T1556: T1556

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1556
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Modify Authentication Process

Platforms

windows macos linux Network Devices IaaS Office Suite Identity Provider SaaS

Description

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access
mitre-attack	defense-evasion
mitre-attack	persistence

Marking (TLP)

External references

Xorrior Authorization Plugins
Clymb3r Function Hook Passwords Sept 2013
TechNet Audit Policy
mitre-attack (T1556)
dump_pwd_dcsync
Dell Skeleton

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (17)

FIN13 uses Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5221 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
NullBulge uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–17 of 17

W32.File.MalParent uses

Family
VSingle uses
GREASE uses
Knight uses

Family
Meterpreter uses

Family
Spider Threat uses
WIREFIRE - S1115 uses

Family
BianLian uses

Family
BEEFLUSH uses

Family
Rockstar 2FA uses
Medusa uses

Family
WorkersDevBackdoor uses

Family

← Previous

Page / 7

1–12 of 75

Technical Advisory: Breach of Instructure Canvas LMS related

20 MITREs 2 Observables 1 APT
Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns related

14 MITREs 1 Observable
Payroll pirate attacks targeting Canadian employees related

AlienVault Confidence 100 1 CVE 18 MITREs 2 IOCs 2 Observables 1 APT
Guidance for detecting, investigating, and defending against the … related

9 MITREs 1 Malware 2 Observables 1 APT
Unmasking the Shadow of PoisonPlug's Obfuscator related

20 MITREs 2 Malwares 2 Observables 1 APT
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service … related

7 CVEs 13 MITREs 28 Observables
Welcome to the party, pal! related

14 MITREs 6 Malwares 5 Observables
Infrastructure linking PandorahVNC and Mesh Central related

13 MITREs 5 Malwares 11 Observables 1 APT
Credential Flusher Research related

11 MITREs 1 Malware 8 Observables 1 APT
Profiling and Detecting Malicious DNS Traffic related

16 MITREs 5 Observables
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks related

15 MITREs 2 Malwares 64 Observables 1 APT
Threat Actor Masquerades as Hacktivist Group Rebelling Against … related

18 MITREs 3 Malwares 9 Observables 1 APT

← Previous

Page / 2

1–12 of 20

Vulnerabilities (CVE) (51)

CVE-2025-59781 targets

8.7 High

When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2023-34048 KEV targets

9.8 Critical

VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote …

Attack vector: Network
Published: 22/01/2024
Modified: 21/12/2025

CVE-2025-61938 targets

8.7 High

When a BIG-IP Advanced WAF or ASM security policy is configured with a URL greater than 1024 characters in length for the …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2018-4404 targets

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2025-48008 targets

8.7 High

When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed traffic along with conditions beyond the …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2022-22948 KEV targets

VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information.

Published: 17/07/2024
Modified: 21/12/2025

CVE-2025-58096 targets

8.2 High

When the database variable tm.tcpudptxchecksum is configured as non-default value Software-only on a BIG-IP system, undisclosed traffic can cause the Traffic Management …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-60016 targets

8.7 High

When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in an SSL profile's Cipher Rule or Cipher Group, and …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2025-58071 targets

8.7 High

When IPsec is configured on the BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

← Previous

Page / 5

1–12 of 51

T1556.001 subtechnique-of

Domain Controller Authentication MITRE
Network Device Authentication subtechnique-of

T1556.004 MITRE
Network Provider DLL subtechnique-of

MITRE
Multi-Factor Authentication subtechnique-of

MITRE
T1556.002 subtechnique-of

Password Filter DLL MITRE
Hybrid Identity subtechnique-of

MITRE
Conditional Access Policies subtechnique-of

MITRE
Pluggable Authentication Modules subtechnique-of

T1556.003 MITRE
Reversible Encryption subtechnique-of

MITRE

Course Of Action (9)

Audit mitigates
Operating System Configuration mitigates
Restrict Registry Permissions mitigates
Restrict File and Directory Permissions mitigates
Multi-factor Authentication mitigates
Privileged Account Management mitigates
Privileged Process Integrity mitigates
Password Policies mitigates
User Account Management mitigates

Campaign (1)

ArcaneDoor uses

Tool (1)

SILENTTRINITY uses

The MITRE Corporation Confidence 100

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…

Contact About Legal notice Privacy policy Terms of use

T1556: T1556

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (17)

Malware (75)

Reports (20)

Vulnerabilities (CVE) (51)

Attack patterns (MITRE) (9)

Course Of Action (9)

Campaign (1)

Tool (1)