T1556

Modify Authentication Process

Credential Access Defense Evasion Persistence

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems. By modifying an authentication process, an adversary may authenticate to a service or system without using valid accounts, or may passively harvest credentials as users authenticate. Techniques include registering malicious password filter DLLs that receive plaintext passwords during every password change, injecting security support providers (SSPs) into LSASS to intercept credentials, installing skeleton keys to accept any password for domain accounts, modifying PAM stack configuration files to permit unauthorized access, and replacing legitimate authentication binaries with trojanized versions that exfiltrate credentials.

Microsoft Sentinel / Defender

kusto

// T1556: Modify Authentication Process
// Detects modifications to Windows LSA authentication registry keys used to register
// password filter DLLs, SSPs, auth packages, network providers, and GINA DLLs.
// These are the primary persistence paths for credential interception malware
// such as skeleton key (Secureworks), Ebury, Kessel, and SILENTTRINITY.
let LsaRegistryPaths = dynamic([
    "CurrentControlSet\\Control\\Lsa\\Notification Packages",
    "CurrentControlSet\\Control\\Lsa\\Security Packages",
    "CurrentControlSet\\Control\\Lsa\\Authentication Packages",
    "CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages",
    "CurrentControlSet\\Control\\NetworkProvider\\Order",
    "CurrentVersion\\Winlogon\\GinaDLL",
    "CurrentVersion\\Authentication\\Credential Providers"
]);
let TrustedModifiers = dynamic([
    "TrustedInstaller.exe", "MsMpEng.exe", "msiexec.exe",
    "wuauclt.exe", "WindowsUpdateAgent.exe", "svchost.exe"
]);
let LsaLoadEvents = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "lsass.exe"
| where not(FileName in~ (
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "msvcrt.dll",
    "kerberos.dll", "msv1_0.dll", "wdigest.dll", "tspkg.dll",
    "pku2u.dll", "cloudap.dll", "schannel.dll", "cryptdll.dll",
    "samsrv.dll", "lsasrv.dll", "netlogon.dll", "ntlmshared.dll"
))
| extend DetectionSource = "LsassUnexpectedDllLoad"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          DetectionType = "Unexpected DLL Load by LSASS",
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          DllName = FileName, DllPath = FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
let RegistryMods = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (LsaRegistryPaths)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where not(InitiatingProcessFileName has_any (TrustedModifiers))
| extend DetectionType = case(
    RegistryKey has "Notification Packages", "Password Filter DLL Registration",
    RegistryKey has "Security Packages" and not (RegistryKey has "OSConfig"), "Security Support Provider (SSP) Registration",
    RegistryKey has "Authentication Packages", "Authentication Package Registration",
    RegistryKey has "NetworkProvider", "Network Provider DLL Registration",
    RegistryKey has "GinaDLL", "GINA DLL Modification",
    RegistryKey has "Credential Providers", "Credential Provider Registration",
    "LSA Authentication Configuration Modification"
)
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey, RegistryValueName, RegistryValueData,
          DllName = "", DllPath = "", SHA256 = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine;
RegistryMods
| union LsaLoadEvents
| extend IsDomainController = DeviceName has_any ("DC", "PDC", "BDC", "RODC")
| sort by Timestamp desc

critical severity high confidence

Data Sources

Registry: Registry Key Modification Module: Module Load Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceImageLoadEvents

False Positives

Legitimate MFA solutions (Duo Security, Okta Verify, RSA SecurID) that install custom credential provider DLLs during initial setup — filter by InitiatingProcessFileName = msiexec.exe and correlate with change management tickets
Enterprise privileged access management tools (CyberArk, BeyondTrust, Centrify) that register authentication packages — build an allowlist of their specific DLL names
Windows Defender Credential Guard enabling LSA protection, which modifies LSA configuration keys — these changes come from svchost.exe or TrustedInstaller
Third-party VPN clients and smart card middleware that install network provider DLLs or credential providers as part of software installation
Password manager enterprise editions (LastPass Enterprise, 1Password Business) installing Windows credential provider extensions

