Modify Authentication Process T1556

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.

Events covered

17 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 14 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (20 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
EventID4eq 44103, 4104, 4688, 4768, 4882
Details3eq 1, in 1, starts_with 10, 0x00000000, ?, DWORD (0x00000000)
AttributeLDAPDisplayName2eq 2msds-keycredentiallink
CommandLine2contains 2, starts_with 1/cfg, /configure, /db, hklm\system\currentcontrolset\control\lsa, reg add
EventType2eq 2, in 1ConnectionSuccess, FileCreated, FileModified, deleted, modified
TargetObject2ends_with 1, wildcard 1\control\lsa\dsrmadminlogonbehavior, \registry\machine\system\*controlset*\services\*\networkp..., hklm\system\*controlset*\services\*\networkprovider\providerpath
AttributeValue1starts_with 1B\:828
Certificate_Issuer_Name1eq 1*
Image1ends_with 1\secedit.exe
OriginalFileName1eq 1secedit
RemoteIPType1eq 1Public
ScriptBlockText1regex_match 1(copy-item|cpi) .{2,128} -destination...
Type1eq 1
dll.code_signature.trusted1ne 1true
event.type1eq 1change

Top indicator values (59 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
AttributeLDAPDisplayNameeq
msds-keycredentiallink
22
AttributeValuestarts_with
B\:828
1
Certificate_Issuer_Nameeq
*
1
CommandLinecontains
/cfg
12
CommandLinecontains
/configure
12
CommandLinecontains
/db
12
CommandLinecontains
/export
12
CommandLinecontains
hklm\system\currentcontrolset\control\lsa
1
CommandLinecontains
reg add
114
CommandLinestarts_with
scecli\0
1
Detailseq
DWORD (0x00000000)
140
Detailsin
0
13
Detailsin
0x00000000
12
Detailsstarts_with
?
1
EventIDeq
4103
1105
EventIDeq
4104
1268
EventIDeq
4688
1312
EventIDeq
4768
113
EventIDeq
4882
1
EventIDeq
4890
1
EventIDeq
4891
1
EventIDeq
4892
1
EventTypeeq
ConnectionSuccess
15
EventTypeeq
deleted
18
EventTypeeq
modified
16
EventTypein
FileCreated
13
EventTypein
FileModified
13
Imageends_with
\secedit.exe
1
OriginalFileNameeq
secedit
1
RemoteIPTypeeq
Public
13

Exclusions (15 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
Detailseq
%SystemRoot%\System32\davclnt.dll
1
Detailseq
%SystemRoot%\System32\drprov.dll
1
Detailseq
%SystemRoot%\System32\ntlanman.dll
1
Detailseq
%SystemRoot%\System32\vmhgfs.dll
1
Detailseq
?:\Program Files (x86)\CheckPoint\Endpoint Connect\\epcgina.dll
1
Detailseq
?:\Program Files (x86)\Citrix\ICA Client\x64\pnsson.dll
1
Detailseq
?:\Program Files\Dell\SARemediation\agent\DellMgmtNP.dll
1
Detailseq
DWORD (0x00000000)
1
ImageLoadedstarts_with
?:\windows\assembly\nativeimages
1
ImageLoadedstarts_with
?:\windows\microsoft.net\
1
ImageLoadedstarts_with
?:\windows\system32\driverstore\filerepository\
1
ImageLoadedstarts_with
?:\windows\winsxs\
1
ObjectClasseq
msDS-Device
1
SubjectUserNamestarts_with
MSOL_
1
user.ideq
S-1-5-18
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 5 rules

Elastic 3 rules

Splunk 5 rules

Kusto 1 rule