T1556

Modify Authentication Process

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an au...

Platforms: Windows, Linux, macOS, Network Devices, IaaS, SaaS, Office Suite, Identity Provider

72 detections, 3 sources, 1 threat actor

BY SOURCE

41 elastic, 19 splunk_escu, 12 sigma

PROCEDURES (39)

The procedure groupings below are auto-extracted from the detection set; the count after each name is the number of detections assigned to it.

Authentication Monitoring (10 detections)
General Monitoring (9 detections)
Lateral (4 detections)
Aws (3 detections)
Azure (3 detections)
Registry (3 detections)
Credential (3 detections)
Api (2 detections)
Anomal (2 detections)
Bypass (2 detections)
Spray (2 detections)
Suspicious (2 detections)
Aws (1 detection)
Lateral (1 detection)
Cloud (1 detection)
Script Execution Monitoring (1 detection)
Bypass (1 detection)
Api (1 detection)
Unusual (1 detection)
Exfiltrat (1 detection)
Token (1 detection)
Persist (1 detection)
C2 (1 detection)
Bypass (1 detection)
Credential (1 detection)
Privilege (1 detection)
Token (1 detection)
Lateral (1 detection)
Unusual (1 detection)
Process Creation Monitoring (1 detection)
Credential (1 detection)
Service (1 detection)
C2 (1 detection)
Suspicious (1 detection)
Service (1 detection)
Service (1 detection)
Cloud (1 detection)
Exfiltrat (1 detection)
Suspicious (1 detection)

THREAT ACTORS (1)

DETECTIONS (72)

Each entry lists the detection name followed by its source and, where the source provides one, its severity.

Attempt to Deactivate an Okta Policy (elastic, low)
Attempt to Deactivate an Okta Policy Rule (elastic, medium)
Attempt to Delete an Okta Policy (elastic, medium)
Attempt to Modify an Okta Policy (elastic, low)
Attempt to Reset MFA Factors for an Okta User Account (elastic, low)
Authentication via Unusual PAM Grantor (elastic, medium)
Authorization Plugin Modification (elastic, medium)
AWS IAM Deactivation of MFA Device (elastic, medium)
AWS IAM Roles Anywhere Trust Anchor Created with External CA (elastic, medium)
AWS IAM Virtual MFA Device Registration Attempt with Session Token (elastic, medium)
AWS Identity Center Identity Provider Change (sigma, high)
AWS RDS DB Instance Made Public (elastic, medium)
AWS STS AssumeRole with New MFA Device (elastic, low)
CA Policy Removed by Non Approved Actor (sigma, medium)
CA Policy Updated by Non Approved Actor (sigma, medium)
Certificate-Based Authentication Enabled (sigma, medium)
Change to Authentication Method (sigma, medium)
Cisco Duo Admin Login Unusual Browser (splunk_escu)
Cisco Duo Admin Login Unusual Country (splunk_escu)
Cisco Duo Admin Login Unusual Os (splunk_escu)
Cisco Duo Bulk Policy Deletion (splunk_escu)
Cisco Duo Bypass Code Generation (splunk_escu)
Cisco Duo Policy Allow Devices Without Screen Lock (splunk_escu)
Cisco Duo Policy Allow Network Bypass 2FA (splunk_escu)
Cisco Duo Policy Allow Old Flash (splunk_escu)
Cisco Duo Policy Allow Old Java (splunk_escu)
Cisco Duo Policy Allow Tampered Devices (splunk_escu)
Cisco Duo Policy Bypass 2FA (splunk_escu)
Cisco Duo Policy Deny Access (splunk_escu)
Cisco Duo Policy Skip 2FA for Other Countries (splunk_escu)
Cisco Duo Set User Status to Bypass 2FA (splunk_escu)
Cisco Network Interface Modifications (splunk_escu)
Directory Service Restore Mode (DSRM) Registry Value Tampering (sigma, high)
Disabled MFA to Bypass Authentication Mechanisms (sigma, medium)
Disabling Windows Local Security Authority Defences via Registry (splunk_escu)
Entra ID Conditional Access Policy (CAP) Modified (elastic, medium)
Entra ID Domain Federation Configuration Change (elastic, high)
Entra ID External Authentication Methods (EAM) Modified (elastic, medium)
Entra ID MFA Disabled for User (elastic, medium)
Entra ID Protection - Risk Detection - Sign-in Risk (elastic, high)
Entra ID Protection - Risk Detection - User Risk (elastic, high)
Entra ID User Sign-in with Unusual Authentication Type (elastic, medium)
Github High Risk Configuration Disabled (sigma, high)
Google Workspace 2SV Policy Disabled (elastic, medium)
Google Workspace MFA Enforcement Disabled (elastic, medium)
MFA Deactivation with no Re-Activation for Okta User Account (elastic, low)
MFA Disabled for Google Workspace Organization (elastic, medium)
Mimikatz Memssp Log File Detected (elastic, high)
Modification or Removal of an Okta Application Sign-On Policy (elastic, medium)
Network Logon Provider Registry Modification (elastic, medium)
New Okta Identity Provider (IdP) Added by Admin (elastic, medium)
New Root Certificate Authority Added (sigma, medium)
O365 Disable MFA (splunk_escu)
O365 Excessive SSO logon errors (splunk_escu)
Okta Phishing Detection with FastPass Origin Check (splunk_escu)
Pluggable Authentication Module (PAM) Creation in Unusual Directory (elastic, low)
Pluggable Authentication Module (PAM) Source Download (elastic, medium)
Pluggable Authentication Module (PAM) Version Discovery (elastic, low)
Pluggable Authentication Module or Configuration Creation (elastic, medium)
Polkit Policy Creation (elastic, low)
Possible Shadow Credentials Added (sigma, high)
Potential Backdoor Execution Through PAM_EXEC (elastic, medium)
Potential Execution via SSH Backdoor (elastic, medium)
Potential OpenSSH Backdoor Logging Activity (elastic, low)
Potential Persistence via File Modification (elastic, low)
Potential Shadow Credentials added to AD Object (elastic, high)
Potential SSH Password Grabbing via strace (elastic, medium)
Renaming of OpenSSH Binaries (elastic, low)
Stolen Credentials Used to Login to Okta Account After MFA Reset (elastic, high)
Unusual Process Modifying GenAI Configuration File (elastic, medium)
User Added To Group With CA Policy Modification Access (sigma, medium)
User Removed From Group With CA Policy Modification Access (sigma, medium)