T1556.004 Elastic Security · Elastic

Detect Network Device Authentication in Elastic Security

Adversaries may patch network device operating systems to add a hardcoded backdoor password, bypassing normal authentication for local accounts on routers, switches, and VPN appliances. SYNful Knock implanted a backdoor password in Cisco IOS router images, checking if login credentials match the backdoor password before passing them to normal authentication. SLOWPULSE modified Pulse Secure LDAP and 2FA authentication to accept a designated attacker-supplied password. Detection relies on network configuration integrity checks and unusual authentication behavior.

MITRE ATT&CK

Tactic: Credential Access, Defense Evasion, Persistence
Technique: T1556 Modify Authentication Process
Sub-technique: T1556.004 Network Device Authentication
Canonical reference: https://attack.mitre.org/techniques/T1556/004/

Elastic Detection Query

Elastic Security (Elastic), EQL:
sequence by host.name, source.ip with maxspan=1h
  [authentication where
    event.outcome == "failure" and
    (
      event.dataset in ("cisco.ios", "cisco.asa", "juniper.junos", "palo_alto.firewall") or
      host.name : ("*router*", "*switch*", "*fw*", "*vpn*", "*asa*", "*ios*", "*junos*", "*nexus*", "*palo*") or
      log.syslog.facility.name in ("security", "auth", "authpriv")
    )
  ] with runs=5
  [authentication where
    event.outcome == "success" and
    (
      event.dataset in ("cisco.ios", "cisco.asa", "juniper.junos", "palo_alto.firewall") or
      host.name : ("*router*", "*switch*", "*fw*", "*vpn*", "*asa*", "*ios*", "*junos*", "*nexus*", "*palo*") or
      log.syslog.facility.name in ("security", "auth", "authpriv")
    )
  ]
Severity: high. Confidence: medium.

Detects potential hardcoded backdoor authentication on network devices (T1556.004) using an EQL sequence that requires 5+ authentication failures followed by a success from the same source IP against the same network device within a 1-hour window. This failure-then-success pattern is consistent with an attacker testing a backdoor credential after observing failed legitimate attempts, as documented with SYNful Knock (Cisco IOS) and SLOWPULSE (Pulse Secure). An alternative rule should separately flag clean-success anomalies (zero failures, many successes) using a threshold alert over this same filter for the no-prior-failures backdoor variant.
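As an added illustration that is not part of the Elastic rule or this page, the following Python approximates the sequence logic described above and the clean-success threshold variant over constructed ECS-style events (field names and filter values come from the query; hostnames, IPs and timestamps are made up, and treating a success as closing a failure run is a simplification of EQL's sequence matching):

```python
from collections import defaultdict
from datetime import datetime, timedelta
DATASETS = {"cisco.ios", "cisco.asa", "juniper.junos", "palo_alto.firewall"}
HOST_HINTS = ("router", "switch", "fw", "vpn", "asa", "ios", "junos", "nexus", "palo")
FACILITIES = {"security", "auth", "authpriv"}   # all three value lists come from the page's EQL filter
def is_network_device_auth(ev):
    # Same three-way OR as the query: dataset, host.name wildcard, or syslog facility.
    return (ev.get("event.dataset") in DATASETS
            or any(h in ev.get("host.name", "").lower() for h in HOST_HINTS)
            or ev.get("log.syslog.facility.name") in FACILITIES)

def failure_then_success(events, runs=5, maxspan=timedelta(hours=1)):
    # Approximates the query's sequence: per (host.name, source.ip), `runs` failures then a
    # success, all within maxspan. Returns (host, ip, first failure time, success time).
    alerts, pending = [], defaultdict(list)          # (host, ip) -> recent failure timestamps
    for ev in sorted(filter(is_network_device_auth, events), key=lambda e: e["@timestamp"]):
        key, ts = (ev["host.name"], ev["source.ip"]), ev["@timestamp"]
        fails = pending[key]
        if ev["event.outcome"] == "failure":
            fails.append(ts)
            while ts - fails[0] > maxspan:           # forget failures too old to share a window
                fails.pop(0)
        elif ev["event.outcome"] == "success":
            if len(fails) >= runs and ts - fails[-runs] <= maxspan:
                alerts.append((key[0], key[1], fails[-runs], ts))
            fails.clear()                            # assumption: a success closes the run
    return alerts

def clean_success_anomaly(events, min_successes=10, window=timedelta(hours=1)):
    # Threshold variant from the description: many successes and no failures within one window.
    by_key = defaultdict(list)
    for ev in filter(is_network_device_auth, events):
        by_key[(ev["host.name"], ev["source.ip"])].append((ev["@timestamp"], ev["event.outcome"]))
    flagged = []
    for key, rows in sorted(by_key.items()):
        rows.sort()
        windows = ([o for t, o in rows[i:] if t - t0 <= window] for i, (t0, _) in enumerate(rows))
        if any("failure" not in w and w.count("success") >= min_successes for w in windows):
            flagged.append(key)
    return flagged

T0 = datetime(2024, 1, 1, 9, 0)   # constructed sample events, not real telemetry
def ev(minute, host, ip, outcome, dataset="cisco.ios"):
    return {"@timestamp": T0 + timedelta(minutes=minute), "host.name": host,
            "source.ip": ip, "event.outcome": outcome, "event.dataset": dataset}
SAMPLE = ([ev(m, "edge-router-01", "10.0.0.5", "failure") for m in range(5)]            # 5 fails in 5 min
          + [ev(6, "edge-router-01", "10.0.0.5", "success")]                           # then success: alert
          + [ev(m, "core-switch-02", "10.0.0.9", "failure") for m in range(0, 450, 90)]  # 90 min apart
          + [ev(361, "core-switch-02", "10.0.0.9", "success")]                         # too slow: no alert
          + [ev(m, "vpn-gw-03", "203.0.113.7", "success", "other") for m in range(12)])  # clean successes
```

The tuning cases listed under False Positives map onto this model as an allowlist of configuration-management and PAM-client source IPs applied before the sequence is evaluated.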

Data Sources

  • Filebeat Cisco IOS integration (logs-cisco.ios-*)
  • Filebeat Cisco ASA integration (logs-cisco.asa-*)
  • Filebeat Juniper JunOS integration (logs-juniper.junos-*)
  • Filebeat Palo Alto Firewall integration (logs-palo_alto.firewall-*)
  • Generic syslog via Filebeat with ECS normalization applied by an ingest pipeline (filebeat-*)

Required Tables

  • logs-cisco.ios-*
  • logs-cisco.asa-*
  • logs-juniper.junos-*
  • logs-palo_alto.firewall-*
  • filebeat-*

False Positives & Tuning

  • Legitimate password rotation distributed late to network operations staff causes a burst of failures from the same admin workstation IP before a successful login with the newly issued credential, matching the runs=5 failure-then-success sequence.
  • Automated configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) authenticating with rotating service account credentials may generate multiple failure events before the updated credential is used, producing sequences that match the detection window.
  • Network engineers accessing devices after a PAM vault credential rotation will fail several times using a cached credential before retrieving the updated password from the vault and authenticating successfully, appearing identical to backdoor exploitation.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Verify Cisco IOS Image Hash (Integrity Check)

    Expected signal: SSH authentication event in network device syslog. Network device syslog entry for privileged exec command execution. If syslog forwarding is configured, Splunk/Sentinel will capture the authentication and command events.

  2. Test 2: Simulate Failed Network Device Authentication (Syslog Testing)

    Expected signal: Network device syslog entries: 'Authentication failed for user testuser from <IP>'. If forwarded to SIEM: Splunk index=network_syslog with authentication failure events. Five events in rapid succession should trigger the failure rate detection.

  3. Test 3: Check Network Device Syslog Collection

    Expected signal: Test syslog message appearing in SIEM with source IP of the test host. The message mimics a Cisco IOS login success event and should match the network device authentication detection patterns.
