Clankerusecase
MITRE ATT&CK detection coverage

T1556 Modify Authentication Process

T1556 — Modify Authentication Process is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 49 detection use cases covering it and 8 threat-intel articles citing it.

Tactics: Defense Evasion · Persistence · Credential Access
49 use cases · 8 articles · 9 sub-techniques · 3 tactics

Sub-techniques (9)

Use cases covering this technique (49)

JWT authentication bypass attempt | Internal delivery · alerting | DD
Auth0 breached-password detection disabled | Internal install · alerting | DD
Auth0 brute-force protection disabled | Internal install · alerting | DD
Auth0 suspicious-IP throttling disabled | Internal install · alerting | DD
Azure AD MFA disabled for a user | Internal install · alerting | DD
Confluence global security setting changed | Internal install · alerting | DD
Datadog organization login method changed | Internal install · alerting | DD
Cisco Duo emergency bypass code created | Internal install · alerting | DD
GitHub organization 2FA requirement removed | Internal install · alerting | DD
GitHub SAML/OIDC SSO disabled | Internal install · alerting | DD
GitLab user MFA disabled | Internal install · alerting | DD
GitLab password reset from suspicious IP | Internal delivery · alerting | DD
GitLab SSO disabled | Internal install · alerting | DD
Google Workspace admin disabled 2SV for OU | Internal install · alerting | DD
Google Workspace user disabled 2SV on own account | Internal install · alerting | DD
M365 MFA disabled for a user | Internal install · alerting | DD
MongoDB authentication disabled | Internal install · alerting | DD
Okta authentication / sign-on policy modified | Internal install · alerting | DD
Okta MFA bypass attempt | Internal delivery · alerting | DD
PostgreSQL authentication method modified | Internal install · alerting | DD
[WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes | Internal exploit · alerting | DSPDDCW
Cisco Duo Admin Login Unusual Browser | ESCU actions · alerting | P
Cisco Duo Admin Login Unusual Country | ESCU actions · alerting | P
Cisco Duo Admin Login Unusual Os | ESCU actions · alerting | P
Cisco Duo Bulk Policy Deletion | ESCU actions · alerting | P
Cisco Duo Bypass Code Generation | ESCU actions · alerting | P
Cisco Duo Policy Allow Devices Without Screen Lock | ESCU actions · alerting | P
Cisco Duo Policy Allow Network Bypass 2FA | ESCU actions · alerting | P
Cisco Duo Policy Allow Old Flash | ESCU actions · alerting | P
Cisco Duo Policy Allow Old Java | ESCU actions · alerting | P
Cisco Duo Policy Allow Tampered Devices | ESCU actions · alerting | P
Cisco Duo Policy Bypass 2FA | ESCU actions · alerting | P
Cisco Duo Policy Deny Access | ESCU actions · alerting | P
Cisco Duo Policy Skip 2FA for Other Countries | ESCU actions · alerting | P
Cisco Duo Set User Status to Bypass 2FA | ESCU actions · alerting | P
Okta Phishing Detection with FastPass Origin Check | ESCU actions · alerting | P
O365 Disable MFA | ESCU actions · alerting | P
O365 Excessive SSO logon errors | ESCU actions · hunting | P
Disabling Windows Local Security Authority Defences via Registry | ESCU actions · alerting | P
Cisco Network Interface Modifications | ESCU actions · hunting | P
[LLM] Velvet Ant PAM backdoor — unauthorized pam_unix.so / PAM module modification on Linux | Bespoke install · alerting | DSΣPDDCS
[LLM] Velvet Ant trojanized OpenSSH — unauthorized sshd/ssh/scp binary replacement | Bespoke install · alerting | DSΣPDDCS
[LLM] Unauthorized modification of OpenSSH sshd or ssh client binary | Bespoke install · alerting | DSΣPDDCS
[LLM] pfSense / firewall config change enabling Web SSL VPN after admin login | Bespoke install · hunting | SPDD
[LLM] praisonai-platform: identity-swap chain — owner grant followed by login from the granted account | Bespoke actions · hunting | DSPDD
[LLM] Shadow Credentials: msDS-KeyCredentialLink attribute modification | Bespoke install · alerting | DSΣPDDCS
[LLM] Qinglong CVE-2026-3965 auth bypass via /open/user/init credential reset | Bespoke exploit · alerting | DSΣPDDCS
[LLM] DNS / outbound connection to npnjs[.]com phishing infrastructure | Bespoke delivery · alerting | DSΣPDD
[LLM] Next.js CVE-2025-29927 middleware bypass via x-middleware-subrequest header | Bespoke exploit · alerting | DSΣPDDCS

Articles citing this technique (8)