Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
PR.PS-01.02 | Least functionality | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
PR.AA-05.02 | Privileged system access | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of privileged account management and the use of multi-factor authentication.
References
|
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
PR.AA-02.01 | Authentication of identity | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials.
References
|
DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1556 | Modify Authentication Process |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
References
|
PR.PS-01.03 | Configuration deviation | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides protection from Modify Authentication Process through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify authentication processes.
References
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
PR.AA-01.02 | Physical and logical access | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
PR.AA-03.01 | Authentication requirements | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
PR.IR-01.05 | Remote access protection | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
PR.AA-01.01 | Identity and credential management | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1556 | Modify Authentication Process | |
action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1556 | Modify Authentication Process | |
attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1556 | Modify Authentication Process | |
attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1556 | Modify Authentication Process |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1556 | Modify Authentication Process |
Comments
The Microsoft Sentinel Hunting "Azure DevOps Conditional Access Disabled" query can identify potentially malicious modifications of the DevOps access policy.
The Microsoft Sentinel Analytics "MFA disabled for a user" and "GitHub Two Factor Auth Disable" queries can detect potentially malicious changes in multi-factor authentication settings.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1556 | Modify Authentication Process |
Comments
This control is effective for detecting the Registry and file system artifacts that are generated during the execution of some variations of this technique while minimizing false positives due to the locations being monitored changing infrequently (e.g. /etc/pam.d/).
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1556 | Modify Authentication Process |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-techniques of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1556 | Modify Authentication Process |
Comments
This control can protect against modification of the authentication process by limiting access.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
advanced_protection_program | Advanced Protection Program | technique_scores | T1556 | Modify Authentication Process |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
References
|
identity_platform | Identity Platform | technique_scores | T1556 | Modify Authentication Process |
Comments
Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can be used to restrict access to cloud resources and APIs and provide protection against an adversaries that try to access user credentials.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PUR-AUS-E5 | Audit Solutions | Technique Scores | T1556 | Modify Authentication Process |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Modify Authentication Process attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.
License Requirements:
Microsoft 365 E3 and E5
References
|
DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1556 | Modify Authentication Process |
Comments
This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.
References
|
DEF-SECA-E3 | Security Alerts | Technique Scores | T1556 | Modify Authentication Process |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use
of Microsoft Defender XDR.
References
|
EID-IDPR-E5 | ID Protection | Technique Scores | T1556 | Modify Authentication Process |
Comments
During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.
Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.
License Requirements:
Microsoft Entra ID P2
References
|
DEF-IR-E5 | Incident Response | Technique Scores | T1556 | Modify Authentication Process |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Modify Authentication Process attacks due to Incident Response monitoring for newly created files, suspicious modification of files, and newly constructed logon behavior across systems that share accounts.
License Requirements:
Microsoft Defender XDR
References
|
EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1556 | Modify Authentication Process |
Comments
The RBAC control can be used to limit cloud accounts with authentication modification relevant privileges, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives a score of minimal.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
DEF-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1556 | Modify Authentication Process |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Modify-Authentication Process attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|
DEF-APGV-E5 | App Governance | Technique Scores | T1556 | Modify Authentication Process |
Comments
App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization
App Governance Detects Modify Authentication attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.
License Requirements:
Microsoft Defender for Cloud Apps
References
|
EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1556 | Modify Authentication Process |
Comments
The PIM control significantly protects against the modification of Multi-Factor Authentication by placing limitations and restrictions on relevant privileged accounts. However, this is overall Minimal coverage relative to the all the technique's sub-techniques.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1556.003 | Pluggable Authentication Modules | 22 |
T1556.002 | Password Filter DLL | 7 |
T1556.007 | Hybrid Identity | 17 |
T1556.008 | Network Provider DLL | 16 |
T1556.006 | Multi-Factor Authentication | 22 |
T1556.009 | Conditional Access Policies | 19 |
T1556.001 | Domain Controller Authentication | 28 |
T1556.005 | Reversible Encryption | 10 |
T1556.004 | Network Device Authentication | 24 |