Skip to content

DET0104 Detect Modification of Authentication Processes Across Platforms

Item Value
ID DET0104
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1556 (Modify Authentication Process)

Analytics

Windows

AN0287

Detects modification of LSASS and authentication DLLs, suspicious registry changes to password filter packages, and abnormal process access to lsass.exe. Correlates registry modifications, DLL loads, and process handle access events.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Mutable Elements
Field Description
MonitoredRegistryKeys Specific LSASS and password filter registry paths monitored for modification.
TimeWindow Correlation window between registry change, DLL load, and lsass.exe access.

Linux

AN0288

Detects modification of PAM configuration files, unauthorized new PAM modules, and suspicious process execution accessing PAM-related binaries. Correlates file modification events in /etc/pam.d/ with process execution of unauthorized binaries.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open, write
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
WatchedPaths Critical PAM directories and configuration files monitored for modification.

macOS

AN0289

Detects unauthorized additions or changes to /Library/Security/SecurityAgentPlugins and suspicious process activity attempting to hook authentication APIs. Correlates file modifications with abnormal plugin loads in authentication flows.

Log Sources
Data Component Name Channel
File Modification (DC0061) macos:unifiedlog SecurityAgentPlugins modification
Process Access (DC0035) macos:osquery process_open
Mutable Elements
Field Description
PluginPaths List of approved authentication plugin directories to baseline.

Identity Provider

AN0290

Detects suspicious configuration changes in IdP authentication flows such as enabling reversible password encryption, MFA bypass, or policy weakening. Correlates policy modification events with unusual administrative activity.

Log Sources
Data Component Name Channel
Cloud Service Modification (DC0069) azure:policy UpdatePolicy
User Account Modification (DC0010) m365:unified Set-ADUser OR Set-ADAccountControl
Mutable Elements
Field Description
PolicyBaseline Expected authentication-related policy configurations to compare against.

IaaS

AN0291

Detects unauthorized changes to IAM authentication configurations such as disabling MFA, creating backdoor access keys, or altering trust policies. Correlates identity policy updates with unusual login behavior.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) AWS:CloudTrail UpdateLoginProfile
Cloud Service Modification (DC0069) AWS:CloudTrail UpdateAccountPasswordPolicy
Mutable Elements
Field Description
ApprovedAccounts Baseline list of service accounts expected to modify IAM authentication policies.