T1556: T1556

Search IOCs, vulnerabilities, APT…

216.73.216.82

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1556
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Modify Authentication Process

Platforms

windows macos linux Network Devices IaaS Office Suite Identity Provider SaaS

Description

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access
mitre-attack	defense-evasion
mitre-attack	persistence

Marking (TLP)

External references

Xorrior Authorization Plugins
Clymb3r Function Hook Passwords Sept 2013
TechNet Audit Policy
mitre-attack (T1556)
dump_pwd_dcsync
Dell Skeleton

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (17)

TeamPCP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-2755 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1575 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ShinyHunters uses

AlienVault Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
All_father uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC3886 uses

The MITRE Corporation Confidence 100

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky and Andariel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UTA0218 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Amadey uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 17

W32.File.MalParent uses

Family
VSingle uses
GREASE uses
Knight uses

Family
Meterpreter uses

Family
Spider Threat uses
WIREFIRE - S1115 uses

Family
BianLian uses

Family
BEEFLUSH uses

Family
Rockstar 2FA uses
Medusa uses

Family
WorkersDevBackdoor uses

Family

← Previous

Page / 7

1–12 of 75

WorkersDevBackdoor and MadMxShell converge in malvertising campaigns related

14 MITREs 2 Malwares 51 Observables
Uncovering Espionage Operations related

5 CVEs 14 MITREs 7 Malwares 39 Observables 1 APT
SmallTiger Malware Used in Attacks Against South Korean … related

20 MITREs 6 Malwares 19 Observables 1 APT
RansomHub: New Ransomware with Origins in Older Knight related

1 CVE 20 MITREs 4 Malwares 14 Observables 1 APT
LightSpy: Implant for macOS related

2 CVEs 9 MITREs 43 Observables
'Reptile Recon': Discovering CryptoChameleon fast flux IOFAs. Hundreds … related

12 MITREs 30 Observables
Technical Deep Dive: Understanding the Anatomy of a … related

13 MITREs 6 Malwares 4 Observables 1 APT
Threat Actors Hack YouTube Channels to Distribute Infostealers related

8 MITREs 2 Malwares 13 Observables

← Previous

Page / 2

13–20 of 20

Vulnerabilities (CVE) (51)

CVE-2025-59781 targets

8.7 High

When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2023-34048 KEV targets

9.8 Critical

VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote …

Attack vector: Network
Published: 22/01/2024
Modified: 21/12/2025

CVE-2025-61938 targets

8.7 High

When a BIG-IP Advanced WAF or ASM security policy is configured with a URL greater than 1024 characters in length for the …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2018-4404 targets

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2025-48008 targets

8.7 High

When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed traffic along with conditions beyond the …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2022-22948 KEV targets

VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information.

Published: 17/07/2024
Modified: 21/12/2025

CVE-2025-58096 targets

8.2 High

When the database variable tm.tcpudptxchecksum is configured as non-default value Software-only on a BIG-IP system, undisclosed traffic can cause the Traffic Management …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-60016 targets

8.7 High

When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in an SSL profile's Cipher Rule or Cipher Group, and …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2025-58071 targets

8.7 High

When IPsec is configured on the BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

← Previous

Page / 5

1–12 of 51

T1556.001 subtechnique-of

Domain Controller Authentication MITRE
Network Device Authentication subtechnique-of

T1556.004 MITRE
Network Provider DLL subtechnique-of

MITRE
Multi-Factor Authentication subtechnique-of

MITRE
T1556.002 subtechnique-of

Password Filter DLL MITRE
Hybrid Identity subtechnique-of

MITRE
Conditional Access Policies subtechnique-of

MITRE
Pluggable Authentication Modules subtechnique-of

T1556.003 MITRE
Reversible Encryption subtechnique-of

MITRE

Course Of Action (9)

Audit mitigates
Operating System Configuration mitigates
Restrict Registry Permissions mitigates
Restrict File and Directory Permissions mitigates
Multi-factor Authentication mitigates
Privileged Account Management mitigates
Privileged Process Integrity mitigates
Password Policies mitigates
User Account Management mitigates

Campaign (1)

ArcaneDoor uses

Tool (1)

SILENTTRINITY uses

The MITRE Corporation Confidence 100

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…

Contact About Legal notice Privacy policy Terms of use

T1556: T1556

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (17)

Malware (75)

Reports (20)

Vulnerabilities (CVE) (51)

Attack patterns (MITRE) (9)

Course Of Action (9)

Campaign (1)

Tool (1)