Which SIEM platforms have a T1556 detection rule?

df00tech provides T1556 (Modify Authentication Process) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1556 detection?

The T1556 detection is rated critical severity with high confidence.

What are common false positives for T1556?

Common false positives for T1556 include: Legitimate MFA solutions (Duo Security, Okta Verify, RSA SecurID) that install custom credential provider DLLs during initial setup — filter by InitiatingProcessFileName = msiexec.exe and correlate with change management tickets; Enterprise privileged access management tools (CyberArk, BeyondTrust, Centrify) that register authentication packages — build an allowlist of their specific DLL names; Windows Defender Credential Guard enabling LSA protection, which modifies LSA configuration keys — these changes come from svchost.exe or TrustedInstaller.

T1556

Modify Authentication Process

Q: What data sources are required to detect Modify Authentication Process (T1556)?

Detecting Modify Authentication Process requires the following data sources: Registry: Registry Key Modification, Module: Module Load, Process: Process Creation, Microsoft Defender for Endpoint.

Credential Access Defense Evasion Persistence Last updated: April 13, 2026

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems. By modifying an authentication process, an adversary may authenticate to a service or system without using valid accounts, or may passively harvest credentials as users authenticate. Techniques include registering malicious password filter DLLs that receive plaintext passwords during every password change, injecting security support providers (SSPs) into LSASS to intercept credentials, installing skeleton keys to accept any password for domain accounts, modifying PAM stack configuration files to permit unauthorized access, and replacing legitimate authentication binaries with trojanized versions that exfiltrate credentials.

What is T1556 Modify Authentication Process?

Modify Authentication Process (T1556) maps to the Credential Access and Defense Evasion and Persistence tactics — the adversary is trying to steal account names and passwords in MITRE ATT&CK.

This page provides production-ready detection logic for Modify Authentication Process, covering the data sources and telemetry it touches: Registry: Registry Key Modification, Module: Module Load, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Credential Access Defense Evasion Persistence
Technique: T1556 Modify Authentication Process
Canonical reference: https://attack.mitre.org/techniques/T1556/

Microsoft Sentinel / Defender

kusto

// T1556: Modify Authentication Process
// Detects modifications to Windows LSA authentication registry keys used to register
// password filter DLLs, SSPs, auth packages, network providers, and GINA DLLs.
// These are the primary persistence paths for credential interception malware
// such as skeleton key (Secureworks), Ebury, Kessel, and SILENTTRINITY.
let LsaRegistryPaths = dynamic([
    "CurrentControlSet\\Control\\Lsa\\Notification Packages",
    "CurrentControlSet\\Control\\Lsa\\Security Packages",
    "CurrentControlSet\\Control\\Lsa\\Authentication Packages",
    "CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages",
    "CurrentControlSet\\Control\\NetworkProvider\\Order",
    "CurrentVersion\\Winlogon\\GinaDLL",
    "CurrentVersion\\Authentication\\Credential Providers"
]);
let TrustedModifiers = dynamic([
    "TrustedInstaller.exe", "MsMpEng.exe", "msiexec.exe",
    "wuauclt.exe", "WindowsUpdateAgent.exe", "svchost.exe"
]);
let LsaLoadEvents = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "lsass.exe"
| where not(FileName in~ (
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "msvcrt.dll",
    "kerberos.dll", "msv1_0.dll", "wdigest.dll", "tspkg.dll",
    "pku2u.dll", "cloudap.dll", "schannel.dll", "cryptdll.dll",
    "samsrv.dll", "lsasrv.dll", "netlogon.dll", "ntlmshared.dll"
))
| extend DetectionSource = "LsassUnexpectedDllLoad"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          DetectionType = "Unexpected DLL Load by LSASS",
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          DllName = FileName, DllPath = FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
let RegistryMods = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (LsaRegistryPaths)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where not(InitiatingProcessFileName has_any (TrustedModifiers))
| extend DetectionType = case(
    RegistryKey has "Notification Packages", "Password Filter DLL Registration",
    RegistryKey has "Security Packages" and not (RegistryKey has "OSConfig"), "Security Support Provider (SSP) Registration",
    RegistryKey has "Authentication Packages", "Authentication Package Registration",
    RegistryKey has "NetworkProvider", "Network Provider DLL Registration",
    RegistryKey has "GinaDLL", "GINA DLL Modification",
    RegistryKey has "Credential Providers", "Credential Provider Registration",
    "LSA Authentication Configuration Modification"
)
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey, RegistryValueName, RegistryValueData,
          DllName = "", DllPath = "", SHA256 = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine;
RegistryMods
| union LsaLoadEvents
| extend IsDomainController = DeviceName has_any ("DC", "PDC", "BDC", "RODC")
| sort by Timestamp desc