Splunk

spl

index=wineventlog (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=13 OR EventCode=7))
    OR (sourcetype="WinEventLog:Security" (EventCode=4657 OR EventCode=4614 OR EventCode=4610))
)
| eval TargetPath=coalesce(TargetObject, ObjectName)
| eval InitProcess=coalesce(Image, ProcessName)
| eval LoadedImage=coalesce(ImageLoaded, "")
| eval User=coalesce(User, SubjectUserName)
```
-- Branch 1: Sysmon Registry Value Set (EventCode=13) on LSA keys
```
| eval IsAuthRegistryMod=if(
    EventCode=13 AND (
        like(TargetPath, "%\\Control\\Lsa\\Notification Packages%") OR
        like(TargetPath, "%\\Control\\Lsa\\Security Packages%") OR
        like(TargetPath, "%\\Control\\Lsa\\Authentication Packages%") OR
        like(TargetPath, "%\\Control\\NetworkProvider\\Order%") OR
        like(TargetPath, "%\\Winlogon\\GinaDLL%") OR
        like(TargetPath, "%\\Authentication\\Credential Providers%")
    ), 1, 0)
```
-- Branch 2: Windows Security audit of notification/auth package loading
```
| eval IsAuthPackageLoad=if(
    (EventCode=4614 OR EventCode=4610),
    1, 0)
```
-- Branch 3: Sysmon Image Load (EventCode=7) by lsass for unexpected DLLs
```
| eval IsLsassLoad=if(
    EventCode=7 AND like(InitProcess, "%lsass.exe") AND NOT (
        like(LoadedImage, "%\\ntdll.dll") OR like(LoadedImage, "%\\kernel32.dll") OR
        like(LoadedImage, "%\\kerberos.dll") OR like(LoadedImage, "%\\msv1_0.dll") OR
        like(LoadedImage, "%\\wdigest.dll") OR like(LoadedImage, "%\\tspkg.dll") OR
        like(LoadedImage, "%\\pku2u.dll") OR like(LoadedImage, "%\\lsasrv.dll") OR
        like(LoadedImage, "%\\samsrv.dll") OR like(LoadedImage, "%\\netlogon.dll") OR
        like(LoadedImage, "%\\schannel.dll") OR like(LoadedImage, "%\\cloudap.dll")
    ), 1, 0)
| where IsAuthRegistryMod=1 OR IsAuthPackageLoad=1 OR IsLsassLoad=1
| where NOT (like(InitProcess, "%TrustedInstaller.exe") OR like(InitProcess, "%MsMpEng.exe") OR like(InitProcess, "%msiexec.exe") OR like(InitProcess, "%wuauclt.exe"))
| eval DetectionType=case(
    IsLsassLoad=1, "Unexpected DLL Load by LSASS",
    IsAuthPackageLoad=1, "Authentication Package Loaded by SAM/LSA",
    like(TargetPath, "%Notification Packages%"), "Password Filter DLL Registration",
    like(TargetPath, "%Security Packages%"), "SSP Registration",
    like(TargetPath, "%Authentication Packages%"), "Authentication Package Registration",
    like(TargetPath, "%NetworkProvider%"), "Network Provider DLL Registration",
    like(TargetPath, "%GinaDLL%"), "GINA DLL Modification",
    true(), "LSA Authentication Modification"
)
| eval Severity=case(
    DetectionType="Password Filter DLL Registration", "Critical",
    DetectionType="SSP Registration", "Critical",
    DetectionType="GINA DLL Modification", "Critical",
    DetectionType="Unexpected DLL Load by LSASS", "High",
    true(), "High"
)
| table _time, host, User, DetectionType, Severity, TargetPath, Details, LoadedImage, InitProcess, CommandLine
| sort - _time

critical severity high confidence

Data Sources

Registry: Registry Key Modification Module: Module Load Sysmon Event ID 13 Sysmon Event ID 7 Windows Security Event ID 4610 Windows Security Event ID 4614 Windows Security Event ID 4657

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate MFA and PAM solutions registering credential providers during software installation
Enterprise identity platforms (CyberArk EPM, BeyondTrust) installing authentication packages
Smart card middleware and PIV/CAC reader software registering PKCS#11 authentication modules
Windows Defender Credential Guard configuration changes — correlate with known patch cycles and change tickets

