T1556: T1556

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 20:01 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1556
Confidence: 100/100
Revoked: No
Published: 11/02/2020 20:01
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Modify Authentication Process

Platforms

windows macos linux Network Devices IaaS Office Suite Identity Provider SaaS

Description

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access
mitre-attack	defense-evasion
mitre-attack	persistence

Marking (TLP)

External references

Xorrior Authorization Plugins
Clymb3r Function Hook Passwords Sept 2013
TechNet Audit Policy
mitre-attack (T1556)
dump_pwd_dcsync
Dell Skeleton

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (17)

FIN13 uses Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5221 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
NullBulge related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–17 of 17

W32.File.MalParent uses

Family
VSingle uses
GREASE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Knight uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Spider Threat uses
WIREFIRE - S1115 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BianLian uses

Family
BEEFLUSH uses

Family
Rockstar 2FA uses
Medusa uses

The MITRE Corporation Confidence 100

[MEDUSA](https://attack.mitre.org/software/S1220) is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials.(Citation: Google Cloud Mandiant UNC3886 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
WorkersDevBackdoor uses

Family

← Previous

Page / 6

1–12 of 67

WorkersDevBackdoor and MadMxShell converge in malvertising campaigns related

14 MITREs 2 Malwares 51 Observables
Uncovering Espionage Operations related

5 CVEs 14 MITREs 7 Malwares 39 Observables 1 APT
SmallTiger Malware Used in Attacks Against South Korean … related

20 MITREs 6 Malwares 19 Observables 1 APT
RansomHub: New Ransomware with Origins in Older Knight related

1 CVE 20 MITREs 4 Malwares 14 Observables 1 APT
LightSpy: Implant for macOS related

2 CVEs 9 MITREs 43 Observables
'Reptile Recon': Discovering CryptoChameleon fast flux IOFAs. Hundreds … related

12 MITREs 30 Observables
Technical Deep Dive: Understanding the Anatomy of a … related

13 MITREs 6 Malwares 4 Observables 1 APT
Threat Actors Hack YouTube Channels to Distribute Infostealers related

8 MITREs 2 Malwares 13 Observables

← Previous

Page / 2

13–20 of 20

Vulnerabilities (CVE) (51)

CVE-2025-46706 targets

8.7 High

When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed requests can cause an increase in memory resource …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2018-4233 targets

CVE-2023-20867 KEV targets

3.9 Low

VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail …

Attack vector: Local
Published: 23/06/2023
Modified: 21/12/2025

CVE-2023-4966 KEV targets

9.4 Critical

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …

Attack vector: Network
Published: 18/10/2023
Modified: 21/12/2025

CVE-2024-9379 KEV targets

6.5 Medium

Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can …

Attack vector: Network
Published: 09/10/2024
Modified: 21/12/2025

Analyzed

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2025-55669 targets

8.7 High

When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed traffic …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-54858 targets

8.7 High

When a BIG-IP Advanced WAF or BIG-IP ASM Security Policy is configured with a JSON content profile that has a malformed JSON …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2024-11477 targets

7.8 High

7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of …

Attack vector: LOCAL
Published: 22/11/2024
Modified: 21/12/2025

Analyzed

CVE-2025-61935 targets

8.7 High

When a BIG IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-57780 targets

8.5 High

A vulnerability exists in F5OS-A and F5OS-C system that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

Received

← Previous

Page / 5

13–24 of 51

T1556.001 subtechnique-of

Domain Controller Authentication MITRE
Network Device Authentication subtechnique-of

T1556.004 MITRE
Network Provider DLL subtechnique-of

MITRE
Multi-Factor Authentication subtechnique-of

MITRE
T1556.002 subtechnique-of

Password Filter DLL MITRE
Hybrid Identity subtechnique-of

MITRE
Conditional Access Policies subtechnique-of

MITRE
Pluggable Authentication Modules subtechnique-of

T1556.003 MITRE

Course Of Action (7)

Audit mitigates
Operating System Configuration mitigates
Restrict Registry Permissions mitigates
Restrict File and Directory Permissions mitigates
Multi-factor Authentication mitigates
Privileged Account Management mitigates
Privileged Process Integrity mitigates

Campaign (1)

ArcaneDoor uses

Tool (1)

SILENTTRINITY uses

The MITRE Corporation Confidence 100

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…

Contact About Legal notice Privacy policy Terms of use

T1556: T1556

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (17)

Malware (67)

Reports (20)

Vulnerabilities (CVE) (51)

Attack patterns (MITRE) (8)

Course Of Action (7)

Campaign (1)

Tool (1)