Detect Modify Authentication Process in Google Chronicle
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems. By modifying an authentication process, an adversary may authenticate to a service or system without using valid accounts, or may passively harvest credentials as users authenticate. Techniques include registering malicious password filter DLLs that receive plaintext passwords during every password change, injecting security support providers (SSPs) into LSASS to intercept credentials, installing skeleton keys to accept any password for domain accounts, modifying PAM stack configuration files to permit unauthorized access, and replacing legitimate authentication binaries with trojanized versions that exfiltrate credentials.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Canonical reference
- https://attack.mitre.org/techniques/T1556/
YARA-L Detection Query
rule t1556_lsa_registry_modification {
meta:
author = "Detection Engineering"
description = "T1556 - LSA authentication registry modification for credential interception. Covers Notification Packages (password filter DLLs), Security Packages (SSPs), Authentication Packages, NetworkProvider Order, GinaDLL, and Credential Providers keys."
mitre_attack_tactic = "Credential Access"
mitre_attack_technique = "T1556"
severity = "CRITICAL"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1556/"
events:
$reg.metadata.event_type = "REGISTRY_MODIFICATION"
(
re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Notification Packages`) or
re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Security Packages`) or
re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\Authentication Packages`) or
re.regex($reg.target.registry.registry_key, `(?i)\\Control\\Lsa\\OSConfig`) or
re.regex($reg.target.registry.registry_key, `(?i)\\Control\\NetworkProvider\\Order`) or
re.regex($reg.target.registry.registry_key, `(?i)\\CurrentVersion\\Winlogon\\GinaDLL`) or
re.regex($reg.target.registry.registry_key, `(?i)\\CurrentVersion\\Authentication\\Credential Providers`)
)
not re.regex($reg.principal.process.file.full_path, `(?i)(TrustedInstaller\.exe|MsMpEng\.exe|msiexec\.exe|wuauclt\.exe|WindowsUpdateAgent\.exe)`)
condition:
$reg
}
rule t1556_lsass_unexpected_dll_load {
meta:
author = "Detection Engineering"
description = "T1556 - Unexpected DLL loaded by lsass.exe, indicative of SSP injection, in-memory password filter registration, or skeleton key implant. Filters known-good authentication DLL baseline."
mitre_attack_tactic = "Credential Access"
mitre_attack_technique = "T1556"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1556/"
events:
$load.metadata.event_type = "PROCESS_MODULE_LOAD"
re.regex($load.principal.process.file.full_path, `(?i)[/\\]lsass\.exe$`)
not re.regex($load.target.file.full_path, `(?i)(ntdll\.dll|kernel32\.dll|kernelbase\.dll|msvcrt\.dll|kerberos\.dll|msv1_0\.dll|wdigest\.dll|tspkg\.dll|pku2u\.dll|cloudap\.dll|schannel\.dll|cryptdll\.dll|samsrv\.dll|lsasrv\.dll|netlogon\.dll|ntlmshared\.dll|rassfm\.dll|svrt\.dll)$`)
condition:
$load
}Two Chronicle YARA-L 2.0 rules for T1556 using Google Security Operations UDM normalized event model. Rule 1 (t1556_lsa_registry_modification) matches REGISTRY_MODIFICATION events targeting all LSA authentication persistence paths, excluding known legitimate modifiers. Rule 2 (t1556_lsass_unexpected_dll_load) matches PROCESS_MODULE_LOAD events where lsass.exe loads a DLL not in the known-good baseline, covering in-memory SSP injection and password filter DLL loading without a registry change. Both rules use re.regex() with case-insensitive flags against UDM registry key and file path fields respectively.
Data Sources
Required Tables
False Positives & Tuning
- Microsoft Credential Guard or Virtualization-Based Security (VBS) initialization loading isolation shim DLLs into lsass.exe during the Windows secure boot sequence on Hyper-V or hardware VBS-enabled endpoints
- Domain controller promotion (dcpromo) or AD DS / AD LDS role installation modifying authentication packages and security packages as part of legitimate domain controller setup
- Enterprise PKI or certificate authority software (DigiCert, Entrust, ADCS) registering cryptographic service providers or minidriver DLLs into the LSA credential provider chain during initial deployment
Other platforms for T1556
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register Benign Password Filter DLL in LSA Notification Packages
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details contains 'df00tech-test-filter', Image=powershell.exe. Windows Security Event ID 4657 if SACL is configured on the LSA key. DeviceRegistryEvents in MDE: RegistryKey contains 'Notification Packages', RegistryValueData contains new DLL name, InitiatingProcessFileName=powershell.exe.
- Test 2Register Fake Security Support Provider (SSP) in LSA Security Packages
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, Details appended with 'df00tech-test-ssp'. DeviceRegistryEvents: RegistryKey contains 'Security Packages', ActionType=RegistryValueSet. If system reboots, Security Event ID 4610 will fire listing the (missing) SSP DLL name — LSASS will generate an error in System event log.
- Test 3Modify PAM Configuration to Permit Authentication Bypass on Linux
Expected signal: Linux auditd: syscall=openat/write on path=/etc/pam.d/sshd with auid=<attacker_uid> if auditd watches are configured (-w /etc/pam.d/ -p wa -k pam_modification). Syslog: process writing to /etc/pam.d/sshd. File integrity monitoring (AIDE, Tripwire) will alert on hash change to /etc/pam.d/sshd. DeviceFileEvents (for Linux onboarded to MDE): FileModified on /etc/pam.d/sshd.
- Test 4Register Malicious Network Provider DLL via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Image=powershell.exe, Details contains appended provider name. DeviceRegistryEvents: RegistryKey contains 'NetworkProvider\Order', RegistryValueName='ProviderOrder', ActionType=RegistryValueSet.
References (9)
- https://attack.mitre.org/techniques/T1556/
- https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- https://xorrior.com/persistent-credential-theft/
- https://www.secureworks.com/research/skeleton-key-malware-analysis
- https://adsecurity.org/?p=2053
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_lsa_packages.yml
Unlock Pro Content
Get the full detection package for T1556 including response playbook, investigation guide, and atomic red team tests.
Related Detections
Sub-techniques (9)
- T1556.001Domain Controller Authentication
- T1556.002Password Filter DLL
- T1556.003Pluggable Authentication Modules
- T1556.004Network Device Authentication
- T1556.005Reversible Encryption
- T1556.006Multi-Factor Authentication
- T1556.007Hybrid Identity
- T1556.008Network Provider DLL
- T1556.009Conditional Access Policies