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "registry" and
    event.type in ("change", "creation") and
    registry.path : (
      "*\\Control\\Lsa\\Notification Packages*",
      "*\\Control\\Lsa\\Security Packages*",
      "*\\Control\\Lsa\\Authentication Packages*",
      "*\\Control\\Lsa\\OSConfig\\Security Packages*",
      "*\\Control\\NetworkProvider\\Order*",
      "*\\CurrentVersion\\Winlogon\\GinaDLL*",
      "*\\CurrentVersion\\Authentication\\Credential Providers*"
    ) and
    not process.name : (
      "TrustedInstaller.exe", "MsMpEng.exe", "msiexec.exe",
      "wuauclt.exe", "WindowsUpdateAgent.exe", "svchost.exe"
    )
  )
  or
  (
    event.category == "library" and
    process.name : "lsass.exe" and
    not dll.name : (
      "ntdll.dll", "kernel32.dll", "kernelbase.dll", "msvcrt.dll",
      "kerberos.dll", "msv1_0.dll", "wdigest.dll", "tspkg.dll",
      "pku2u.dll", "cloudap.dll", "schannel.dll", "cryptdll.dll",
      "samsrv.dll", "lsasrv.dll", "netlogon.dll", "ntlmshared.dll"
    )
  )
  or
  (
    event.category == "authentication" and
    event.code in ("4610", "4614")
  )
)

critical severity high confidence

Data Sources

Elastic Security Endpoint (elastic-agent with endpoint integration) Winlogbeat with Sysmon (EventCode 7, 13) Windows Security Event Logs (EventID 4610, 4614) via Winlogbeat or Elastic Agent

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.library-* logs-windows.forwarded-* winlogbeat-*

False Positives

Third-party MFA or smart card middleware (Duo Security, RSA Authentication Agent, Yubico, PIV/PKINIT providers) registering credential provider DLLs during initial installation or agent update
Enterprise VPN or network authentication clients (Cisco AnyConnect, Palo Alto GlobalProtect) adding entries to the NetworkProvider Order key as part of their split-tunneling or authentication components
Endpoint security products (CrowdStrike Falcon, Carbon Black, Symantec DLP) loading inspection DLLs into lsass.exe during sensor installation or major version upgrades — typically a one-time event at install time rather than recurring

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserName,
  eventid AS EventID,
  "TargetObject" AS RegistryPath,
  "Image" AS InitiatingProcess,
  "ImageLoaded" AS LoadedDLL,
  CASE
    WHEN eventid = 7 THEN 'Unexpected DLL Load by LSASS'
    WHEN eventid IN (4610, 4614) THEN 'Authentication Package Loaded by SAM/LSA'
    WHEN "TargetObject" ILIKE '%Notification Packages%' THEN 'Password Filter DLL Registration'
    WHEN "TargetObject" ILIKE '%Security Packages%' AND "TargetObject" NOT ILIKE '%OSConfig%' THEN 'SSP Registration'
    WHEN "TargetObject" ILIKE '%Authentication Packages%' THEN 'Authentication Package Registration'
    WHEN "TargetObject" ILIKE '%NetworkProvider%' THEN 'Network Provider DLL Registration'
    WHEN "TargetObject" ILIKE '%GinaDLL%' THEN 'GINA DLL Modification'
    WHEN "TargetObject" ILIKE '%Credential Providers%' THEN 'Credential Provider Registration'
    ELSE 'LSA Authentication Configuration Modification'
  END AS DetectionType,
  CASE
    WHEN "TargetObject" ILIKE '%Notification Packages%' THEN 'Critical'
    WHEN "TargetObject" ILIKE '%Security Packages%' THEN 'Critical'
    WHEN "TargetObject" ILIKE '%GinaDLL%' THEN 'Critical'
    ELSE 'High'
  END AS Severity
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    (
      eventid = 13
      AND (
        "TargetObject" ILIKE '%\Control\Lsa\Notification Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\Security Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\Authentication Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\OSConfig\Security Packages%'
        OR "TargetObject" ILIKE '%\Control\NetworkProvider\Order%'
        OR "TargetObject" ILIKE '%\CurrentVersion\Winlogon\GinaDLL%'
        OR "TargetObject" ILIKE '%\CurrentVersion\Authentication\Credential Providers%'
      )
      AND "Image" NOT ILIKE '%TrustedInstaller.exe'
      AND "Image" NOT ILIKE '%MsMpEng.exe'
      AND "Image" NOT ILIKE '%msiexec.exe'
      AND "Image" NOT ILIKE '%wuauclt.exe'
    )
    OR (
      eventid IN (4610, 4614)
    )
    OR (
      eventid = 7
      AND "Image" ILIKE '%lsass.exe'
      AND "ImageLoaded" NOT ILIKE '%\ntdll.dll'
      AND "ImageLoaded" NOT ILIKE '%\kernel32.dll'
      AND "ImageLoaded" NOT ILIKE '%\kernelbase.dll'
      AND "ImageLoaded" NOT ILIKE '%\kerberos.dll'
      AND "ImageLoaded" NOT ILIKE '%\msv1_0.dll'
      AND "ImageLoaded" NOT ILIKE '%\wdigest.dll'
      AND "ImageLoaded" NOT ILIKE '%\tspkg.dll'
      AND "ImageLoaded" NOT ILIKE '%\pku2u.dll'
      AND "ImageLoaded" NOT ILIKE '%\cloudap.dll'
      AND "ImageLoaded" NOT ILIKE '%\schannel.dll'
      AND "ImageLoaded" NOT ILIKE '%\cryptdll.dll'
      AND "ImageLoaded" NOT ILIKE '%\samsrv.dll'
      AND "ImageLoaded" NOT ILIKE '%\lsasrv.dll'
      AND "ImageLoaded" NOT ILIKE '%\netlogon.dll'
      AND "ImageLoaded" NOT ILIKE '%\ntlmshared.dll'
      AND "ImageLoaded" NOT ILIKE '%\msvcrt.dll'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Microsoft Sysmon (QRadar custom DSM or Universal DSM) Snare for Windows (fallback for environments without Sysmon)