Detects modifications to Windows LSA authentication configuration by monitoring two key signals: (1) registry writes to authentication-critical keys including LSA Notification Packages (password filters), Security Packages (SSPs), Authentication Packages, Network Provider Order, and GINA DLL paths, excluding known-good Windows system processes; and (2) unexpected DLL loads by the lsass.exe process from non-standard DLL names not part of the default Windows authentication package list. Together these cover the primary persistence mechanisms used by skeleton key malware, Ebury, Kessel, and SILENTTRINITY to intercept credentials. Domain controller detections are flagged separately given their elevated impact.

critical severity high confidence

Data Sources

Registry: Registry Key Modification Module: Module Load Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceImageLoadEvents

False Positives

Legitimate MFA solutions (Duo Security, Okta Verify, RSA SecurID) that install custom credential provider DLLs during initial setup — filter by InitiatingProcessFileName = msiexec.exe and correlate with change management tickets
Enterprise privileged access management tools (CyberArk, BeyondTrust, Centrify) that register authentication packages — build an allowlist of their specific DLL names
Windows Defender Credential Guard enabling LSA protection, which modifies LSA configuration keys — these changes come from svchost.exe or TrustedInstaller
Third-party VPN clients and smart card middleware that install network provider DLLs or credential providers as part of software installation
Password manager enterprise editions (LastPass Enterprise, 1Password Business) installing Windows credential provider extensions

Splunk

spl

index=wineventlog (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=13 OR EventCode=7))
    OR (sourcetype="WinEventLog:Security" (EventCode=4657 OR EventCode=4614 OR EventCode=4610))
)
| eval TargetPath=coalesce(TargetObject, ObjectName)
| eval InitProcess=coalesce(Image, ProcessName)
| eval LoadedImage=coalesce(ImageLoaded, "")
| eval User=coalesce(User, SubjectUserName)
```
-- Branch 1: Sysmon Registry Value Set (EventCode=13) on LSA keys
```
| eval IsAuthRegistryMod=if(
    EventCode=13 AND (
        like(TargetPath, "%\\Control\\Lsa\\Notification Packages%") OR
        like(TargetPath, "%\\Control\\Lsa\\Security Packages%") OR
        like(TargetPath, "%\\Control\\Lsa\\Authentication Packages%") OR
        like(TargetPath, "%\\Control\\NetworkProvider\\Order%") OR
        like(TargetPath, "%\\Winlogon\\GinaDLL%") OR
        like(TargetPath, "%\\Authentication\\Credential Providers%")
    ), 1, 0)
```
-- Branch 2: Windows Security audit of notification/auth package loading
```
| eval IsAuthPackageLoad=if(
    (EventCode=4614 OR EventCode=4610),
    1, 0)
```
-- Branch 3: Sysmon Image Load (EventCode=7) by lsass for unexpected DLLs
```
| eval IsLsassLoad=if(
    EventCode=7 AND like(InitProcess, "%lsass.exe") AND NOT (
        like(LoadedImage, "%\\ntdll.dll") OR like(LoadedImage, "%\\kernel32.dll") OR
        like(LoadedImage, "%\\kerberos.dll") OR like(LoadedImage, "%\\msv1_0.dll") OR
        like(LoadedImage, "%\\wdigest.dll") OR like(LoadedImage, "%\\tspkg.dll") OR
        like(LoadedImage, "%\\pku2u.dll") OR like(LoadedImage, "%\\lsasrv.dll") OR
        like(LoadedImage, "%\\samsrv.dll") OR like(LoadedImage, "%\\netlogon.dll") OR
        like(LoadedImage, "%\\schannel.dll") OR like(LoadedImage, "%\\cloudap.dll")
    ), 1, 0)
| where IsAuthRegistryMod=1 OR IsAuthPackageLoad=1 OR IsLsassLoad=1
| where NOT (like(InitProcess, "%TrustedInstaller.exe") OR like(InitProcess, "%MsMpEng.exe") OR like(InitProcess, "%msiexec.exe") OR like(InitProcess, "%wuauclt.exe"))
| eval DetectionType=case(
    IsLsassLoad=1, "Unexpected DLL Load by LSASS",
    IsAuthPackageLoad=1, "Authentication Package Loaded by SAM/LSA",
    like(TargetPath, "%Notification Packages%"), "Password Filter DLL Registration",
    like(TargetPath, "%Security Packages%"), "SSP Registration",
    like(TargetPath, "%Authentication Packages%"), "Authentication Package Registration",
    like(TargetPath, "%NetworkProvider%"), "Network Provider DLL Registration",
    like(TargetPath, "%GinaDLL%"), "GINA DLL Modification",
    true(), "LSA Authentication Modification"
)
| eval Severity=case(
    DetectionType="Password Filter DLL Registration", "Critical",
    DetectionType="SSP Registration", "Critical",
    DetectionType="GINA DLL Modification", "Critical",
    DetectionType="Unexpected DLL Load by LSASS", "High",
    true(), "High"
)
| table _time, host, User, DetectionType, Severity, TargetPath, Details, LoadedImage, InitProcess, CommandLine
| sort - _time

