T1556.004

Network Device Authentication

Credential Access Defense Evasion Persistence

Adversaries may patch network device operating systems to add a hardcoded backdoor password, bypassing normal authentication for local accounts on routers, switches, and VPN appliances. SYNful Knock implanted a backdoor password in Cisco IOS router images, checking if login credentials match the backdoor password before passing them to normal authentication. SLOWPULSE modified Pulse Secure LDAP and 2FA authentication to accept a designated attacker-supplied password. Detection relies on network configuration integrity checks and unusual authentication behavior.

Microsoft Sentinel / Defender

kusto

// Network device authentication anomalies via syslog forwarded to Sentinel
Syslog
| where TimeGenerated > ago(24h)
| where Facility == "security" or SeverityLevel in ("warning", "error", "alert", "emergency")
| where SyslogMessage has_any (
    "Authentication succeeded", "login successful", "accepted",
    "incorrect password", "authentication failed"
  )
| where HostName has_any ("router", "switch", "fw", "vpn", "asa", "ios", "junos", "nexus", "palo")
   or SourceSystem == "Syslog"
| extend AuthResult = case(
    SyslogMessage has_any ("succeeded", "successful", "accepted"), "SUCCESS",
    SyslogMessage has_any ("failed", "incorrect", "denied"), "FAILURE",
    "UNKNOWN"
  )
| summarize TotalEvents=count(), Successes=countif(AuthResult=="SUCCESS"),
            Failures=countif(AuthResult=="FAILURE"), UniqueUsers=dcount(ProcessName)
          by HostName, Computer, bin(TimeGenerated, 1h)
| where Failures > 10 or (Successes > 5 and Failures == 0)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Authentication: Authentication Logs Syslog from network devices

Required Tables

Syslog CommonSecurityLog

False Positives

Legitimate network administrators performing password rotation across multiple devices simultaneously
Network monitoring tools (SolarWinds, PRTG, LibreNMS) using SNMP or SSH that generate authentication events during polling
Automated configuration management tools (Ansible, Netmiko) running playbooks against multiple devices
Network device failover events causing brief authentication spike as backup devices come online

Elastic Security (EQL)

eql

sequence by host.name, source.ip with maxspan=1h
  [authentication where
    event.outcome == "failure" and
    (
      event.dataset in ("cisco.ios", "cisco.asa", "juniper.junos", "palo_alto.firewall") or
      host.name : ("*router*", "*switch*", "*fw*", "*vpn*", "*asa*", "*ios*", "*junos*", "*nexus*", "*palo*") or
      log.syslog.facility.name in ("security", "auth", "authpriv")
    )
  ] with runs=5
  [authentication where
    event.outcome == "success" and
    (
      event.dataset in ("cisco.ios", "cisco.asa", "juniper.junos", "palo_alto.firewall") or
      host.name : ("*router*", "*switch*", "*fw*", "*vpn*", "*asa*", "*ios*", "*junos*", "*nexus*", "*palo*") or
      log.syslog.facility.name in ("security", "auth", "authpriv")
    )
  ]

high severity medium confidence

Data Sources

Filebeat Cisco IOS integration (logs-cisco.ios-*) Filebeat Cisco ASA integration (logs-cisco.asa-*) Filebeat Juniper JunOS integration (logs-juniper.junos-*) Filebeat Palo Alto Firewall integration (logs-palo_alto.firewall-*) Generic syslog via Filebeat with ECS normalization applied by ingest pipeline (filebeat-*)

Required Tables

logs-cisco.ios-* logs-cisco.asa-* logs-juniper.junos-* logs-palo_alto.firewall-* filebeat-*

False Positives

Legitimate password rotation distributed late to network operations staff causes a burst of failures from the same admin workstation IP before a successful login with the newly issued credential, matching the runs=5 failure-then-success sequence.
Automated configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) authenticating with rotating service account credentials may generate multiple failure events before the updated credential is used, producing sequences that match the detection window.
Network engineers accessing devices after a PAM vault credential rotation will fail several times using a cached credential before retrieving the updated password from the vault and authenticating successfully, appearing identical to backdoor exploitation.

