T1556.004 Network Device Authentication
Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.1
| Item | Value |
|---|---|
| ID | T1556.004 |
| Sub-techniques | T1556.001, T1556.002, T1556.003, T1556.004, T1556.005, T1556.006, T1556.007, T1556.008 |
| Tactics | TA0006, TA0005, TA0003 |
| Platforms | Network |
| Permissions required | Administrator |
| Version | 2.0 |
| Created | 19 October 2020 |
| Last Modified | 14 December 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0519 | SYNful Knock | SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.1 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. 4 |
| M1026 | Privileged Account Management | Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0022 | File | File Modification |
References
-
Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. ↩↩
-
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020. ↩
-
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. ↩
-
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020. ↩