Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1556 | Modify Authentication Process |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| IAM-14 | Strong Authentication | mitigates | T1556 | Modify Authentication Process |
Comments
This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access, implement secure centralized authentication systems and digital certificates, protect credentials, monitor authentication activity, and ensure strong, risk-based authentication measures are consistently applied and reviewed.
References
|
| I&S-04 | OS Hardening and Base Controls | mitigates | T1556 | Modify Authentication Process |
Comments
This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Restricting access to cloud resources and APIs can reduce the risk of adversaries modifying authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
References
|
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1556 | Modify Authentication Process |
Comments
This control includes account management controls such as enabling multi-factor authentication (MFA), which can help prevent adversaries from modifying or manipulating authentication mechanisms.
References
|
| IAM-05 | Least Privilege | mitigates | T1556 | Modify Authentication Process |
Comments
This control describes the enforcement of the principle of least privilege implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and by limiting access to sensitive data.
For this technique, in terms of mitigation, ensure that proper cloud policies are implemented to dictate the the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.
References
|
| IAM-02 | Strong Password Policy and Procedures | mitigates | T1556 | Modify Authentication Process |
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes.
For this technique, adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. In terms of mitigation, integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials, then attempting to modify the authentication process that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1556.007 | Hybrid Identity | 8 |
| T1556.006 | Multi-Factor Authentication | 3 |
| T1556.009 | Conditional Access Policies | 6 |