IBM QRadar (AQL)

sql

SELECT
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS src_ip,
  username,
  COUNT(*) AS total_events,
  SUM(CASE WHEN LOWER(payload) LIKE '%authentication succeeded%'
               OR LOWER(payload) LIKE '%login successful%'
               OR LOWER(payload) LIKE '%accepted password%'
               OR LOWER(payload) LIKE '%authenticated%' THEN 1 ELSE 0 END) AS successes,
  SUM(CASE WHEN LOWER(payload) LIKE '%authentication failed%'
               OR LOWER(payload) LIKE '%incorrect password%'
               OR LOWER(payload) LIKE '%bad password%'
               OR LOWER(payload) LIKE '%login failed%'
               OR LOWER(payload) LIKE '%access denied%' THEN 1 ELSE 0 END) AS failures,
  DATEFORMAT(TRUNCATE(starttime, 'hour'), 'yyyy-MM-dd HH:mm') AS hour_bucket
FROM events
WHERE LOGSOURCETYPEID IN (
  SELECT id FROM logsourcetypes
  WHERE name IN ('Cisco IOS', 'Cisco ASA', 'Juniper JunOS', 'Palo Alto PA Series', 'Palo Alto Firewall')
)
AND (
  LOWER(payload) LIKE '%authentication%'
  OR LOWER(payload) LIKE '%login%'
  OR LOWER(payload) LIKE '%password%'
)
GROUP BY
  logsourceid,
  sourceip,
  username,
  TRUNCATE(starttime, 'hour')
HAVING
  SUM(CASE WHEN LOWER(payload) LIKE '%authentication failed%'
               OR LOWER(payload) LIKE '%incorrect password%'
               OR LOWER(payload) LIKE '%bad password%'
               OR LOWER(payload) LIKE '%login failed%'
               OR LOWER(payload) LIKE '%access denied%' THEN 1 ELSE 0 END) > 5
  OR (
    SUM(CASE WHEN LOWER(payload) LIKE '%authentication succeeded%'
                 OR LOWER(payload) LIKE '%login successful%'
                 OR LOWER(payload) LIKE '%accepted password%'
                 OR LOWER(payload) LIKE '%authenticated%' THEN 1 ELSE 0 END) > 5
    AND SUM(CASE WHEN LOWER(payload) LIKE '%authentication failed%'
                     OR LOWER(payload) LIKE '%incorrect password%'
                     OR LOWER(payload) LIKE '%bad password%'
                     OR LOWER(payload) LIKE '%login failed%'
                     OR LOWER(payload) LIKE '%access denied%' THEN 1 ELSE 0 END) = 0
  )
ORDER BY failures DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Log Source: Cisco IOS QRadar Log Source: Cisco ASA QRadar Log Source: Juniper JunOS QRadar Log Source: Palo Alto PA Series Firewall QRadar Log Source: Generic Syslog with network device hostnames

Required Tables

events logsourcetypes

False Positives

TACACS+ or RADIUS proxy servers aggregating authentication on behalf of multiple users appear as a single high-volume sourceip with mixed success/failure ratios; if the proxy's IP is logged as the source rather than the client workstation, legitimate enterprise AAA traffic may trigger the failure threshold.
Network management platforms (Cisco DNA Center, SolarWinds NPM, HP IMC) performing scheduled credential verification or device onboarding generate consistent success-heavy authentication bursts that match the clean-success heuristic.
QRadar's LOGSOURCETYPEID lookup depends on accurate log source classification during initial configuration; improperly typed sources (e.g., a firewall classified as generic syslog) will be excluded from this query, creating coverage gaps rather than false positives, but miscategorised non-network devices may be included.