Detects authentication process modification through three correlated signals: (1) Sysmon Event ID 13 registry value sets on LSA authentication key paths; (2) Windows Security Event IDs 4610 and 4614 which fire when the LSA loads authentication packages and notification packages at system startup — unexpected entries here indicate persistence survived a reboot; (3) Sysmon Event ID 7 image loads by lsass.exe for DLLs not in the expected Windows authentication package list. The combination of registry write followed by auth package load event at next boot is a strong indicator of password filter DLL installation for credential harvesting.

critical severity high confidence

Data Sources

Registry: Registry Key Modification Module: Module Load Sysmon Event ID 13 Sysmon Event ID 7 Windows Security Event ID 4610 Windows Security Event ID 4614 Windows Security Event ID 4657

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate MFA and PAM solutions registering credential providers during software installation
Enterprise identity platforms (CyberArk EPM, BeyondTrust) installing authentication packages
Smart card middleware and PIV/CAC reader software registering PKCS#11 authentication modules
Windows Defender Credential Guard configuration changes — correlate with known patch cycles and change tickets

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "registry" and
    event.type in ("change", "creation") and
    registry.path : (
      "*\\Control\\Lsa\\Notification Packages*",
      "*\\Control\\Lsa\\Security Packages*",
      "*\\Control\\Lsa\\Authentication Packages*",
      "*\\Control\\Lsa\\OSConfig\\Security Packages*",
      "*\\Control\\NetworkProvider\\Order*",
      "*\\CurrentVersion\\Winlogon\\GinaDLL*",
      "*\\CurrentVersion\\Authentication\\Credential Providers*"
    ) and
    not process.name : (
      "TrustedInstaller.exe", "MsMpEng.exe", "msiexec.exe",
      "wuauclt.exe", "WindowsUpdateAgent.exe", "svchost.exe"
    )
  )
  or
  (
    event.category == "library" and
    process.name : "lsass.exe" and
    not dll.name : (
      "ntdll.dll", "kernel32.dll", "kernelbase.dll", "msvcrt.dll",
      "kerberos.dll", "msv1_0.dll", "wdigest.dll", "tspkg.dll",
      "pku2u.dll", "cloudap.dll", "schannel.dll", "cryptdll.dll",
      "samsrv.dll", "lsasrv.dll", "netlogon.dll", "ntlmshared.dll"
    )
  )
  or
  (
    event.category == "authentication" and
    event.code in ("4610", "4614")
  )
)

