T1556.004 Network Device Authentication Mappings

Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.

Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1556.004 Network Device Authentication
AC-20 Use of External Systems Protects T1556.004 Network Device Authentication
AC-3 Access Enforcement Protects T1556.004 Network Device Authentication
AC-5 Separation of Duties Protects T1556.004 Network Device Authentication
AC-6 Least Privilege Protects T1556.004 Network Device Authentication
AC-7 Unsuccessful Logon Attempts Protects T1556.004 Network Device Authentication
CM-2 Baseline Configuration Protects T1556.004 Network Device Authentication
CM-5 Access Restrictions for Change Protects T1556.004 Network Device Authentication
CM-6 Configuration Settings Protects T1556.004 Network Device Authentication
IA-2 Identification and Authentication (organizational Users) Protects T1556.004 Network Device Authentication
IA-5 Authenticator Management Protects T1556.004 Network Device Authentication
SI-4 System Monitoring Protects T1556.004 Network Device Authentication
SI-7 Software, Firmware, and Information Integrity Protects T1556.004 Network Device Authentication
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.004 Modify Authentication Process: Network Device Authentication
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.004 Modify Authentication Process: Network Device Authentication