Required Tables

events

False Positives

Windows Update or WSUS pushing authentication provider updates via TrustedInstaller or wuauclt — the NOT filter excludes these processes but watch for unusual update timing outside maintenance windows
Domain-joined systems receiving GPO-deployed authentication packages during domain setup or policy refresh — Kerberos extensions, smart card middleware, and DirectAccess components can all trigger legitimate LSA key writes
Security product installation or major version upgrades (endpoint DLP, PAM agents, CASB proxies) that register credential provider DLLs for credential capture or SSO interception features

Sumo Logic CSE

sql

(_sourceCategory=os/windows OR _sourceCategory=windows/sysmon OR _sourceCategory=wineventlog)
| parse regex "(?:EventCode|EventID)[=:\s>]+(?:<[^>]+>)?(?P<EventCode>\d+)" nodrop
| parse regex "(?:TargetObject|ObjectName)[=:\s>]+(?:<[^>]+>)?(?P<TargetObject>[^\n<]+)" nodrop
| parse regex "(?<!Loaded)(?:Image)[=:\s>]+(?:<[^>]+>)?(?P<Image>[^\n<]+)" nodrop
| parse regex "ImageLoaded[=:\s>]+(?:<[^>]+>)?(?P<ImageLoaded>[^\n<]+)" nodrop
| parse regex "(?:User|SubjectUserName)[=:\s>]+(?:<[^>]+>)?(?P<User>[^\n<]+)" nodrop
| where (
    (
      EventCode = "13" AND (
        TargetObject contains "\Control\Lsa\Notification Packages" OR
        TargetObject contains "\Control\Lsa\Security Packages" OR
        TargetObject contains "\Control\Lsa\Authentication Packages" OR
        TargetObject contains "\Control\Lsa\OSConfig" OR
        TargetObject contains "\Control\NetworkProvider\Order" OR
        TargetObject contains "\Winlogon\GinaDLL" OR
        TargetObject contains "\Authentication\Credential Providers"
      )
    )
    OR EventCode in ("4610", "4614")
    OR (
      EventCode = "7" AND
      Image matches "*lsass.exe" AND NOT (
        ImageLoaded matches "*\ntdll.dll" OR
        ImageLoaded matches "*\kernel32.dll" OR
        ImageLoaded matches "*\kernelbase.dll" OR
        ImageLoaded matches "*\kerberos.dll" OR
        ImageLoaded matches "*\msv1_0.dll" OR
        ImageLoaded matches "*\wdigest.dll" OR
        ImageLoaded matches "*\tspkg.dll" OR
        ImageLoaded matches "*\pku2u.dll" OR
        ImageLoaded matches "*\cloudap.dll" OR
        ImageLoaded matches "*\schannel.dll" OR
        ImageLoaded matches "*\cryptdll.dll" OR
        ImageLoaded matches "*\samsrv.dll" OR
        ImageLoaded matches "*\lsasrv.dll" OR
        ImageLoaded matches "*\netlogon.dll" OR
        ImageLoaded matches "*\ntlmshared.dll" OR
        ImageLoaded matches "*\msvcrt.dll"
      )
    )
  )
| where NOT (
    Image matches "*TrustedInstaller.exe" OR
    Image matches "*MsMpEng.exe" OR
    Image matches "*msiexec.exe" OR
    Image matches "*wuauclt.exe"
  )
| eval DetectionType = if(EventCode = "7", "Unexpected DLL Load by LSASS",
    if(EventCode in ("4610","4614"), "Authentication Package Loaded by LSA",
    if(TargetObject contains "Notification Packages", "Password Filter DLL Registration",
    if(TargetObject contains "Security Packages", "SSP Registration",
    if(TargetObject contains "Authentication Packages", "Authentication Package Registration",
    if(TargetObject contains "NetworkProvider", "Network Provider DLL Registration",
    if(TargetObject contains "GinaDLL", "GINA DLL Modification",
    "LSA Authentication Modification")))))))
| eval Severity = if(DetectionType in ("Password Filter DLL Registration", "SSP Registration", "GINA DLL Modification"), "Critical", "High")
| fields _messageTime, _sourceHost, User, DetectionType, Severity, EventCode, TargetObject, ImageLoaded, Image
| sort - _messageTime