Detects T1556 modifications to Windows LSA authentication mechanisms across three detection branches: (1) registry modifications to LSA key paths covering Notification Packages (password filter DLLs), Security Packages (SSPs), Authentication Packages, Network Provider Order, GinaDLL, and Credential Providers — excluding known legitimate modifiers; (2) unexpected DLLs loaded by lsass.exe not present in the known-good baseline, covering in-memory SSP and password filter injection; (3) Windows Security audit events 4610 and 4614 for authentication and notification package loading by SAM/LSA. Covers skeleton key, Ebury, SILENTTRINITY, and Mimikatz SSP injection patterns.

critical severity high confidence

Data Sources

Elastic Security Endpoint (elastic-agent with endpoint integration) Winlogbeat with Sysmon (EventCode 7, 13) Windows Security Event Logs (EventID 4610, 4614) via Winlogbeat or Elastic Agent

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.library-* logs-windows.forwarded-* winlogbeat-*

False Positives

Third-party MFA or smart card middleware (Duo Security, RSA Authentication Agent, Yubico, PIV/PKINIT providers) registering credential provider DLLs during initial installation or agent update
Enterprise VPN or network authentication clients (Cisco AnyConnect, Palo Alto GlobalProtect) adding entries to the NetworkProvider Order key as part of their split-tunneling or authentication components
Endpoint security products (CrowdStrike Falcon, Carbon Black, Symantec DLP) loading inspection DLLs into lsass.exe during sensor installation or major version upgrades — typically a one-time event at install time rather than recurring

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserName,
  eventid AS EventID,
  "TargetObject" AS RegistryPath,
  "Image" AS InitiatingProcess,
  "ImageLoaded" AS LoadedDLL,
  CASE
    WHEN eventid = 7 THEN 'Unexpected DLL Load by LSASS'
    WHEN eventid IN (4610, 4614) THEN 'Authentication Package Loaded by SAM/LSA'
    WHEN "TargetObject" ILIKE '%Notification Packages%' THEN 'Password Filter DLL Registration'
    WHEN "TargetObject" ILIKE '%Security Packages%' AND "TargetObject" NOT ILIKE '%OSConfig%' THEN 'SSP Registration'
    WHEN "TargetObject" ILIKE '%Authentication Packages%' THEN 'Authentication Package Registration'
    WHEN "TargetObject" ILIKE '%NetworkProvider%' THEN 'Network Provider DLL Registration'
    WHEN "TargetObject" ILIKE '%GinaDLL%' THEN 'GINA DLL Modification'
    WHEN "TargetObject" ILIKE '%Credential Providers%' THEN 'Credential Provider Registration'
    ELSE 'LSA Authentication Configuration Modification'
  END AS DetectionType,
  CASE
    WHEN "TargetObject" ILIKE '%Notification Packages%' THEN 'Critical'
    WHEN "TargetObject" ILIKE '%Security Packages%' THEN 'Critical'
    WHEN "TargetObject" ILIKE '%GinaDLL%' THEN 'Critical'
    ELSE 'High'
  END AS Severity
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    (
      eventid = 13
      AND (
        "TargetObject" ILIKE '%\Control\Lsa\Notification Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\Security Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\Authentication Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\OSConfig\Security Packages%'
        OR "TargetObject" ILIKE '%\Control\NetworkProvider\Order%'
        OR "TargetObject" ILIKE '%\CurrentVersion\Winlogon\GinaDLL%'
        OR "TargetObject" ILIKE '%\CurrentVersion\Authentication\Credential Providers%'
      )
      AND "Image" NOT ILIKE '%TrustedInstaller.exe'
      AND "Image" NOT ILIKE '%MsMpEng.exe'
      AND "Image" NOT ILIKE '%msiexec.exe'
      AND "Image" NOT ILIKE '%wuauclt.exe'
    )
    OR (
      eventid IN (4610, 4614)
    )
    OR (
      eventid = 7
      AND "Image" ILIKE '%lsass.exe'
      AND "ImageLoaded" NOT ILIKE '%\ntdll.dll'
      AND "ImageLoaded" NOT ILIKE '%\kernel32.dll'
      AND "ImageLoaded" NOT ILIKE '%\kernelbase.dll'
      AND "ImageLoaded" NOT ILIKE '%\kerberos.dll'
      AND "ImageLoaded" NOT ILIKE '%\msv1_0.dll'
      AND "ImageLoaded" NOT ILIKE '%\wdigest.dll'
      AND "ImageLoaded" NOT ILIKE '%\tspkg.dll'
      AND "ImageLoaded" NOT ILIKE '%\pku2u.dll'
      AND "ImageLoaded" NOT ILIKE '%\cloudap.dll'
      AND "ImageLoaded" NOT ILIKE '%\schannel.dll'
      AND "ImageLoaded" NOT ILIKE '%\cryptdll.dll'
      AND "ImageLoaded" NOT ILIKE '%\samsrv.dll'
      AND "ImageLoaded" NOT ILIKE '%\lsasrv.dll'
      AND "ImageLoaded" NOT ILIKE '%\netlogon.dll'
      AND "ImageLoaded" NOT ILIKE '%\ntlmshared.dll'
      AND "ImageLoaded" NOT ILIKE '%\msvcrt.dll'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

