Modify Authentication Process T1556
Tactics: Defense Evasion, Persistence, Credential Access
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. Authentication is handled by components responsible for gathering, storing, and validating credentials, such as the Local Security Authority Subsystem Service (LSASS) process and the Security Account Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-like systems, and authorization plugins on macOS. By modifying one of these components, an adversary may be able to authenticate to a service or system without using Valid Accounts (T1078).
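The PAM case above is the one that can be audited directly from configuration text, so here is an added example (not code from the catalog or from any vendor's rules) that reads pam.d-style stacks and flags the three changes a T1556 backdoor usually leaves: a module loaded from outside the packaged module directories, "auth sufficient pam_permit.so" (any password is accepted), and pam_exec.so with expose_authtok (the cleartext password is handed to an arbitrary program). The trusted-directory set and both sample stacks are constructed for illustration; the clean one is modelled on a Debian-style /etc/pam.d/common-auth, where "auth required pam_permit.so" after pam_deny.so is legitimate and must not fire.

```python
"""Audit pam.d-style configuration for the module changes a T1556 backdoor leaves behind.

Added example for this catalog page; not code from the catalog or from any vendor's rules.
TRUSTED_MODULE_DIRS and the two sample stacks are constructed for illustration.
"""
import os
import re
from collections import Counter

# Assumption: directories where distribution-packaged PAM modules live on common distros.
TRUSTED_MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
}

# type  control (word or [bracketed list])  module  [args...]
# A leading '-' on the type ("don't log if the module is missing") is accepted and stripped.
LINE_RE = re.compile(
    r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def audit_pam_config(name, text, trusted_dirs=TRUSTED_MODULE_DIRS):
    """Return a list of findings for one pam.d file supplied as text."""
    findings = []

    def add(kind, lineno, raw):
        findings.append({"file": name, "line": lineno, "kind": kind, "text": raw.strip()})

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("@include"):  # Debian includes are audited as their own file
            continue
        m = LINE_RE.match(line)
        if not m:
            add("unparsed_line", lineno, raw)        # a malformed line is itself worth a look
            continue
        mtype = m["type"].lstrip("-")
        control = m["control"].lower()
        module = m["module"]
        args = m["args"].split()
        basename = os.path.basename(module)

        # A module referenced by absolute path from outside the packaged module directories
        # is how a dropped backdoor .so normally shows up in the stack.
        if module.startswith("/") and os.path.dirname(module) not in trusted_dirs:
            add("untrusted_module_path", lineno, raw)

        # "auth sufficient pam_permit.so" short-circuits the stack so any password works.
        # "auth required pam_permit.so" after pam_deny.so is the normal Debian fallthrough,
        # so only the sufficient form is flagged.
        if basename == "pam_permit.so" and mtype in ("auth", "account") and control == "sufficient":
            add("sufficient_permit", lineno, raw)

        # pam_exec.so runs an arbitrary program; with expose_authtok that program receives
        # the cleartext password on stdin. Flag both forms, the second at lower priority.
        if basename == "pam_exec.so":
            add("exec_expose_authtok" if "expose_authtok" in args else "exec_module", lineno, raw)
    return findings


def summarize(findings):
    """Count findings by kind; a quick triage view when auditing many files."""
    return dict(Counter(f["kind"] for f in findings))


# Constructed samples, not captured from a real host.
CLEAN_COMMON_AUTH = """\
# modelled on a Debian-style /etc/pam.d/common-auth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_cap.so
"""

BACKDOORED_COMMON_AUTH = """\
auth    sufficient  pam_permit.so
auth    required    /tmp/.x/pam_unix.so
auth    optional    pam_exec.so expose_authtok /usr/local/bin/helper.sh
@include common-auth
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_COMMON_AUTH), ("backdoored", BACKDOORED_COMMON_AUTH)):
        for f in audit_pam_config(name, text):
            print(f"{f['file']}:{f['line']} {f['kind']}: {f['text']}")
```

Run it against the contents of /etc/pam.d/* on a host to get the same three finding kinds the Elastic rules listed on this page look for at event time (module creation in an unusual directory, pam_exec backdoors, password grabbing). The caveat is that this is a configuration-level check only: a trojanized pam_unix.so dropped over the packaged copy in a trusted directory keeps the stack looking clean, so pair it with package verification (rpm -V pam, debsums) or file-integrity monitoring on the module directories.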
Events covered
18 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 154 rules listed under this technique below: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (174 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (752 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (289 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
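The three tables described in this authoring guide (fields filtered, top indicator values with corpus reach, exclusions) follow from one aggregation over the rules' normalized predicates. The following is an added example of that aggregation, written for this page and not the catalog's own code. The alias table stands in for the catalog's vendor normalization, and the four sample rules are constructed (modelled on the password-filter DLL detections listed under this technique); both are assumptions.

```python
"""Build the authoring-guide tables from a small catalog of detection rules.

Added example for this catalog page, not the catalog's own code. FIELD_ALIASES and
SAMPLE_RULES are constructed stand-ins for the catalog's normalization and rule set.
"""
from collections import Counter, defaultdict

# Assumption: hand-written alias table mapping vendor field names onto one canonical name.
FIELD_ALIASES = {
    "Image": "process_name", "process.name": "process_name", "process_name": "process_name",
    "TargetObject": "registry_path", "registry.path": "registry_path", "registry_path": "registry_path",
}


def normalize(field):
    return FIELD_ALIASES.get(field, field)


def _combos(rule, key):
    """(field, op, value) set for one rule; a set so a rule counts at most once per row."""
    return {(normalize(f), op, v) for f, op, v in rule[key]}


def _count(rules, technique, key):
    """Per-combination counts: rules under the technique, and rules anywhere in the catalog."""
    in_tech, corpus = Counter(), Counter()
    for rule in rules:
        for combo in _combos(rule, key):
            corpus[combo] += 1
            if technique in rule["techniques"]:
                in_tech[combo] += 1
    return in_tech, corpus


def fields_filtered(rules, technique):
    """field -> {operator: number of rules under the technique using that operator on it}."""
    out = defaultdict(Counter)
    for rule in rules:
        if technique in rule["techniques"]:
            for field, op in {(f, op) for f, op, _ in _combos(rule, "predicates")}:
                out[field][op] += 1
    return {field: dict(ops) for field, ops in out.items()}


def top_indicators(rules, technique):
    """Rows ranked by rules-under-technique. corpus_reach is None (blank on the page) when
    no rule outside the technique checks the same combination."""
    in_tech, corpus = _count(rules, technique, "predicates")
    rows = []
    for (field, op, value), n in in_tech.most_common():
        reach = corpus[(field, op, value)]
        rows.append({"field": field, "op": op, "value": value, "rules": n,
                     "corpus_reach": reach if reach > n else None})
    return rows


def top_exclusions(rules, technique):
    """Top-level not() combinations ranked by how many rules under the technique exclude them."""
    in_tech, _ = _count(rules, technique, "exclusions")
    return [{"field": f, "op": op, "value": v, "rules": n}
            for (f, op, v), n in in_tech.most_common()]


# Constructed sample rules (not real catalog entries), one predicate list and one
# exclusion list each, as (field, operator, value) triples in the vendor's own field names.
LSA_KEY = "\\Control\\Lsa\\Notification Packages"  # where password-filter DLLs are registered
SAMPLE_RULES = [
    {"id": "sigma-password-filter", "vendor": "sigma", "techniques": {"T1556"},
     "predicates": [("TargetObject", "contains", LSA_KEY)], "exclusions": []},
    {"id": "elastic-password-filter", "vendor": "elastic", "techniques": {"T1556"},
     "predicates": [("registry.path", "contains", LSA_KEY), ("process.name", "eq", "rundll32.exe")],
     "exclusions": [("process.name", "eq", "svchost.exe")]},
    {"id": "splunk-lsa-tamper", "vendor": "splunk", "techniques": {"T1556", "T1112"},
     # the duplicated predicate must not count twice
     "predicates": [("registry_path", "contains", LSA_KEY), ("process_name", "eq", "rundll32.exe"),
                    ("process_name", "eq", "rundll32.exe")],
     "exclusions": [("process_name", "eq", "svchost.exe")]},
    {"id": "elastic-rundll32-proxy", "vendor": "elastic", "techniques": {"T1218"},
     "predicates": [("process.name", "eq", "rundll32.exe")], "exclusions": []},
]

if __name__ == "__main__":
    for row in top_indicators(SAMPLE_RULES, "T1556"):
        print(row)
    print(top_exclusions(SAMPLE_RULES, "T1556"))
    print(fields_filtered(SAMPLE_RULES, "T1556"))
```

On the sample set the registry-path indicator is checked by all three T1556 rules and by nothing else, so its corpus reach renders blank, while process_name eq rundll32.exe is used by two T1556 rules but reaches three across the catalog because the T1218 rule checks it too: that gap between the two counts is exactly the "noisy on its own" signal the guide describes, and the rule in the example only gets value from the combination with the registry predicate.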
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma 20 rules
- AWS Identity Center Identity Provider Change
- Azure AD Only Single Factor Authentication Required
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- Change to Authentication Method
- Cisco Dot1x Disabled
- Directory Service Restore Mode(DSRM) Registry Value Tampering
- Disabled MFA to Bypass Authentication Mechanisms
- Disabling Multi Factor Authentication
- Dropping Of Password Filter DLL
- Github High Risk Configuration Disabled
- macOS Configuration Profile Installation
- New Root Certificate Authority Added
- Okta MFA Reset or Deactivated
- Possible Shadow Credentials Added
- Potential Suspicious Activity Using SeCEdit
- Powershell Install a DLL in System Directory
- User Added To Group With CA Policy Modification Access
- User Removed From Group With CA Policy Modification Access
Elastic 42 rules
- Attempt to Deactivate an Okta Policy
- Attempt to Deactivate an Okta Policy Rule
- Attempt to Delete an Okta Policy
- Attempt to Modify an Okta Policy
- Attempt to Reset MFA Factors for an Okta User Account
- Authentication via Unusual PAM Grantor
- Authorization Plugin Modification
- AWS IAM Deactivation of MFA Device
- AWS IAM Roles Anywhere Trust Anchor Created with External CA
- AWS IAM Virtual MFA Device Registration Attempt with Session Token
- AWS RDS DB Instance Made Public
- AWS STS AssumeRole with New MFA Device
- Entra ID Conditional Access Policy (CAP) Modified
- Entra ID Domain Federation Configuration Change
- Entra ID External Authentication Methods (EAM) Modified
- Entra ID MFA Disabled for User
- Entra ID Protection - Risk Detection - Sign-in Risk
- Entra ID Protection - Risk Detection - User Risk
- Entra ID User Sign-in with Unusual Authentication Type
- Google Workspace 2SV Policy Disabled
- Google Workspace MFA Enforcement Disabled
- MFA Deactivation with no Re-Activation for Okta User Account
- MFA Disabled for Google Workspace Organization
- Mimikatz Memssp Log File Detected
- Modification or Removal of an Okta Application Sign-On Policy
- Network Logon Provider Registry Modification
- New Okta Identity Provider (IdP) Added by Admin
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Source Download
- Pluggable Authentication Module (PAM) Version Discovery
- Pluggable Authentication Module or Configuration Creation
- Polkit Policy Creation
- Potential Backdoor Execution Through PAM_EXEC
- Potential Execution via SSH Backdoor
- Potential OpenSSH Backdoor Logging Activity
- Potential Persistence via File Modification
- Potential Shadow Credentials added to AD Object
- Potential SSH Password Grabbing via strace
- Renaming of OpenSSH Binaries
- Stolen Credentials Used to Login to Okta Account After MFA Reset
- Untrusted DLL Loaded by Azure AD Connect Authentication Agent
- Unusual Process Modifying GenAI Configuration File
Splunk 35 rules
- ASL AWS Multi-Factor Authentication Disabled
- ASL AWS New MFA Method Registered For User
- AWS Multi-Factor Authentication Disabled
- AWS New MFA Method Registered For User
- Azure AD Multi-Factor Authentication Disabled
- Azure AD New MFA Method Registered For User
- Cisco ASA - AAA Policy Tampering
- Cisco Duo Admin Login Unusual Browser
- Cisco Duo Admin Login Unusual Country
- Cisco Duo Admin Login Unusual Os
- Cisco Duo Bulk Policy Deletion
- Cisco Duo Bypass Code Generation
- Cisco Duo Policy Allow Devices Without Screen Lock
- Cisco Duo Policy Allow Network Bypass 2FA
- Cisco Duo Policy Allow Old Flash
- Cisco Duo Policy Allow Old Java
- Cisco Duo Policy Allow Tampered Devices
- Cisco Duo Policy Bypass 2FA
- Cisco Duo Policy Deny Access
- Cisco Duo Policy Skip 2FA for Other Countries
- Cisco Duo Set User Status to Bypass 2FA
- Cisco Network Interface Modifications
- Disabling Windows Local Security Authority Defences via Registry
- GCP Multi-Factor Authentication Disabled
- O365 Disable MFA
- O365 Excessive SSO logon errors
- Okta Multi-Factor Authentication Disabled
- Okta Phishing Detection with FastPass Origin Check
- PingID Mismatch Auth Source and Verification Response
- PingID New MFA Method After Credential Reset
- PingID New MFA Method Registered For User
- Potential LSA password filter (PowerShell)
- Potential LSA password filter (Windows Event Log)
- Suspicious Certificate Authentication (Windows Event Log)
- Suspicious Certificate Modification (Windows Event Log)
Kusto 21 rules
- AWS Security Hub - Detect root user lacking MFA
- Azure secure score block legacy authentication
- BTP - Cloud Identity Service application configuration monitor
- BTP - Trust and authorization Identity Provider monitor
- Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
- Detect changes to Connect Sync Application
- Detect credential add to Connect Sync Application
- Detect suspicious conditional access policy modifications
- Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
- External User Access Enabled
- F&O - Bank account change following network alias reassignment
- F&O - Non-interactive account mapped to self or sensitive privileged user
- GitLab - Repository visibility to Public
- Keeper Security - Password Changed
- Keeper Security - User MFA Changed
- Multi-Factor Authentication Disabled for a User
- New Device/Location sign-in along with critical operation
- Red Sift - MFA disabled on account
- Rouge RDP: Suspicious File Creation
- Suspicious Sign In Followed by MFA Modification
- VMware ESXi - Root password changed
YARA-L 5 rules
- AWS MultiFactor Authentication Disabled
- AWS New MFA Method Registered For User
- Google Workspace MFA Disabled
- Okta User Password and MFA Factor Reset or Deactivated
- OneLogin User Authentication Factor Removed
Panther 31 rules
- AppOmni Alert Passthrough
- Azure Authentication Methods Policy OIDC Discovery URL Changed
- Azure Domain Federation Settings Modified
- Azure MFA Disabled
- Crowdstrike IP Allowlist Changed
- Crowdstrike Single IP Allowlisted
- Databricks MFA Key Change
- Databricks SSO Configuration Changed
- GCP Org or Folder Policy Was Changed Manually
- GSuite User Two Step Verification Change
- MFA Disabled
- Microsoft365 MFA Disabled
- MongoDB access allowed from anywhere
- MongoDB Identity Provider Activity
- MongoDB org membership restriction disabled
- Okta AiTM Phishing Attempt Blocked by FastPass
- Okta Authentication Bypass via Skeleton Key Injection - Behavioral
- Okta Cleartext Passwords Extracted via SCIM Application
- Okta Identity Provider Created or Modified
- Okta MFA Globally Disabled
- Okta Org2Org application created of modified
- Okta Sign-In from VPN Anonymizer
- OneLogin Authentication Factor Removed
- Slack IDP Configuration Changed
- Slack MFA Settings Changed
- Slack SSO Settings Changed
- Snowflake Login Without MFA
- Snowflake Login Without MFA
- Wiz Update IP Restrictions
- Wiz Update Login Settings
- ZIA Insecure Password Settings