DET0272 Detect Modification of Network Device Authentication via Patched System Images

| Item | Value |
| --- | --- |
| ID | DET0272 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1556.004 (Network Device Authentication)

Analytics

Network Devices

AN0758

Detects unauthorized modification of network device authentication by correlating OS image file changes, checksum mismatches, or memory verification failures with anomalous authentication events. Focus is on behaviors where patched images introduce hardcoded passwords or bypass native authentication.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Modification (DC0061) | networkconfig | unexpected OS image file upload or modification events |
| User Account Authentication (DC0002) | network:auth | repeated successful authentications with previously unknown accounts or anomalous password acceptance |

Mutable Elements

| Field | Description |
| --- | --- |
| BaselineChecksums | Trusted baseline cryptographic hashes for OS images, used to detect unauthorized modifications. |
| AuthFailureThreshold | Threshold for correlating unusual authentication successes following failed attempts or unknown account use. |
| VerificationInterval | Frequency of runtime OS image and memory integrity checks. |
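
The AN0758 correlation sketched in Python, as an added example that is not part of the original page or its publisher's own analytic. The event schema, the `ev` helper, the `KNOWN_ACCOUNTS` inventory, the 24-hour `CORRELATION_WINDOW` and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Names mirror the page's mutable elements; every value here is constructed.
BASELINE_CHECKSUMS = {"edge-rtr-01": "a" * 64, "core-sw-02": "c" * 64}
AUTH_FAILURE_THRESHOLD = 3                # failures that make a later success suspicious
KNOWN_ACCOUNTS = {"netops", "backup"}     # assumption: inventory of expected accounts
CORRELATION_WINDOW = timedelta(hours=24)  # assumption: the page defines no window

def ev(ts, device, kind, **fields):
    return {"ts": "2025-10-21T" + ts, "device": device, "type": kind, **fields}

# Constructed, pre-normalized events (image verification results and auth logs).
EVENTS = [
    ev("02:00:00", "edge-rtr-01", "image_verify", sha256="b" * 64),  # mismatch
    ev("02:30:00", "edge-rtr-01", "auth", user="svc_diag", result="success"),
    ev("03:00:00", "edge-rtr-01", "auth", user="netops", result="failure"),
    ev("03:00:20", "edge-rtr-01", "auth", user="netops", result="failure"),
    ev("03:00:40", "edge-rtr-01", "auth", user="netops", result="failure"),
    ev("03:01:00", "edge-rtr-01", "auth", user="netops", result="success"),
    ev("02:00:00", "core-sw-02", "image_verify", sha256="c" * 64),   # matches baseline
    ev("02:10:00", "core-sw-02", "auth", user="tmpadmin", result="success"),
]

def image_alerts(events):
    """Image verification results whose hash differs from the trusted baseline."""
    return [e for e in events if e["type"] == "image_verify"
            and e["sha256"] != BASELINE_CHECKSUMS.get(e["device"])]

def suspicious_auths(events):
    """Successes by unknown accounts, or following >= threshold failures."""
    hits, failures = [], {}
    for e in sorted((e for e in events if e["type"] == "auth"), key=lambda e: e["ts"]):
        key = (e["device"], e["user"])
        if e["result"] == "failure":
            failures[key] = failures.get(key, 0) + 1
            continue
        unknown = e["user"] not in KNOWN_ACCOUNTS
        if unknown or failures.get(key, 0) >= AUTH_FAILURE_THRESHOLD:
            hits.append((e, "unknown account" if unknown else "success after repeated failures"))
        failures[key] = 0  # a success resets the failure streak for this account
    return hits

def correlate(events):
    """Pair each image alert with suspicious auths on the same device inside the window."""
    alerts = [(e["device"], datetime.fromisoformat(e["ts"])) for e in image_alerts(events)]
    auths = suspicious_auths(events)
    return [(dev, a["user"], why) for dev, t0 in alerts for a, why in auths
            if a["device"] == dev
            and timedelta(0) <= datetime.fromisoformat(a["ts"]) - t0 <= CORRELATION_WINDOW]
```

The unknown-account login on `core-sw-02` is deliberately not reported by `correlate`, because that device's image hash matches its baseline; it would still surface from `suspicious_auths` alone.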