QRadar AQL detection for T1556 querying Sysmon (EventCode 13 registry value set, EventCode 7 image load) and Windows Security (EventID 4610 authentication package load, 4614 notification package load) log sources. Identifies modifications to all LSA credential interception persistence paths and unexpected DLLs loaded by lsass.exe. Requires QRadar DSM custom properties configured to extract TargetObject, Image, and ImageLoaded from Sysmon XML payloads. Uses ILIKE for case-insensitive path matching across all registry key path variations.

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Microsoft Sysmon (QRadar custom DSM or Universal DSM) Snare for Windows (fallback for environments without Sysmon)

Required Tables

events

False Positives

Windows Update or WSUS pushing authentication provider updates via TrustedInstaller or wuauclt — the NOT filter excludes these processes but watch for unusual update timing outside maintenance windows
Domain-joined systems receiving GPO-deployed authentication packages during domain setup or policy refresh — Kerberos extensions, smart card middleware, and DirectAccess components can all trigger legitimate LSA key writes
Security product installation or major version upgrades (endpoint DLP, PAM agents, CASB proxies) that register credential provider DLLs for credential capture or SSO interception features

Sumo Logic CSE

sql

(_sourceCategory=os/windows OR _sourceCategory=windows/sysmon OR _sourceCategory=wineventlog)
| parse regex "(?:EventCode|EventID)[=:\s>]+(?:<[^>]+>)?(?P<EventCode>\d+)" nodrop
| parse regex "(?:TargetObject|ObjectName)[=:\s>]+(?:<[^>]+>)?(?P<TargetObject>[^\n<]+)" nodrop
| parse regex "(?<!Loaded)(?:Image)[=:\s>]+(?:<[^>]+>)?(?P<Image>[^\n<]+)" nodrop
| parse regex "ImageLoaded[=:\s>]+(?:<[^>]+>)?(?P<ImageLoaded>[^\n<]+)" nodrop
| parse regex "(?:User|SubjectUserName)[=:\s>]+(?:<[^>]+>)?(?P<User>[^\n<]+)" nodrop
| where (
    (
      EventCode = "13" AND (
        TargetObject contains "\Control\Lsa\Notification Packages" OR
        TargetObject contains "\Control\Lsa\Security Packages" OR
        TargetObject contains "\Control\Lsa\Authentication Packages" OR
        TargetObject contains "\Control\Lsa\OSConfig" OR
        TargetObject contains "\Control\NetworkProvider\Order" OR
        TargetObject contains "\Winlogon\GinaDLL" OR
        TargetObject contains "\Authentication\Credential Providers"
      )
    )
    OR EventCode in ("4610", "4614")
    OR (
      EventCode = "7" AND
      Image matches "*lsass.exe" AND NOT (
        ImageLoaded matches "*\ntdll.dll" OR
        ImageLoaded matches "*\kernel32.dll" OR
        ImageLoaded matches "*\kernelbase.dll" OR
        ImageLoaded matches "*\kerberos.dll" OR
        ImageLoaded matches "*\msv1_0.dll" OR
        ImageLoaded matches "*\wdigest.dll" OR
        ImageLoaded matches "*\tspkg.dll" OR
        ImageLoaded matches "*\pku2u.dll" OR
        ImageLoaded matches "*\cloudap.dll" OR
        ImageLoaded matches "*\schannel.dll" OR
        ImageLoaded matches "*\cryptdll.dll" OR
        ImageLoaded matches "*\samsrv.dll" OR
        ImageLoaded matches "*\lsasrv.dll" OR
        ImageLoaded matches "*\netlogon.dll" OR
        ImageLoaded matches "*\ntlmshared.dll" OR
        ImageLoaded matches "*\msvcrt.dll"
      )
    )
  )
| where NOT (
    Image matches "*TrustedInstaller.exe" OR
    Image matches "*MsMpEng.exe" OR
    Image matches "*msiexec.exe" OR
    Image matches "*wuauclt.exe"
  )
| eval DetectionType = if(EventCode = "7", "Unexpected DLL Load by LSASS",
    if(EventCode in ("4610","4614"), "Authentication Package Loaded by LSA",
    if(TargetObject contains "Notification Packages", "Password Filter DLL Registration",
    if(TargetObject contains "Security Packages", "SSP Registration",
    if(TargetObject contains "Authentication Packages", "Authentication Package Registration",
    if(TargetObject contains "NetworkProvider", "Network Provider DLL Registration",
    if(TargetObject contains "GinaDLL", "GINA DLL Modification",
    "LSA Authentication Modification")))))))
| eval Severity = if(DetectionType in ("Password Filter DLL Registration", "SSP Registration", "GINA DLL Modification"), "Critical", "High")
| fields _messageTime, _sourceHost, User, DetectionType, Severity, EventCode, TargetObject, ImageLoaded, Image
| sort - _messageTime