Sumo Logic CSE

sql

(_sourceCategory=network/syslog OR _sourceCategory=cisco* OR _sourceCategory=juniper* OR _sourceCategory=paloalto* OR _sourceCategory=fortinet*)
| where _sourceHost matches "*router*"
  OR _sourceHost matches "*switch*"
  OR _sourceHost matches "*fw*"
  OR _sourceHost matches "*vpn*"
  OR _sourceHost matches "*asa*"
  OR _sourceHost matches "*ios*"
  OR _sourceHost matches "*junos*"
  OR _sourceHost matches "*nexus*"
  OR _sourceHost matches "*palo*"
  OR _sourceCategory matches "*cisco*"
  OR _sourceCategory matches "*juniper*"
  OR _sourceCategory matches "*paloalto*"
| parse regex "(?:from|srcip?)[\s=]+(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?:user|username|for)[\s=]+(?P<username>[\w@.\-]+)" nodrop
| if (matches(_raw, "(?i)(authentication succeeded|login successful|accepted password|authenticated|login accepted)"), "SUCCESS",
    if (matches(_raw, "(?i)(authentication failed|incorrect password|bad password|login failed|access denied|auth failure)"), "FAILURE", "OTHER")) as auth_result
| where auth_result in ("SUCCESS", "FAILURE")
| timeslice 1h
| count as events, countif(auth_result="SUCCESS") as successes, countif(auth_result="FAILURE") as failures, dcount(username) as unique_users by _timeslice, _sourceHost, src_ip
| where failures > 5 or (successes > 5 and failures == 0) or (unique_users > 3 and successes > 0 and failures == 0)
| sort by failures desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Syslog source (UDP/TCP 514) receiving from Cisco IOS/ASA devices Sumo Logic Installed Collector for Juniper JunOS syslog Sumo Logic HTTP Source or syslog relay for Palo Alto Firewall logs Sumo Logic Installed Collector for Fortinet FortiGate syslog Source categories must be configured to match the _sourceCategory patterns used in the query

Required Tables

_sourceCategory=network/syslog _sourceCategory=cisco* _sourceCategory=juniper* _sourceCategory=paloalto* _sourceCategory=fortinet*

False Positives

Syslog relay or aggregation servers appearing as a single _sourceHost may conflate authentication events from many physical devices, causing the unique_users and successes thresholds to fire against the relay host IP rather than a compromised network appliance.
Automated network configuration backup tools (RANCID, Oxidized, Cisco DNA Center) authenticating on a fixed schedule to pull running configs generate consistent clean-success authentication streams (many successes, zero failures) that precisely match the backdoor heuristic.
VPN concentrators and remote-access appliances serving high concurrent user volumes during peak hours generate legitimate bursts of authentication failures from users mistyping credentials, followed by success on retry, readily exceeding the failures > 5 per timeslice threshold.

Google Chronicle / SecOps

yaral

rule t1556_004_network_device_auth_backdoor {
  meta:
    author = "Detection Engineering"
    description = "Detects potential hardcoded backdoor authentication on network devices per T1556.004. Flags devices with more than 5 auth failures per hour or suspicious clean-success auth patterns with zero failures, consistent with SYNful Knock (Cisco IOS) and SLOWPULSE (Pulse Secure) implant behavior."
    mitre_attack_tactic = "Defense Evasion, Persistence, Credential Access"
    mitre_attack_technique = "T1556.004"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1556/004/"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    (
      $e.principal.hostname /(?i)(router|switch|fw|vpn|asa|ios|junos|nexus|palo|fortigate|srx|mx[0-9])/ or
      $e.metadata.product_name /(?i)(cisco|juniper|palo alto|fortinet|f5|checkpoint)/ or
      $e.metadata.vendor_name /(?i)(cisco|juniper networks|palo alto networks|fortinet)/
    )
    (
      $e.security_result.action = "ALLOW" or
      $e.security_result.action = "BLOCK"
    )
    $host = $e.principal.hostname
    $src  = $e.principal.ip

  match:
    $host, $src over 1h

  outcome:
    $success_count = count_distinct($e.metadata.id) if $e.security_result.action = "ALLOW"
    $failure_count = count_distinct($e.metadata.id) if $e.security_result.action = "BLOCK"
    $unique_users  = count_distinct($e.principal.user.userid)

  condition:
    $e and (
      $failure_count > 5
      or ($success_count > 5 and $failure_count = 0)
      or ($unique_users > 3 and $success_count > 0 and $failure_count = 0)
    )
}

high severity medium confidence

Data Sources

Chronicle SIEM Forwarder ingesting Cisco IOS/ASA syslog with UDM normalization Chronicle SIEM Juniper JunOS parser (syslog or API-based ingestion) Chronicle SIEM Palo Alto Networks parser (Panorama or direct device syslog) Chronicle SIEM Fortinet FortiGate parser UDM normalization pipeline must map authentication outcomes to security_result.action ALLOW/BLOCK and set metadata.event_type to USER_LOGIN

Required Tables

USER_LOGIN UDM event type principal.hostname principal.ip principal.user.userid security_result.action metadata.product_name metadata.vendor_name metadata.event_type

