T1556: T1556
Essential information
- MITRE technique ID
T1556- Confidence
- 100/100
- Revoked
- No
- Published
- 11/02/2020 20:01
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Aliases
Modify Authentication Process
Platforms
windows macos linux Network Devices IaaS Office Suite Identity Provider SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
| mitre-attack | defense-evasion |
| mitre-attack | persistence |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (17)
-
TeamPCP usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Storm-2755 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-1575 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ShinyHunters usesAlienVault Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
All_father usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC3886 usesThe MITRE Corporation Confidence 100
[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Salt Typhoon usesThe MITRE Corporation Confidence 100
[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RansomHub usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Kimsuky and Andariel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UTA0218 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Amadey usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (67)
-
W32.File.MalParent usesFamily
-
VSingle uses
-
GREASE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Knight usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Meterpreter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Spider Threat uses
-
WIREFIRE - S1115 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BianLian usesFamily
-
BEEFLUSH usesFamily
-
Rockstar 2FA uses
-
Medusa usesThe MITRE Corporation Confidence 100
[MEDUSA](https://attack.mitre.org/software/S1220) is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials.(Citation: Google Cloud Mandiant UNC3886 2024)
First seen 01/01/1970 · Last seen 16/11/5138 · -
WorkersDevBackdoor usesFamily
Reports (20)
-
14 MITREs 2 Malwares 51 Observables
-
Uncovering Espionage Operations related5 CVEs 14 MITREs 7 Malwares 39 Observables 1 APT
-
20 MITREs 6 Malwares 19 Observables 1 APT
-
1 CVE 20 MITREs 4 Malwares 14 Observables 1 APT
-
LightSpy: Implant for macOS related2 CVEs 9 MITREs 43 Observables
-
12 MITREs 30 Observables
-
13 MITREs 6 Malwares 4 Observables 1 APT
-
8 MITREs 2 Malwares 13 Observables
Vulnerabilities (CVE) (51)
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …
- Attack vector
- Network
- Published
- 19/09/2024
- Modified
- 21/12/2025
When HTTP/2 Ingress is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached …
- Attack vector
- NETWORK
- Published
- 15/10/2025
- Modified
- 21/12/2025
When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions …
- Attack vector
- Network
- Complexity
- Low
- Published
- 15/10/2025
- Modified
- 04/04/2026
Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …
- Attack vector
- Network
- Published
- 23/10/2023
- Modified
- 21/12/2025
Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …
- Attack vector
- NETWORK
- Published
- 03/11/2021
- Modified
- 14/01/2026
When BIG-IP SSL Orchestrator is enabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have …
- Attack vector
- NETWORK
- Published
- 15/10/2025
- Modified
- 21/12/2025
When a virtual server, network address translation (NAT) object, or secure network address translation (SNAT) object uses the embedded Packet Velocity Acceleration …
- Attack vector
- NETWORK
- Published
- 15/10/2025
- Modified
- 21/12/2025
When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance …
- Attack vector
- Network
- Published
- 15/10/2025
- Modified
- 04/02/2026
When a BIG-IP APM OAuth access profile (Resource Server or Resource Client) is configured on a virtual server, undisclosed traffic can cause …
- Attack vector
- NETWORK
- Published
- 15/10/2025
- Modified
- 21/12/2025
A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A …
- Attack vector
- LOCAL
- Published
- 15/10/2025
- Modified
- 21/12/2025
Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …
- Attack vector
- Local
- Published
- 14/03/2023
- Modified
- 21/12/2025
When an iRule using an ILX::call command is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) …
- Attack vector
- NETWORK
- Published
- 15/10/2025
- Modified
- 21/12/2025
Attack patterns (MITRE) (8)
-
T1556.001 subtechnique-ofDomain Controller Authentication MITRE
-
Network Device Authentication subtechnique-ofT1556.004 MITRE
-
Network Provider DLL subtechnique-of
-
Multi-Factor Authentication subtechnique-of
-
T1556.002 subtechnique-ofPassword Filter DLL MITRE
-
Hybrid Identity subtechnique-of
-
Conditional Access Policies subtechnique-of
-
Pluggable Authentication Modules subtechnique-ofT1556.003 MITRE
Course Of Action (7)
-
Audit mitigates
-
Operating System Configuration mitigates
-
Restrict Registry Permissions mitigates
-
Restrict File and Directory Permissions mitigates
-
Multi-factor Authentication mitigates
-
Privileged Account Management mitigates
-
Privileged Process Integrity mitigates
Campaign (1)
-
ArcaneDoor uses
Tool (1)
-
SILENTTRINITY usesThe MITRE Corporation Confidence 100
[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…