Sumo Logic detection for T1556 parsing Windows Event Log and Sysmon telemetry using regex field extraction from raw log data. Handles both XML-formatted Sysmon events and flat key=value Windows Security events. Detects Sysmon EventCode 13 (registry value set) modifications to all LSA credential interception paths, EventCode 7 (image load) for unexpected LSASS DLL loads, and Security EventID 4610/4614 for authentication and notification package loading by SAM/LSA. Adjust _sourceCategory values to match your Sumo Logic collector source configuration. For pre-parsed Sysmon events (e.g., via Sumo Logic app), field names may already be available without regex extraction.

critical severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log source) Sumo Logic Installed Collector (Sysmon operational log source) Sumo Logic Cloud Syslog for Windows Event Forwarding (WEF)

Required Tables

Sumo Logic partition containing Windows/Sysmon events (default or custom partition per _sourceCategory)

False Positives

Software deployment tooling (SCCM, Intune, PDQ Deploy) using msiexec to install authentication-related software — msiexec is excluded by the NOT filter but installer child processes that write registry keys directly may not be
Antivirus or DLP products with credential inspection features loading monitoring hooks into lsass.exe — common in enterprise environments with Symantec DLP, Forcepoint DLP, or McAfee MVISION deployed to endpoints
Identity Provider integrations (Okta Verify, Azure AD Connect, Ping Identity, OneLogin) registering credential provider DLLs as part of enterprise SSO or passwordless authentication rollouts

Google Chronicle / SecOps

yaral

rule t1556_lsa_registry_modification {
  meta:
    author = "Detection Engineering"
    description = "T1556 - LSA authentication registry modification for credential interception. Covers Notification Packages (password filter DLLs), Security Packages (SSPs), Authentication Packages, NetworkProvider Order, GinaDLL, and Credential Providers keys."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1556/"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Notification Packages`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Security Packages`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Authentication Packages`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\OSConfig`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\Control\\NetworkProvider\\Order`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\CurrentVersion\\Winlogon\\GinaDLL`) or
      re.regex($reg.target.registry.registry_key, `(?i)\\CurrentVersion\\Authentication\\Credential Providers`)
    )
    not re.regex($reg.principal.process.file.full_path, `(?i)(TrustedInstaller\.exe|MsMpEng\.exe|msiexec\.exe|wuauclt\.exe|WindowsUpdateAgent\.exe)`)

  condition:
    $reg
}

rule t1556_lsass_unexpected_dll_load {
  meta:
    author = "Detection Engineering"
    description = "T1556 - Unexpected DLL loaded by lsass.exe, indicative of SSP injection, in-memory password filter registration, or skeleton key implant. Filters known-good authentication DLL baseline."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1556/"

