Detect Modify Authentication Process in IBM QRadar
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems. By modifying an authentication process, an adversary may authenticate to a service or system without using valid accounts, or may passively harvest credentials as users authenticate. Techniques include registering malicious password filter DLLs that receive plaintext passwords during every password change, injecting security support providers (SSPs) into LSASS to intercept credentials, installing skeleton keys to accept any password for domain accounts, modifying PAM stack configuration files to permit unauthorized access, and replacing legitimate authentication binaries with trojanized versions that exfiltrate credentials.
MITRE ATT&CK
- Technique: T1556 Modify Authentication Process
- Canonical reference: https://attack.mitre.org/techniques/T1556/
QRadar Detection Query
```sql
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    sourceip AS HostIP,
    username AS UserName,
    eventid AS EventID,
    "TargetObject" AS RegistryPath,
    "Image" AS InitiatingProcess,
    "ImageLoaded" AS LoadedDLL,
    CASE
        WHEN eventid = 7 THEN 'Unexpected DLL Load by LSASS'
        WHEN eventid IN (4610, 4614) THEN 'Authentication Package Loaded by SAM/LSA'
        WHEN "TargetObject" ILIKE '%Notification Packages%' THEN 'Password Filter DLL Registration'
        WHEN "TargetObject" ILIKE '%Security Packages%' AND "TargetObject" NOT ILIKE '%OSConfig%' THEN 'SSP Registration'
        WHEN "TargetObject" ILIKE '%Authentication Packages%' THEN 'Authentication Package Registration'
        WHEN "TargetObject" ILIKE '%NetworkProvider%' THEN 'Network Provider DLL Registration'
        WHEN "TargetObject" ILIKE '%GinaDLL%' THEN 'GINA DLL Modification'
        WHEN "TargetObject" ILIKE '%Credential Providers%' THEN 'Credential Provider Registration'
        ELSE 'LSA Authentication Configuration Modification'
    END AS DetectionType,
    CASE
        WHEN "TargetObject" ILIKE '%Notification Packages%' THEN 'Critical'
        WHEN "TargetObject" ILIKE '%Security Packages%' THEN 'Critical'
        WHEN "TargetObject" ILIKE '%GinaDLL%' THEN 'Critical'
        ELSE 'High'
    END AS Severity
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    (
      eventid = 13
      AND (
        "TargetObject" ILIKE '%\Control\Lsa\Notification Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\Security Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\Authentication Packages%'
        OR "TargetObject" ILIKE '%\Control\Lsa\OSConfig\Security Packages%'
        OR "TargetObject" ILIKE '%\Control\NetworkProvider\Order%'
        OR "TargetObject" ILIKE '%\CurrentVersion\Winlogon\GinaDLL%'
        OR "TargetObject" ILIKE '%\CurrentVersion\Authentication\Credential Providers%'
      )
      AND "Image" NOT ILIKE '%TrustedInstaller.exe'
      AND "Image" NOT ILIKE '%MsMpEng.exe'
      AND "Image" NOT ILIKE '%msiexec.exe'
      AND "Image" NOT ILIKE '%wuauclt.exe'
    )
    OR (
      eventid IN (4610, 4614)
    )
    OR (
      eventid = 7
      AND "Image" ILIKE '%lsass.exe'
      AND "ImageLoaded" NOT ILIKE '%\ntdll.dll'
      AND "ImageLoaded" NOT ILIKE '%\kernel32.dll'
      AND "ImageLoaded" NOT ILIKE '%\kernelbase.dll'
      AND "ImageLoaded" NOT ILIKE '%\kerberos.dll'
      AND "ImageLoaded" NOT ILIKE '%\msv1_0.dll'
      AND "ImageLoaded" NOT ILIKE '%\wdigest.dll'
      AND "ImageLoaded" NOT ILIKE '%\tspkg.dll'
      AND "ImageLoaded" NOT ILIKE '%\pku2u.dll'
      AND "ImageLoaded" NOT ILIKE '%\cloudap.dll'
      AND "ImageLoaded" NOT ILIKE '%\schannel.dll'
      AND "ImageLoaded" NOT ILIKE '%\cryptdll.dll'
      AND "ImageLoaded" NOT ILIKE '%\samsrv.dll'
      AND "ImageLoaded" NOT ILIKE '%\lsasrv.dll'
      AND "ImageLoaded" NOT ILIKE '%\netlogon.dll'
      AND "ImageLoaded" NOT ILIKE '%\ntlmshared.dll'
      AND "ImageLoaded" NOT ILIKE '%\msvcrt.dll'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS
```
QRadar AQL detection for T1556 querying Sysmon (Event ID 13 registry value set, Event ID 7 image load) and Windows Security (Event ID 4610 authentication package load, 4614 notification package load) log sources. It identifies modifications to all LSA credential-interception persistence paths and unexpected DLLs loaded by lsass.exe. It requires QRadar DSM custom properties configured to extract TargetObject, Image, and ImageLoaded from Sysmon XML payloads, and uses ILIKE for case-insensitive matching across registry key path variations. Note that writes to the OSConfig\Security Packages key fall through to the ELSE branch of the DetectionType CASE while the Severity CASE still rates them Critical.
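As an added example that is not part of this page or of QRadar, the query's WHERE and CASE logic re-implemented in Python and run over constructed sample events, so the exclusions and the OSConfig fall-through can be checked offline; the dictionary keys follow the custom properties the query reads, and the sample paths and DLL name are assumptions.

```python
# Added example (not page or QRadar code): Python mirror of the AQL WHERE/CASE logic.
LSA_PATHS = (r"\control\lsa\notification packages", r"\control\lsa\security packages",
             r"\control\lsa\authentication packages", r"\control\lsa\osconfig\security packages",
             r"\control\networkprovider\order", r"\currentversion\winlogon\ginadll",
             r"\currentversion\authentication\credential providers")
EXCLUDED_IMAGES = ("trustedinstaller.exe", "msmpeng.exe", "msiexec.exe", "wuauclt.exe")
EXPECTED_LSASS_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "kerberos.dll", "msv1_0.dll",
                       "wdigest.dll", "tspkg.dll", "pku2u.dll", "cloudap.dll", "schannel.dll",
                       "cryptdll.dll", "samsrv.dll", "lsasrv.dll", "netlogon.dll", "ntlmshared.dll",
                       "msvcrt.dll"}
REGISTRY_RULES = (  # same order as the DetectionType CASE: (substring, label, Severity)
                  ("notification packages", "Password Filter DLL Registration", "Critical"),
                  ("security packages", "SSP Registration", "Critical"),
                  ("authentication packages", "Authentication Package Registration", "High"),
                  ("networkprovider", "Network Provider DLL Registration", "High"),
                  ("ginadll", "GINA DLL Modification", "Critical"),
                  ("credential providers", "Credential Provider Registration", "High"))

def matches(ev):  # WHERE clause; lower-casing stands in for ILIKE
    eid, image = ev.get("eventid"), ev.get("Image", "").lower()
    if eid == 13:
        target = ev.get("TargetObject", "").lower()
        return any(p in target for p in LSA_PATHS) and not image.endswith(EXCLUDED_IMAGES)
    if eid in (4610, 4614):
        return True
    if eid == 7 and image.endswith("lsass.exe"):
        return ev.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1] not in EXPECTED_LSASS_DLLS
    return False

def classify(ev):  # the two CASE expressions -> (DetectionType, Severity)
    if ev.get("eventid") == 7:
        return "Unexpected DLL Load by LSASS", "High"
    if ev.get("eventid") in (4610, 4614):
        return "Authentication Package Loaded by SAM/LSA", "High"
    target = ev.get("TargetObject", "").lower()
    for needle, label, severity in REGISTRY_RULES:
        if needle in target and not (needle == "security packages" and "osconfig" in target):
            return label, severity
    # OSConfig\Security Packages falls through to ELSE but is still rated Critical.
    return "LSA Authentication Configuration Modification", (
        "Critical" if "security packages" in target else "High")

def detect(events):  # rows the query would return, as (DetectionType, Severity)
    return [classify(ev) for ev in events if matches(ev)]

# Constructed sample events (not real telemetry), keyed like the query's fields.
SAMPLE_EVENTS = [
    {"eventid": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages"},
    {"eventid": 13, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages"},
    {"eventid": 7, "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Windows\System32\kerberos.dll"},
    {"eventid": 7, "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Users\Public\sample-ssp.dll"},
]
```

Running `detect(SAMPLE_EVENTS)` surfaces only the PowerShell write and the unexpected LSASS load; the TrustedInstaller write and the kerberos.dll load are dropped exactly as the query's NOT ILIKE filters drop them.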
False Positives & Tuning
- Windows Update or WSUS pushing authentication provider updates via TrustedInstaller or wuauclt — the NOT filter excludes these processes but watch for unusual update timing outside maintenance windows
- Domain-joined systems receiving GPO-deployed authentication packages during domain setup or policy refresh — Kerberos extensions, smart card middleware, and DirectAccess components can all trigger legitimate LSA key writes
- Security product installation or major version upgrades (endpoint DLP, PAM agents, CASB proxies) that register credential provider DLLs for credential capture or SSO interception features
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Register Benign Password Filter DLL in LSA Notification Packages
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details contains 'df00tech-test-filter', Image=powershell.exe. Windows Security Event ID 4657 if a SACL is configured on the LSA key. DeviceRegistryEvents in MDE: RegistryKey contains 'Notification Packages', RegistryValueData contains the new DLL name, InitiatingProcessFileName=powershell.exe.
- Test 2: Register Fake Security Support Provider (SSP) in LSA Security Packages
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, Details appended with 'df00tech-test-ssp'. DeviceRegistryEvents: RegistryKey contains 'Security Packages', ActionType=RegistryValueSet. If the system reboots, Security Event ID 4610 will fire listing the (missing) SSP DLL name — LSASS will generate an error in the System event log.
- Test 3: Modify PAM Configuration to Permit Authentication Bypass on Linux
Expected signal: Linux auditd: syscall=openat/write on path=/etc/pam.d/sshd with auid=<attacker_uid> if auditd watches are configured (-w /etc/pam.d/ -p wa -k pam_modification). Syslog: process writing to /etc/pam.d/sshd. File integrity monitoring (AIDE, Tripwire) will alert on the hash change to /etc/pam.d/sshd. DeviceFileEvents (for Linux onboarded to MDE): FileModified on /etc/pam.d/sshd.
- Test 4: Register Malicious Network Provider DLL via Registry
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Image=powershell.exe, Details contains the appended provider name. DeviceRegistryEvents: RegistryKey contains 'NetworkProvider\Order', RegistryValueName='ProviderOrder', ActionType=RegistryValueSet.
References (9)
- https://attack.mitre.org/techniques/T1556/
- https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- https://xorrior.com/persistent-credential-theft/
- https://www.secureworks.com/research/skeleton-key-malware-analysis
- https://adsecurity.org/?p=2053
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_lsa_packages.yml
Related Detections
Sub-techniques (9)
- T1556.001 Domain Controller Authentication
- T1556.002 Password Filter DLL
- T1556.003 Pluggable Authentication Modules
- T1556.004 Network Device Authentication
- T1556.005 Reversible Encryption
- T1556.006 Multi-Factor Authentication
- T1556.007 Hybrid Identity
- T1556.008 Network Provider DLL
- T1556.009 Conditional Access Policies