Esc
Modify Authentication Process - T1556
(ATT&CK® Technique)
Definition
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1556["Modify Authentication Process"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1556 OffensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
click T1556 href "/offensive-technique/attack/T1556/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1556["Modify Authentication Process"] --> |creates| SharedLibraryFile["Shared Library File"]; class T1556 OffensiveTechniqueNode;
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
click T1556 href "/offensive-technique/attack/T1556/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1556["Modify Authentication Process"] --> |may-modify| OperatingSystemConfigurationFile["Operating System Configuration File"]; class T1556 OffensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";
click T1556 href "/offensive-technique/attack/T1556/"; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile"; T1556["Modify Authentication Process"] --> |may-modify| OperatingSystemSharedLibraryFile["Operating System Shared Library File"]; class T1556 OffensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode; click OperatingSystemSharedLibraryFile href "/dao/artifact/d3f:OperatingSystemSharedLibraryFile";
click T1556 href "/offensive-technique/attack/T1556/"; click OperatingSystemSharedLibraryFile href "/dao/artifact/d3f:OperatingSystemSharedLibraryFile"; T1556["Modify Authentication Process"] --> |modifies| AuthenticationService["Authentication Service"]; class T1556 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1556 href "/offensive-technique/attack/T1556/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; DecoyFile["Decoy File"] -->
| spoofs | SharedLibraryFile["Shared Library File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1556["Modify Authentication Process"] ;
class DecoyFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | OperatingSystemConfigurationFile["Operating System Configuration File"];
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1556["Modify Authentication Process"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1556["Modify Authentication Process"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1556["Modify Authentication Process"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; FileEviction["File Eviction"] -->
| deletes | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
FileEviction["File Eviction"] -.->
| may-evict | T1556["Modify Authentication Process"] ;
class FileEviction DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | OperatingSystemConfigurationFile["Operating System Configuration File"];
class FileEviction DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | SharedLibraryFile["Shared Library File"];
class FileEviction DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; HostShutdown["Host Shutdown"] -->
| terminates | AuthenticationService["Authentication Service"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1556["Modify Authentication Process"] ;
class HostShutdown DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | AuthenticationService["Authentication Service"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1556["Modify Authentication Process"] ;
class ProcessTermination DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] -->
| suspends | AuthenticationService["Authentication Service"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1556["Modify Authentication Process"] ;
class ProcessSuspension DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; FileEncryption["File Encryption"] -->
| encrypts | SharedLibraryFile["Shared Library File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1556["Modify Authentication Process"] ;
class FileEncryption DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | OperatingSystemConfigurationFile["Operating System Configuration File"];
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; SystemCallFiltering["System Call Filtering"] -->
| isolates | AuthenticationService["Authentication Service"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1556["Modify Authentication Process"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; LocalFilePermissions["Local File Permissions"] -->
| restricts | OperatingSystemConfigurationFile["Operating System Configuration File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1556["Modify Authentication Process"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | SharedLibraryFile["Shared Library File"];
class LocalFilePermissions DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1556["Modify Authentication Process"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1556["Modify Authentication Process"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1556["Modify Authentication Process"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; RestoreFile["Restore File"] -->
| restores | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
RestoreFile["Restore File"] -.->
| may-restore | T1556["Modify Authentication Process"] ;
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | OperatingSystemConfigurationFile["Operating System Configuration File"];
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | SharedLibraryFile["Shared Library File"];
class RestoreFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] -->
| restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];
RestoreConfiguration["Restore Configuration"] -.->
| may-restore | T1556["Modify Authentication Process"] ;
class RestoreConfiguration DefensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode;
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; FileAnalysis["File Analysis"] -->
| analyzes | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1556["Modify Authentication Process"] ;
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
class FileAnalysis DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemFileAnalysis["System File Analysis"] -->
| analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];
SystemFileAnalysis["System File Analysis"] -.->
| may-detect | T1556["Modify Authentication Process"] ;
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; SystemFileAnalysis["System File Analysis"] -->
| analyzes | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1556["Modify Authentication Process"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | AuthenticationService["Authentication Service"];
HostReboot["Host Reboot"] -.->
| may-evict | T1556["Modify Authentication Process"] ;
class HostReboot DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | SharedLibraryFile["Shared Library File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1556["Modify Authentication Process"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | OperatingSystemSharedLibraryFile["Operating System Shared Library File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class OperatingSystemSharedLibraryFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | OperatingSystemConfigurationFile["Operating System Configuration File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | AuthenticationService["Authentication Service"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1556["Modify Authentication Process"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";