T1556 Modify Authentication Process
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
||T1556.001, T1556.002, T1556.003, T1556.004, T1556.005, T1556.006, T1556.007, T1556.008
||TA0006, TA0005, TA0003
||Azure AD, Google Workspace, IaaS, Linux, Network, Office 365, SaaS, Windows, macOS
||11 February 2020
||11 April 2023
||Ebury can intercept private keys using a trojanized
||Kessel has trojanized the ssh_login and user-auth_pubkey functions to steal plaintext credentials.
||SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook.
||Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.
||Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
||Operating System Configuration
||Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in
AllowReversiblePasswordEncryption property is set to disabled unless there are application requirements.
||Privileged Account Management
||Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
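One way to run the local-account part of that audit on a Windows host, added here as an example and not code from the ATT&CK page. It assumes an elevated PowerShell 5.1 or later session; the two baseline lists ($ApprovedAccounts, $ApprovedAdmins) are constructed placeholders to be replaced with the host's approved set, and the function name Get-LocalAccountFindings is the author's own.

```powershell
# Added example (not the ATT&CK page's own code): flag enabled local accounts,
# enabled built-in accounts and Administrators-group members that fall outside a
# team-maintained baseline, and list recent account creations from the Security log.

$ApprovedAccounts = @('Administrator', 'svc-backup')        # constructed placeholder
$ApprovedAdmins   = @("$env:COMPUTERNAME\Administrator")    # constructed placeholder

function Get-LocalAccountFindings {
    param([string[]]$Accounts, [string[]]$Admins, [int]$LookbackDays = 30)
    $findings = [System.Collections.Generic.List[object]]::new()

    # Well-known RIDs of built-in local accounts: 500 Administrator, 501 Guest,
    # 503 DefaultAccount, 504 WDAGUtilityAccount. Guest and the last two ship
    # disabled, so an enabled one that is not in the baseline deserves a question.
    $builtinRids = 500, 501, 503, 504

    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled) { continue }
        $rid = [int](($u.SID.Value -split '-')[-1])
        if ($u.Name -in $Accounts) { continue }
        $issue = if ($rid -in $builtinRids) { 'Built-in account enabled' } else { 'Enabled account not in baseline' }
        $findings.Add([pscustomobject]@{
            Account         = $u.Name
            Issue           = $issue
            PasswordLastSet = $u.PasswordLastSet
        })
    }

    # Membership of the local Administrators group is the privilege that matters most;
    # Get-LocalGroupMember also returns domain principals (PrincipalSource = ActiveDirectory).
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.Name -notin $Admins) {
            $findings.Add([pscustomobject]@{
                Account         = $m.Name
                Issue           = "Unexpected Administrators member (source: $($m.PrincipalSource))"
                PasswordLastSet = $null
            })
        }
    }

    # Event ID 4720 ("A user account was created") covers accounts created and
    # later hidden or disabled. Properties[0] is TargetUserName for this event.
    $created = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue
    foreach ($e in $created) {
        $findings.Add([pscustomobject]@{
            Account         = $e.Properties[0].Value
            Issue           = "Account created $($e.TimeCreated) (verify authorization)"
            PasswordLastSet = $null
        })
    }

    return $findings
}

Get-LocalAccountFindings -Accounts $ApprovedAccounts -Admins $ApprovedAdmins | Format-Table -AutoSize
```

Everything is returned as objects rather than printed, so the same function can feed a scheduled task that writes findings to a SIEM or compares against the previous run.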
||Privileged Process Integrity
||Enable features, such as Protected Process Light (PPL), for LSA.
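A check for the LSA-side mitigations listed above (valid password filters, reversible-encryption policy, and PPL for LSA), added here as an example and not code from the ATT&CK page. It assumes an elevated PowerShell 5.1 or later session on the host being audited; the $baseline list of expected filter names (scecli, rassfm) is an assumption to be adjusted per build, the reversible-encryption check runs only when the ActiveDirectory module is present, and the function name Test-LsaHardening is the author's own.

```powershell
# Added example (not the ATT&CK page's own code): audit the LSA registry settings
# that the T1556 mitigations call out. Run elevated on the host being audited.

function Test-LsaHardening {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa      = Get-ItemProperty -Path $lsaKey
    $system32 = Join-Path $env:SystemRoot 'System32'
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Password filters. lsass.exe loads every name under "Notification Packages"
    #    from System32 as <name>.dll at boot, so each entry must exist there and
    #    carry a valid signature. The baseline below is an assumption: adjust it to
    #    what your build and role actually register.
    $baseline = @('scecli', 'rassfm')
    foreach ($name in @($lsa.'Notification Packages')) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $dll = Join-Path $system32 "$name.dll"
        if (-not (Test-Path -LiteralPath $dll)) {
            $findings.Add([pscustomobject]@{ Check = 'PasswordFilter'; Item = $name; Status = 'DLL missing from System32' })
            continue
        }
        # Get-AuthenticodeSignature checks embedded and catalog signatures on current Windows.
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid') {
            $status = "signature $($sig.Status)"
        } elseif ($name -notin $baseline) {
            $status = 'valid signature but not in baseline'
        } else {
            $status = 'ok'
        }
        $findings.Add([pscustomobject]@{ Check = 'PasswordFilter'; Item = "$name ($signer)"; Status = $status })
    }

    # 2. Protected Process Light for LSA: RunAsPPL must be present and non-zero.
    $ppl       = $lsa.RunAsPPL
    $pplStatus = if ($ppl) { 'ok' } else { 'PPL not enabled' }
    $findings.Add([pscustomobject]@{ Check = 'LsaPPL'; Item = "RunAsPPL=$ppl"; Status = $pplStatus })

    # 3. Reversible password encryption in the default domain policy, when the
    #    ActiveDirectory module is available on this host.
    if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
        $rev       = (Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled
        $revStatus = if ($rev) { 'enabled: review application requirements' } else { 'ok' }
        $findings.Add([pscustomobject]@{ Check = 'ReversibleEncryption'; Item = "ReversibleEncryptionEnabled=$rev"; Status = $revStatus })
    }

    return $findings
}

Test-LsaHardening | Format-Table -AutoSize
```

A filter entry whose DLL is missing, unsigned, or signed but absent from the baseline is the condition to investigate; the registry value itself is only half the picture, since the loaded module list of lsass.exe should match it as well.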
||Restrict File and Directory Permissions
||Restrict write access to the
||Restrict Registry Permissions
||Restrict Registry permissions to disallow the modification of sensitive Registry keys such as
||User Account Management
||Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.