False Positives

Chronicle UDM normalization may map TACACS+ proxy pass-through authentication records and direct device login events to the same USER_LOGIN type with the AAA proxy's IP as principal.ip, causing legitimate TACACS infrastructure to appear as a high-success source triggering the clean-success condition.
Network devices that emit repeated authentication events for background system processes, SNMP polling authentication, or BGP/routing-protocol peer session re-establishments may produce dense success-only event streams that match the $success_count > 5 and $failure_count = 0 condition.
During planned network OS upgrades or bulk configuration pushes via automation pipelines, the management orchestrator may authenticate to dozens of devices per minute from a single IP, and the $unique_users > 3 condition may fire if multiple service accounts are used across the push.

CrowdStrike LogScale (CQL)

cql

// T1556.004 - Network Device Authentication Backdoor Detection
// Requires syslog ingestion from network devices into LogScale repository
#repo=main #kind=syslog
| sourcetype = /(?i)(cisco[._:]ios|cisco[._:]asa|juniper[._:]junos|paloalto[._:]firewall|fortinet[._:]fortigate)/
  OR ComputerName = /(?i)(router|switch|fw|vpn|asa|junos|nexus|palo|fortigate)/
| case {
    message = /(?i)(authentication succeeded|login successful|accepted password|authenticated|login accepted)/
      | auth_result := "SUCCESS";
    message = /(?i)(authentication failed|incorrect password|bad password|login failed|access denied|auth failure)/
      | auth_result := "FAILURE";
    * | auth_result := "OTHER";
  }
| auth_result != "OTHER"
| regex(field=message, regex="(?:from|srcip?)[\\s=]+(?P<src_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})", flags=i)
| default(field=src_ip, value="unknown")
| regex(field=message, regex="(?:user|username|for)[\\s=]+(?P<username>[\\w@.\\-]+)", flags=i)
| default(field=username, value="unknown")
| bucket(span=1h)
| groupBy([ComputerName, src_ip, _bucket], function=[
    count(as=total_events),
    count(filter=auth_result=="SUCCESS", as=successes),
    count(filter=auth_result=="FAILURE", as=failures),
    count(distinct=username, as=unique_users)
  ])
| where failures > 5
  OR (successes > 5 AND failures == 0)
  OR (unique_users > 3 AND successes > 0 AND failures == 0)
| sort(failures, order=desc)

high severity medium confidence

Data Sources

LogScale Collector or syslog forwarder ingesting Cisco IOS/ASA syslog (sourcetype=cisco.ios or cisco.asa) LogScale Collector for Juniper JunOS syslog (sourcetype=juniper.junos) LogScale Collector for Palo Alto Firewall syslog (sourcetype=paloalto.firewall) LogScale Collector for Fortinet FortiGate syslog (sourcetype=fortinet.fortigate) Syslog data must be in #repo=main with #kind=syslog tag applied at ingestion time

Required Tables

LogScale repository: #repo=main #kind=syslog message field (raw syslog payload) ComputerName field (source device hostname assigned at ingestion) sourcetype field (log source classification tag) @timestamp field (event timestamp used by bucket())

False Positives

LogScale sourcetype classification depends on correct tagging at ingestion; devices not matching the sourcetype regex but with ambiguous ComputerName values may be excluded (coverage gap) or incorrectly included if a non-network host has a hostname containing 'fw' or 'vpn' as a substring.
Network management systems or observability platforms (Grafana, Prometheus exporters, SolarWinds) that use HTTP basic auth or device API polling will generate frequent success-only authentication bursts matching the successes > 5 AND failures == 0 condition if their polling credentials are logged as authentication events.
TACACS+ or RADIUS servers forwarding consolidated authentication logs to LogScale may appear as a single ComputerName with a high unique_users count and zero failures, precisely matching the multi-user clean-success threshold when in fact all authentications are legitimate enterprise logins routed through a central AAA service.

Last updated: 2026-04-13 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1556.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller Authentication T1556.002Password Filter DLL T1556.003Pluggable Authentication Modules T1556.005Reversible Encryption T1556.006Multi-Factor Authentication T1556.007Hybrid Identity T1556.008Network Provider DLL T1556.009Conditional Access Policies

Network Device Authentication

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections