T1556

Modify Authentication Process

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an au...

Platforms: IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows

Detections: 77
Sources: 5
Threat Actors: 1

BY SOURCE

elastic: 42, splunk_escu: 19, sigma: 12, crowdstrike_cql: 2, kql: 2

PROCEDURES (41)

Auto-extracted groupings; each entry gives the grouping label and its detection count.

- Authentication Monitoring: 10 detections
- General Monitoring: 8 detections
- Bypass: 4 detections
- Credential: 3 detections
- Credential: 3 detections
- Unusual: 2 detections
- Api: 2 detections
- Azure: 2 detections
- Cloud: 2 detections
- Registry: 2 detections
- Spray: 2 detections
- Aws: 1 detection
- Bypass: 1 detection
- Service: 1 detection
- Suspicious: 1 detection
- Token: 1 detection
- Suspicious: 1 detection
- Suspicious: 1 detection
- Service: 1 detection
- Azure: 1 detection
- C2: 1 detection
- Aws: 1 detection
- Privilege: 1 detection
- Exfiltrat: 1 detection
- Exfiltrat: 1 detection
- Suspicious: 1 detection
- Persist: 1 detection
- Suspicious: 1 detection
- Credential: 1 detection
- Unusual: 1 detection
- Process Creation Monitoring: 1 detection
- Credential: 1 detection
- Exfiltrat: 1 detection
- Exfiltrat: 1 detection
- Credential: 1 detection
- Service: 1 detection
- Azure: 1 detection
- C2: 1 detection
- Token: 1 detection
- Inject: 1 detection
- Service: 1 detection

THREAT ACTORS (1)

DETECTIONS (77)

Each entry is listed as: detection name [source, severity where the source provides one].

- Account Password Not Required Changed (UAC Bypass) – Microsoft Defender for Identity [crowdstrike_cql]
- Attempt to Deactivate an Okta Policy [elastic, low]
- Attempt to Deactivate an Okta Policy Rule [elastic, medium]
- Attempt to Delete an Okta Policy [elastic, medium]
- Attempt to Modify an Okta Policy [elastic, low]
- Attempt to Reset MFA Factors for an Okta User Account [elastic, low]
- Authentication via Unusual PAM Grantor [elastic, medium]
- Authorization Plugin Modification [elastic, medium]
- AWS IAM Deactivation of MFA Device [elastic, medium]
- AWS IAM Roles Anywhere Trust Anchor Created with External CA [elastic, medium]
- AWS IAM Virtual MFA Device Registration Attempt with Session Token [elastic, medium]
- AWS Identity Center Identity Provider Change [sigma, high]
- AWS RDS DB Instance Made Public [elastic, medium]
- AWS STS AssumeRole with New MFA Device [elastic, low]
- CA Policy Removed by Non Approved Actor [sigma, medium]
- CA Policy Updated by Non Approved Actor [sigma, medium]
- Certificate-Based Authentication Enabled [sigma, medium]
- Change Conditional Access Policy [kql]
- Change to Authentication Method [sigma, medium]
- Cisco Duo Admin Login Unusual Browser [splunk_escu]
- Cisco Duo Admin Login Unusual Country [splunk_escu]
- Cisco Duo Admin Login Unusual Os [splunk_escu]
- Cisco Duo Bulk Policy Deletion [splunk_escu]
- Cisco Duo Bypass Code Generation [splunk_escu]
- Cisco Duo Policy Allow Devices Without Screen Lock [splunk_escu]
- Cisco Duo Policy Allow Network Bypass 2FA [splunk_escu]
- Cisco Duo Policy Allow Old Flash [splunk_escu]
- Cisco Duo Policy Allow Old Java [splunk_escu]
- Cisco Duo Policy Allow Tampered Devices [splunk_escu]
- Cisco Duo Policy Bypass 2FA [splunk_escu]
- Cisco Duo Policy Deny Access [splunk_escu]
- Cisco Duo Policy Skip 2FA for Other Countries [splunk_escu]
- Cisco Duo Set User Status to Bypass 2FA [splunk_escu]
- Cisco Network Interface Modifications [splunk_escu]
- Deletion Conditional Access Policy [kql]
- Directory Service Restore Mode (DSRM) Registry Value Tampering [sigma, high]
- Disable Strong Authentication (Microsoft Entra ID) [crowdstrike_cql]
- Disabled MFA to Bypass Authentication Mechanisms [sigma, medium]
- Disabling Windows Local Security Authority Defences via Registry [splunk_escu]
- Entra ID Conditional Access Policy (CAP) Modified [elastic, medium]
- Entra ID Domain Federation Configuration Change [elastic, high]
- Entra ID External Authentication Methods (EAM) Modified [elastic, medium]
- Entra ID MFA Disabled for User [elastic, medium]
- Entra ID Protection - Risk Detection - Sign-in Risk [elastic, high]
- Entra ID Protection - Risk Detection - User Risk [elastic, high]
- Entra ID User Sign-in with Unusual Authentication Type [elastic, medium]
- Github High Risk Configuration Disabled [sigma, high]
- Google Workspace 2SV Policy Disabled [elastic, medium]
- Google Workspace MFA Enforcement Disabled [elastic, medium]
- MFA Deactivation with no Re-Activation for Okta User Account [elastic, low]
- MFA Disabled for Google Workspace Organization [elastic, medium]
- Mimikatz Memssp Log File Detected [elastic, high]
- Modification or Removal of an Okta Application Sign-On Policy [elastic, medium]
- Network Logon Provider Registry Modification [elastic, medium]
- New Okta Identity Provider (IdP) Added by Admin [elastic, medium]
- New Root Certificate Authority Added [sigma, medium]
- O365 Disable MFA [splunk_escu]
- O365 Excessive SSO logon errors [splunk_escu]
- Okta Phishing Detection with FastPass Origin Check [splunk_escu]
- Pluggable Authentication Module (PAM) Creation in Unusual Directory [elastic, low]
- Pluggable Authentication Module (PAM) Source Download [elastic, medium]
- Pluggable Authentication Module (PAM) Version Discovery [elastic, low]
- Pluggable Authentication Module or Configuration Creation [elastic, medium]
- Polkit Policy Creation [elastic, low]
- Possible Shadow Credentials Added [sigma, high]
- Potential Backdoor Execution Through PAM_EXEC [elastic, medium]
- Potential Execution via SSH Backdoor [elastic, medium]
- Potential OpenSSH Backdoor Logging Activity [elastic, low]
- Potential Persistence via File Modification [elastic, low]
- Potential Shadow Credentials added to AD Object [elastic, high]
- Potential SSH Password Grabbing via strace [elastic, medium]
- Renaming of OpenSSH Binaries [elastic, low]
- Stolen Credentials Used to Login to Okta Account After MFA Reset [elastic, high]
- Untrusted DLL Loaded by Azure AD Connect Authentication Agent [elastic, high]
- Unusual Process Modifying GenAI Configuration File [elastic, medium]
- User Added To Group With CA Policy Modification Access [sigma, medium]
- User Removed From Group With CA Policy Modification Access [sigma, medium]