Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows or pluggable authentication modules (PAM) on Unix-based systems, responsible for gathering, storing, and validating credentials.
Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1556 | Modify Authentication Process | |
AC-20 | Use of External Systems | Protects | T1556 | Modify Authentication Process | |
AC-3 | Access Enforcement | Protects | T1556 | Modify Authentication Process | |
AC-5 | Separation of Duties | Protects | T1556 | Modify Authentication Process | |
AC-6 | Least Privilege | Protects | T1556 | Modify Authentication Process | |
AC-7 | Unsuccessful Logon Attempts | Protects | T1556 | Modify Authentication Process | |
CA-7 | Continuous Monitoring | Protects | T1556 | Modify Authentication Process | |
CM-5 | Access Restrictions for Change | Protects | T1556 | Modify Authentication Process | |
CM-6 | Configuration Settings | Protects | T1556 | Modify Authentication Process | |
CM-7 | Least Functionality | Protects | T1556 | Modify Authentication Process | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1556 | Modify Authentication Process | |
IA-5 | Authenticator Management | Protects | T1556 | Modify Authentication Process | |
SC-39 | Process Isolation | Protects | T1556 | Modify Authentication Process | |
SI-4 | System Monitoring | Protects | T1556 | Modify Authentication Process | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1556 | Modify Authentication Process | |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1556 | Modify Authentication Process | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Because it is only a recommendation and provides minimal coverage, its score is assessed as Minimal. |
azure_sentinel | Azure Sentinel | technique_scores | T1556 | Modify Authentication Process | The Azure Sentinel Hunting "Azure DevOps Conditional Access Disabled" query can identify potentially malicious modifications of the DevOps access policy. The Azure Sentinel Analytics "MFA disabled for a user" and "GitHub Two Factor Auth Disable" queries can detect potentially malicious changes in multi-factor authentication settings. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1556 | Modify Authentication Process | This control provides minimal detection for one of this technique's sub-techniques and none for the remaining ones, resulting in a Minimal score. |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1556 | Modify Authentication Process | This control is effective for detecting the Registry and file system artifacts generated during the execution of some variations of this technique, while minimizing false positives because the monitored locations (e.g. /etc/pam.d/) change infrequently. |
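The baseline-and-compare check that File Integrity Monitoring performs over a low-churn location such as /etc/pam.d/, as an added example (not code from the mapping project or from any FIM product): it hashes every file in a directory, then reports files that were added, removed or modified since the baseline. The directory contents and PAM lines are constructed in a temporary directory; `pam_example.so` is a placeholder module name.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory: Path) -> dict[str, str]:
    """Map each regular file under the directory (relative path) to its SHA-256."""
    return {
        str(p.relative_to(directory)): hash_file(p)
        for p in sorted(directory.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two snapshots as added, removed or modified files."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a temp dir stands in for /etc/pam.d/ and is then changed."""
    with tempfile.TemporaryDirectory() as tmp:
        pamd = Path(tmp)
        (pamd / "sshd").write_text("auth required pam_unix.so\n")
        (pamd / "common-auth").write_text("auth required pam_unix.so nullok_secure\n")
        baseline = snapshot(pamd)  # taken once, when the host is known-good
        # Constructed drift: one service file edited, one added, one removed
        (pamd / "sshd").write_text("auth required pam_unix.so\nauth optional pam_example.so\n")
        (pamd / "new-service").write_text("auth required pam_example.so\n")
        (pamd / "common-auth").unlink()
        return compare(baseline, snapshot(pamd))
```

Because /etc/pam.d/ changes only with package upgrades or deliberate administration, any non-empty result from `compare` is worth an alert rather than a review of noise.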
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1556.001 | Domain Controller Authentication | 15 |
T1556.004 | Network Device Authentication | 13 |
T1556.002 | Password Filter DLL | 4 |
T1556.003 | Pluggable Authentication Modules | 14 |