T1556: Modify Authentication Process
Essential information
- MITRE technique ID: T1556
- Confidence: 100/100
- Revoked: No
- Published: 11/02/2020 20:01
- Modified: 27/03/2026 01:12
- Author / Source: The MITRE Corporation
Aliases
Modify Authentication Process
Platforms
Windows, macOS, Linux, Network Devices, IaaS, Office Suite, Identity Provider, SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
| mitre-attack | defense-evasion |
| mitre-attack | persistence |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (17)
- TeamPCP (uses; source: AlienVault, confidence 100)
- Lazarus Group (source: The MITRE Corporation, confidence 100): [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…
- Storm-2755 (uses; source: AlienVault, confidence 100)
- Storm-1575 (uses; source: AlienVault, confidence 100)
- ShinyHunters (uses; source: AlienVault, confidence 100): no description available
- All_father (uses; source: AlienVault, confidence 100)
- UNC3886 (uses; source: The MITRE Corporation, confidence 100): [UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…
- Salt Typhoon (uses; source: The MITRE Corporation, confidence 100): [Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…
- RansomHub (uses; source: AlienVault, confidence 100)
- Kimsuky and Andariel (uses; source: AlienVault, confidence 100)
- UTA0218 (uses; source: AlienVault, confidence 100)
- Amadey (uses; source: AlienVault, confidence 100)
Malware (67)
- W32.File.MalParent (uses; Family)
- VSingle (uses)
- GREASE (uses; source: AlienVault, confidence 100)
- Knight (uses; source: AlienVault, confidence 100)
- Meterpreter (uses; Family)
- Spider Threat (uses)
- WIREFIRE - S1115 (uses; source: AlienVault, confidence 100)
- BianLian (uses; Family)
- BEEFLUSH (uses; Family)
- Rockstar 2FA (uses)
- Medusa (uses; source: The MITRE Corporation, confidence 100): [MEDUSA](https://attack.mitre.org/software/S1220) is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials. (Citation: Google Cloud Mandiant UNC3886 2024)
- WorkersDevBackdoor (uses; Family)
Reports (20)
- 20 MITRE techniques, 2 observables, 1 APT
- 14 MITRE techniques, 1 observable
- Source: AlienVault, confidence 100; 1 CVE, 18 MITRE techniques, 2 IOCs, 2 observables, 1 APT
- 9 MITRE techniques, 1 malware, 2 observables, 1 APT
- 20 MITRE techniques, 2 malware, 2 observables, 1 APT
- 7 CVEs, 13 MITRE techniques, 28 observables
- "Welcome to the party, pal!" (related): 14 MITRE techniques, 6 malware, 5 observables
- 13 MITRE techniques, 5 malware, 11 observables, 1 APT
- "Credential Flusher Research" (related): 11 MITRE techniques, 1 malware, 8 observables, 1 APT
- 16 MITRE techniques, 5 observables
- 15 MITRE techniques, 2 malware, 64 observables, 1 APT
- 18 MITRE techniques, 3 malware, 9 observables, 1 APT
Vulnerabilities (CVE) (51)
- A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA … (attack vector: Network; published 08/01/2025; modified 21/12/2025)
- An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to … (attack vector: Network; published 13/09/2024; modified 21/12/2025)
- When a per-request policy is configured on a BIG-IP APM portal access virtual server, undisclosed traffic can cause the Traffic Management Microkernel … (attack vector: Network; published 15/10/2025; modified 21/12/2025)
- When BIG-IP SSL Orchestrator explicit forward proxy is configured on a virtual server and the proxy connect feature is enabled, undisclosed traffic … (attack vector: Network; published 15/10/2025; modified 21/12/2025)
- When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: … (attack vector: Network; published 15/10/2025; modified 21/12/2025)
- Undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. This issue may occur when a Datagram Transport Layer Security (DTLS) … (attack vector: Network; published 15/10/2025; modified 21/12/2025)
- Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the … (attack vector: Network; published 10/01/2024; modified 27/05/2026)
- Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with … (attack vector: Network; published 09/10/2024; modified 21/12/2025)
- Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions. (attack vector: Network; published 08/10/2024; modified 21/12/2025)
- Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a … (attack vector: Local; published 03/11/2021; modified 27/05/2026)
- When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel … (attack vector: Network; published 15/10/2025; modified 21/12/2025)
- When a client SSL profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: … (attack vector: Network; published 15/10/2025; modified 21/12/2025)
Attack patterns (MITRE) (8)
- T1556.001 Domain Controller Authentication (sub-technique of T1556; MITRE)
- T1556.004 Network Device Authentication (sub-technique of T1556; MITRE)
- Network Provider DLL (sub-technique of T1556)
- Multi-Factor Authentication (sub-technique of T1556)
- T1556.002 Password Filter DLL (sub-technique of T1556; MITRE)
- Hybrid Identity (sub-technique of T1556)
- Conditional Access Policies (sub-technique of T1556)
- T1556.003 Pluggable Authentication Modules (sub-technique of T1556; MITRE)
Course Of Action (7)
- Audit (mitigates)
- Operating System Configuration (mitigates)
- Restrict Registry Permissions (mitigates)
- Restrict File and Directory Permissions (mitigates)
- Multi-factor Authentication (mitigates)
- Privileged Account Management (mitigates)
- Privileged Process Integrity (mitigates)
Campaign (1)
- ArcaneDoor (uses)
Tool (1)
- SILENTTRINITY (uses; source: The MITRE Corporation, confidence 100): [SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…