
                        PR.AA-03.01 Authentication requirements Mitigates T1556 Modify Authentication Process
                        Comments
                        This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
                        References
                          PR.IR-01.05 Remote access protection Mitigates T1556 Modify Authentication Process
                          Comments
                          This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
                          References
                            PR.AA-01.01 Identity and credential management Mitigates T1556 Modify Authentication Process
                            Comments
                            This diagnostic statement protects against Modify Authentication Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
                            References

                              NIST 800-53 Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              CA-07 Continuous Monitoring mitigates T1556 Modify Authentication Process
                              CM-06 Configuration Settings mitigates T1556 Modify Authentication Process
                              CM-05 Access Restrictions for Change mitigates T1556 Modify Authentication Process
                              IA-05 Authenticator Management mitigates T1556 Modify Authentication Process
                              IA-13 Identity Providers and Authorization Servers mitigates T1556 Modify Authentication Process
                              SC-39 Process Isolation mitigates T1556 Modify Authentication Process
                              SI-07 Software, Firmware, and Information Integrity mitigates T1556 Modify Authentication Process
                              AC-20 Use of External Systems mitigates T1556 Modify Authentication Process
                              CM-02 Baseline Configuration mitigates T1556 Modify Authentication Process
                              IA-02 Identification and Authentication (Organizational Users) mitigates T1556 Modify Authentication Process
                              CM-07 Least Functionality mitigates T1556 Modify Authentication Process
                              SI-04 System Monitoring mitigates T1556 Modify Authentication Process
                              AC-02 Account Management mitigates T1556 Modify Authentication Process
                              AC-03 Access Enforcement mitigates T1556 Modify Authentication Process
                              AC-05 Separation of Duties mitigates T1556 Modify Authentication Process
                              AC-06 Least Privilege mitigates T1556 Modify Authentication Process
                              AC-07 Unsuccessful Logon Attempts mitigates T1556 Modify Authentication Process

                              VERIS Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1556 Modify Authentication Process
                              action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1556 Modify Authentication Process
                              attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556 Modify Authentication Process
                              attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556 Modify Authentication Process

                              Azure Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              microsoft_sentinel Microsoft Sentinel technique_scores T1556 Modify Authentication Process
                              Comments
                              The Microsoft Sentinel Hunting "Azure DevOps Conditional Access Disabled" query can identify potentially malicious modifications of the DevOps access policy. The Microsoft Sentinel Analytics "MFA disabled for a user" and "GitHub Two Factor Auth Disable" queries can detect potentially malicious changes in multi-factor authentication settings.
                              References
                              file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1556 Modify Authentication Process
                              Comments
                              This control is effective for detecting the Registry and file system artifacts that are generated during the execution of some variations of this technique while minimizing false positives due to the locations being monitored changing infrequently (e.g. /etc/pam.d/).
                              References
                              ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1556 Modify Authentication Process
                              Comments
                              This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-techniques of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.
                              References
                              azure_role_based_access_control Azure Role-Based Access Control technique_scores T1556 Modify Authentication Process
                              Comments
                              This control can protect against modification of the authentication process by limiting access.
                              References

                              GCP Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              advanced_protection_program Advanced Protection Program technique_scores T1556 Modify Authentication Process
                              Comments
                              Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
                              References
                              identity_platform Identity Platform technique_scores T1556 Modify Authentication Process
                              Comments
                              Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can be used to restrict access to cloud resources and APIs and provide protection against an adversaries that try to access user credentials.
                              References

                              M365 Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              PUR-AUS-E5 Audit Solutions Technique Scores T1556 Modify Authentication Process
                              Comments
                              Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions protects from Modify Authentication Process attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended. License Requirements: Microsoft 365 E3 and E5
                              References
                              DEF-ID-E5 Microsoft Defender for Identity Technique Scores T1556 Modify Authentication Process
                              Comments
                              This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.
                              References
                              DEF-SECA-E3 Security Alerts Technique Scores T1556 Modify Authentication Process
                              Comments
                              Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
                              References
                              EID-IDPR-E5 ID Protection Technique Scores T1556 Modify Authentication Process
                              Comments
                              During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
                              References
                              DEF-IR-E5 Incident Response Technique Scores T1556 Modify Authentication Process
                              Comments
                              An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action. Microsoft 365 Defender Incident Response responds to Modify Authentication Process attacks due to Incident Response monitoring for newly created files, suspicious modification of files, and newly constructed logon behavior across systems that share accounts. License Requirements: Microsoft Defender XDR
                              References
                              EID-RBAC-E3 Role Based Access Control Technique Scores T1556 Modify Authentication Process
                              Comments
                              The RBAC control can be used to limit cloud accounts with authentication modification relevant privileges, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives a score of minimal. License Requirements: ME-ID Built-in Roles (Free)
                              References
                              DEF-ATH-E5 Advanced Threat Hunting Technique Scores T1556 Modify Authentication Process
                              Comments
                              Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting Detects Modify-Authentication Process attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
                              References
                              DEF-APGV-E5 App Governance Technique Scores T1556 Modify Authentication Process
                              Comments
                              App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization App Governance Detects Modify Authentication attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's. License Requirements: Microsoft Defender for Cloud Apps
                              References
                              EID-PIM-E5 Privileged Identity Management Technique Scores T1556 Modify Authentication Process
                              Comments
                              The PIM control significantly protects against the modification of Multi-Factor Authentication by placing limitations and restrictions on relevant privileged accounts. However, this is overall Minimal coverage relative to the all the technique's sub-techniques. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
                              References

                              ATT&CK Subtechniques

                              Technique ID Technique Name Number of Mappings
                              T1556.003 Pluggable Authentication Modules 22
                              T1556.002 Password Filter DLL 7
                              T1556.007 Hybrid Identity 17
                              T1556.008 Network Provider DLL 16
                              T1556.006 Multi-Factor Authentication 22
                              T1556.009 Conditional Access Policies 19
                              T1556.001 Domain Controller Authentication 28
                              T1556.005 Reversible Encryption 10
                              T1556.004 Network Device Authentication 24