T1556: T1556

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1556
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Modify Authentication Process

Platforms

windows macos linux Network Devices IaaS Office Suite Identity Provider SaaS

Description

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access
mitre-attack	defense-evasion
mitre-attack	persistence

Marking (TLP)

External references

Xorrior Authorization Plugins
Clymb3r Function Hook Passwords Sept 2013
TechNet Audit Policy
mitre-attack (T1556)
dump_pwd_dcsync
Dell Skeleton

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (17)

TeamPCP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-2755 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1575 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ShinyHunters uses

AlienVault Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
All_father uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC3886 uses

The MITRE Corporation Confidence 100

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky and Andariel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UTA0218 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Amadey uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 17

W32.File.MalParent uses

Family
VSingle uses
GREASE uses
Knight uses

Family
Meterpreter uses

Family
Spider Threat uses
WIREFIRE - S1115 uses

Family
BianLian uses

Family
BEEFLUSH uses

Family
Rockstar 2FA uses
Medusa uses

Family
WorkersDevBackdoor uses

Family

← Previous

Page / 7

1–12 of 75

Technical Advisory: Breach of Instructure Canvas LMS related

20 MITREs 2 Observables 1 APT
Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns related

14 MITREs 1 Observable
Payroll pirate attacks targeting Canadian employees related

AlienVault Confidence 100 1 CVE 18 MITREs 2 IOCs 2 Observables 1 APT
Guidance for detecting, investigating, and defending against the … related

9 MITREs 1 Malware 2 Observables 1 APT
Unmasking the Shadow of PoisonPlug's Obfuscator related

20 MITREs 2 Malwares 2 Observables 1 APT
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service … related

7 CVEs 13 MITREs 28 Observables
Welcome to the party, pal! related

14 MITREs 6 Malwares 5 Observables
Infrastructure linking PandorahVNC and Mesh Central related

13 MITREs 5 Malwares 11 Observables 1 APT
Credential Flusher Research related

11 MITREs 1 Malware 8 Observables 1 APT
Profiling and Detecting Malicious DNS Traffic related

16 MITREs 5 Observables
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks related

15 MITREs 2 Malwares 64 Observables 1 APT
Threat Actor Masquerades as Hacktivist Group Rebelling Against … related

18 MITREs 3 Malwares 9 Observables 1 APT

← Previous

Page / 2

1–12 of 20

Vulnerabilities (CVE) (51)

CVE-2025-46706 targets

8.7 High

When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed requests can cause an increase in memory resource …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2018-4233 targets

CVE-2023-20867 KEV targets

3.9 Low

VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail …

Attack vector: Local
Published: 23/06/2023
Modified: 21/12/2025

CVE-2023-4966 KEV targets

9.4 Critical

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …

Attack vector: Network
Published: 18/10/2023
Modified: 21/12/2025

CVE-2024-9379 KEV targets

6.5 Medium

Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can …

Attack vector: Network
Published: 09/10/2024
Modified: 21/12/2025

Analyzed

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2025-55669 targets

8.7 High

When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed traffic …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-54858 targets

8.7 High

When a BIG-IP Advanced WAF or BIG-IP ASM Security Policy is configured with a JSON content profile that has a malformed JSON …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2024-11477 targets

7.8 High

7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of …

Attack vector: LOCAL
Published: 22/11/2024
Modified: 21/12/2025

Analyzed

CVE-2025-61935 targets

8.7 High

When a BIG IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd …

Attack vector: NETWORK
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-57780 targets

8.5 High

A vulnerability exists in F5OS-A and F5OS-C system that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

Received

← Previous

Page / 5

13–24 of 51

T1556.001 subtechnique-of

Domain Controller Authentication MITRE
Network Device Authentication subtechnique-of

T1556.004 MITRE
Network Provider DLL subtechnique-of

MITRE
Multi-Factor Authentication subtechnique-of

MITRE
T1556.002 subtechnique-of

Password Filter DLL MITRE
Hybrid Identity subtechnique-of

MITRE
Conditional Access Policies subtechnique-of

MITRE
Pluggable Authentication Modules subtechnique-of

T1556.003 MITRE
Reversible Encryption subtechnique-of

MITRE

Course Of Action (9)

Audit mitigates
Operating System Configuration mitigates
Restrict Registry Permissions mitigates
Restrict File and Directory Permissions mitigates
Multi-factor Authentication mitigates
Privileged Account Management mitigates
Privileged Process Integrity mitigates
Password Policies mitigates
User Account Management mitigates

Campaign (1)

ArcaneDoor uses

Tool (1)

SILENTTRINITY uses

The MITRE Corporation Confidence 100

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…

Contact About Legal notice Privacy policy Terms of use

T1556: T1556

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (17)

Malware (75)

Reports (20)

Vulnerabilities (CVE) (51)

Attack patterns (MITRE) (9)

Course Of Action (9)

Campaign (1)

Tool (1)