critical severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log source) Sumo Logic Installed Collector (Sysmon operational log source) Sumo Logic Cloud Syslog for Windows Event Forwarding (WEF)

Required Tables

Sumo Logic partition containing Windows/Sysmon events (default or custom partition per _sourceCategory)

False Positives

Software deployment tooling (SCCM, Intune, PDQ Deploy) using msiexec to install authentication-related software — msiexec is excluded by the NOT filter but installer child processes that write registry keys directly may not be
Antivirus or DLP products with credential inspection features loading monitoring hooks into lsass.exe — common in enterprise environments with Symantec DLP, Forcepoint DLP, or McAfee MVISION deployed to endpoints
Identity Provider integrations (Okta Verify, Azure AD Connect, Ping Identity, OneLogin) registering credential provider DLLs as part of enterprise SSO or passwordless authentication rollouts

Google Chronicle / SecOps

yaral

rule t1556_lsa_registry_modification {
  meta:
    author = "Detection Engineering"
    description = "T1556 - LSA authentication registry modification for credential interception. Covers Notification Packages (password filter DLLs), Security Packages (SSPs), Authentication Packages, NetworkProvider Order, GinaDLL, and Credential Providers keys."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1556/"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Notification Packages`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Security Packages`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Authentication Packages`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\OSConfig`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\NetworkProvider\\Order`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\CurrentVersion\\Winlogon\\GinaDLL`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\CurrentVersion\\Authentication\\Credential Providers`)
    )
    not re.regex($reg.principal.process.file.full_path, `(?i)(TrustedInstaller\.exe|MsMpEng\.exe|msiexec\.exe|wuauclt\.exe|WindowsUpdateAgent\.exe)`)

  condition:
    $reg
}

rule t1556_lsass_unexpected_dll_load {
  meta:
    author = "Detection Engineering"
    description = "T1556 - Unexpected DLL loaded by lsass.exe, indicative of SSP injection, in-memory password filter registration, or skeleton key implant. Filters known-good authentication DLL baseline."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1556/"

  events:
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    re.regex($load.principal.process.file.full_path, `(?i)[/\\]lsass\.exe$`)
    not re.regex($load.target.file.full_path, `(?i)(ntdll\.dll|kernel32\.dll|kernelbase\.dll|msvcrt\.dll|kerberos\.dll|msv1_0\.dll|wdigest\.dll|tspkg\.dll|pku2u\.dll|cloudap\.dll|schannel\.dll|cryptdll\.dll|samsrv\.dll|lsasrv\.dll|netlogon\.dll|ntlmshared\.dll|rassfm\.dll|svrt\.dll)$`)

  condition:
    $load
}

critical severity high confidence

Data Sources

Google Security Operations (Chronicle SIEM) Windows Sysmon via Chronicle forwarder agent (EventCode 7, 13) Microsoft Defender for Endpoint via Chronicle integration (DeviceRegistryEvents, DeviceImageLoadEvents) Windows Event Forwarding (WEF) ingested via Chronicle