  events:
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    re.regex($load.principal.process.file.full_path, `(?i)[/\\]lsass\.exe$`)
    not re.regex($load.target.file.full_path, `(?i)(ntdll\.dll|kernel32\.dll|kernelbase\.dll|msvcrt\.dll|kerberos\.dll|msv1_0\.dll|wdigest\.dll|tspkg\.dll|pku2u\.dll|cloudap\.dll|schannel\.dll|cryptdll\.dll|samsrv\.dll|lsasrv\.dll|netlogon\.dll|ntlmshared\.dll|rassfm\.dll|svrt\.dll)$`)

  condition:
    $load
}

Two Chronicle YARA-L 2.0 rules for T1556 using Google Security Operations UDM normalized event model. Rule 1 (t1556_lsa_registry_modification) matches REGISTRY_MODIFICATION events targeting all LSA authentication persistence paths, excluding known legitimate modifiers. Rule 2 (t1556_lsass_unexpected_dll_load) matches PROCESS_MODULE_LOAD events where lsass.exe loads a DLL not in the known-good baseline, covering in-memory SSP injection and password filter DLL loading without a registry change. Both rules use re.regex() with case-insensitive flags against UDM registry key and file path fields respectively.

critical severity high confidence

Data Sources

Google Security Operations (Chronicle SIEM) Windows Sysmon via Chronicle forwarder agent (EventCode 7, 13) Microsoft Defender for Endpoint via Chronicle integration (DeviceRegistryEvents, DeviceImageLoadEvents) Windows Event Forwarding (WEF) ingested via Chronicle

Required Tables

UDM Events — REGISTRY_MODIFICATION event type UDM Events — PROCESS_MODULE_LOAD event type

False Positives

Microsoft Credential Guard or Virtualization-Based Security (VBS) initialization loading isolation shim DLLs into lsass.exe during the Windows secure boot sequence on Hyper-V or hardware VBS-enabled endpoints
Domain controller promotion (dcpromo) or AD DS / AD LDS role installation modifying authentication packages and security packages as part of legitimate domain controller setup
Enterprise PKI or certificate authority software (DigiCert, Entrust, ADCS) registering cryptographic service providers or minidriver DLLs into the LSA credential provider chain during initial deployment

CrowdStrike LogScale (CQL)

cql

// T1556 - Modify Authentication Process
// Branch 1: LSA registry ASEP modifications (Sysmon EventCode 13 equivalent)
// Branch 2: Unexpected DLL loads by lsass.exe (Sysmon EventCode 7 equivalent)

(#event_simpleName = "AsepValueUpdate" OR #event_simpleName = "ClassicImageLoad")
| case {
    #event_simpleName = "AsepValueUpdate" |
      RegistryPath = /(?i)(\\Control\\Lsa\\Notification Packages|\\Control\\Lsa\\Security Packages|\\Control\\Lsa\\Authentication Packages|\\Control\\Lsa\\OSConfig|\\Control\\NetworkProvider\\Order|\\Winlogon\\GinaDLL|\\Authentication\\Credential Providers)/ |
      ImageFileName != /(?i)(TrustedInstaller\.exe|MsMpEng\.exe|msiexec\.exe|wuauclt\.exe|WindowsUpdateAgent\.exe)/ |
      DetectionType := "LSA Registry Modification" ;
    #event_simpleName = "ClassicImageLoad" |
      TargetProcessFileName = /(?i)[/\\]lsass\.exe$/ |
      ImageFileName != /(?i)(ntdll\.dll|kernel32\.dll|kernelbase\.dll|msvcrt\.dll|kerberos\.dll|msv1_0\.dll|wdigest\.dll|tspkg\.dll|pku2u\.dll|cloudap\.dll|schannel\.dll|cryptdll\.dll|samsrv\.dll|lsasrv\.dll|netlogon\.dll|ntlmshared\.dll|rassfm\.dll)$/ |
      DetectionType := "Unexpected DLL Load by LSASS" ;
    * | drop()
  }
| table(
    [timestamp, ComputerName, UserName, DetectionType,
     RegistryPath, RegistryValueData, ImageFileName,
     TargetProcessFileName, CommandLine, SHA256HashData]
  )
| sort(field=timestamp, order=desc)