Required Tables

UDM Events — REGISTRY_MODIFICATION event type UDM Events — PROCESS_MODULE_LOAD event type

False Positives

Microsoft Credential Guard or Virtualization-Based Security (VBS) initialization loading isolation shim DLLs into lsass.exe during the Windows secure boot sequence on Hyper-V or hardware VBS-enabled endpoints
Domain controller promotion (dcpromo) or AD DS / AD LDS role installation modifying authentication packages and security packages as part of legitimate domain controller setup
Enterprise PKI or certificate authority software (DigiCert, Entrust, ADCS) registering cryptographic service providers or minidriver DLLs into the LSA credential provider chain during initial deployment

CrowdStrike LogScale (CQL)

cql

// T1556 - Modify Authentication Process
// Branch 1: LSA registry ASEP modifications (Sysmon EventCode 13 equivalent)
// Branch 2: Unexpected DLL loads by lsass.exe (Sysmon EventCode 7 equivalent)

(#event_simpleName = "AsepValueUpdate" OR #event_simpleName = "ClassicImageLoad")
| case {
    #event_simpleName = "AsepValueUpdate" |
      RegistryPath = /(?i)(\\Control\\Lsa\\Notification Packages|\\Control\\Lsa\\Security Packages|\\Control\\Lsa\\Authentication Packages|\\Control\\Lsa\\OSConfig|\\Control\\NetworkProvider\\Order|\\Winlogon\\GinaDLL|\\Authentication\\Credential Providers)/ |
      ImageFileName != /(?i)(TrustedInstaller\.exe|MsMpEng\.exe|msiexec\.exe|wuauclt\.exe|WindowsUpdateAgent\.exe)/ |
      DetectionType := "LSA Registry Modification" ;
    #event_simpleName = "ClassicImageLoad" |
      TargetProcessFileName = /(?i)[/\\]lsass\.exe$/ |
      ImageFileName != /(?i)(ntdll\.dll|kernel32\.dll|kernelbase\.dll|msvcrt\.dll|kerberos\.dll|msv1_0\.dll|wdigest\.dll|tspkg\.dll|pku2u\.dll|cloudap\.dll|schannel\.dll|cryptdll\.dll|samsrv\.dll|lsasrv\.dll|netlogon\.dll|ntlmshared\.dll|rassfm\.dll)$/ |
      DetectionType := "Unexpected DLL Load by LSASS" ;
    * | drop()
  }
| table(
    [timestamp, ComputerName, UserName, DetectionType,
     RegistryPath, RegistryValueData, ImageFileName,
     TargetProcessFileName, CommandLine, SHA256HashData]
  )
| sort(field=timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Insight XDR (AsepValueUpdate, ClassicImageLoad event streams) CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike LogScale (Humio) with Falcon event ingestion

Required Tables

AsepValueUpdate (Falcon streaming event) ClassicImageLoad (Falcon streaming event)

False Positives

CrowdStrike Falcon sensor itself or Falcon Complete managed response operations performing ASEP modifications during sensor update cycles — these appear as AsepValueUpdate events from CrowdStrike-signed processes and can be filtered by SHA256HashData against CrowdStrike's known-good hash list
Windows in-place feature updates (e.g., 22H2 to 23H2) modifying authentication packages during the OS upgrade phase — generates a burst of legitimate ASEP changes from TrustedInstaller that coincide with the upgrade window
Third-party PAM solutions (BeyondTrust Password Safe, CyberArk Endpoint Privilege Manager, Delinea Secret Server) registering credential provider DLLs on managed endpoints during agent deployment — identifiable by consistent software-deployment parent process chains

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Modify Authentication Process

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (9)

Same Tactic: Credential Access

Popular Detections