CrowdStrike LogScale (Humio) detection for T1556 using Falcon Insight XDR telemetry. Uses AsepValueUpdate events — Falcon's normalized ASEP registry change event type — to detect LSA authentication key modifications across all CurrentControlSet paths, and ClassicImageLoad events to identify unexpected DLLs loaded into lsass.exe. Combines both branches via a case statement with drop() to suppress non-matching events. The AsepValueUpdate event type covers all HKLM SYSTEM registry writes to known persistence locations. Requires Falcon Prevent or Falcon Insight XDR for module load telemetry; SHA256HashData field enables immediate VirusTotal enrichment.

critical severity high confidence

Data Sources

CrowdStrike Falcon Insight XDR (AsepValueUpdate, ClassicImageLoad event streams) CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike LogScale (Humio) with Falcon event ingestion

Required Tables

AsepValueUpdate (Falcon streaming event) ClassicImageLoad (Falcon streaming event)

False Positives

CrowdStrike Falcon sensor itself or Falcon Complete managed response operations performing ASEP modifications during sensor update cycles — these appear as AsepValueUpdate events from CrowdStrike-signed processes and can be filtered by SHA256HashData against CrowdStrike's known-good hash list
Windows in-place feature updates (e.g., 22H2 to 23H2) modifying authentication packages during the OS upgrade phase — generates a burst of legitimate ASEP changes from TrustedInstaller that coincide with the upgrade window
Third-party PAM solutions (BeyondTrust Password Safe, CyberArk Endpoint Privilege Manager, Delinea Secret Server) registering credential provider DLLs on managed endpoints during agent deployment — identifiable by consistent software-deployment parent process chains

Sigma rule & cross-platform mapping

The detection logic for Modify Authentication Process (T1556) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1556 Sigma rules on detection.fyi

Platform-specific guides for T1556

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Register Benign Password Filter DLL in LSA Notification Packages
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details contains 'df00tech-test-filter', Image=powershell.exe. Windows Security Event ID 4657 if SACL is configured on the LSA key. DeviceRegistryEvents in MDE: RegistryKey contains 'Notification Packages', RegistryValueData contains new DLL name, InitiatingProcessFileName=powershell.exe.
Test 2Register Fake Security Support Provider (SSP) in LSA Security Packages
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, Details appended with 'df00tech-test-ssp'. DeviceRegistryEvents: RegistryKey contains 'Security Packages', ActionType=RegistryValueSet. If system reboots, Security Event ID 4610 will fire listing the (missing) SSP DLL name — LSASS will generate an error in System event log.
Test 3Modify PAM Configuration to Permit Authentication Bypass on Linux
Expected signal: Linux auditd: syscall=openat/write on path=/etc/pam.d/sshd with auid=<attacker_uid> if auditd watches are configured (-w /etc/pam.d/ -p wa -k pam_modification). Syslog: process writing to /etc/pam.d/sshd. File integrity monitoring (AIDE, Tripwire) will alert on hash change to /etc/pam.d/sshd. DeviceFileEvents (for Linux onboarded to MDE): FileModified on /etc/pam.d/sshd.
Test 4Register Malicious Network Provider DLL via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Image=powershell.exe, Details contains appended provider name. DeviceRegistryEvents: RegistryKey contains 'NetworkProvider\Order', RegistryValueName='ProviderOrder', ActionType=RegistryValueSet.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0006Credential Access TA0005Defense Evasion TA0003Persistence

Sub-techniques (9)

Related Techniques

T1556.001Domain Controller Authentication T1556.002Password Filter DLL T1556.003Pluggable Authentication Modules T1556.004Network Device Authentication T1556.008Network Provider DLL T1003OS Credential Dumping T1547.005Security Support Provider T1574Hijack Execution Flow T1078Valid Accounts T1543Create or Modify System Process

Modify Authentication Process

What is T1556 Modify Authentication Process?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1556

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (9)

Related Techniques

Same Tactic: Credential Access

Popular Detections

What is T1556 Modify Authentication Process?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1556

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (9)

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox