T1556 Microsoft Sentinel · KQL

Detect Modify Authentication Process in Microsoft Sentinel

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems. By modifying an authentication process, an adversary may authenticate to a service or system without using valid accounts, or may passively harvest credentials as users authenticate. Techniques include registering malicious password filter DLLs that receive plaintext passwords during every password change, injecting security support providers (SSPs) into LSASS to intercept credentials, installing skeleton keys to accept any password for domain accounts, modifying PAM stack configuration files to permit unauthorized access, and replacing legitimate authentication binaries with trojanized versions that exfiltrate credentials.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Canonical reference
https://attack.mitre.org/techniques/T1556/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1556: Modify Authentication Process
// Detects modifications to Windows LSA authentication registry keys used to register
// password filter DLLs, SSPs, auth packages, network providers, and GINA DLLs.
// These are the primary persistence paths for credential interception malware
// such as skeleton key (Secureworks), Ebury, Kessel, and SILENTTRINITY.
let LsaRegistryPaths = dynamic([
    "CurrentControlSet\\Control\\Lsa\\Notification Packages",
    "CurrentControlSet\\Control\\Lsa\\Security Packages",
    "CurrentControlSet\\Control\\Lsa\\Authentication Packages",
    "CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages",
    "CurrentControlSet\\Control\\NetworkProvider\\Order",
    "CurrentVersion\\Winlogon\\GinaDLL",
    "CurrentVersion\\Authentication\\Credential Providers"
]);
let TrustedModifiers = dynamic([
    "TrustedInstaller.exe", "MsMpEng.exe", "msiexec.exe",
    "wuauclt.exe", "WindowsUpdateAgent.exe", "svchost.exe"
]);
let LsaLoadEvents = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "lsass.exe"
| where not(FileName in~ (
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "msvcrt.dll",
    "kerberos.dll", "msv1_0.dll", "wdigest.dll", "tspkg.dll",
    "pku2u.dll", "cloudap.dll", "schannel.dll", "cryptdll.dll",
    "samsrv.dll", "lsasrv.dll", "netlogon.dll", "ntlmshared.dll"
))
| extend DetectionSource = "LsassUnexpectedDllLoad"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          DetectionType = "Unexpected DLL Load by LSASS",
          RegistryKey = "", RegistryValueName = "", RegistryValueData = "",
          DllName = FileName, DllPath = FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
let RegistryMods = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (LsaRegistryPaths)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where not(InitiatingProcessFileName has_any (TrustedModifiers))
| extend DetectionType = case(
    RegistryKey has "Notification Packages", "Password Filter DLL Registration",
    RegistryKey has "Security Packages" and not (RegistryKey has "OSConfig"), "Security Support Provider (SSP) Registration",
    RegistryKey has "Authentication Packages", "Authentication Package Registration",
    RegistryKey has "NetworkProvider", "Network Provider DLL Registration",
    RegistryKey has "GinaDLL", "GINA DLL Modification",
    RegistryKey has "Credential Providers", "Credential Provider Registration",
    "LSA Authentication Configuration Modification"
)
| project Timestamp, DeviceName, AccountName, DetectionType,
          RegistryKey, RegistryValueName, RegistryValueData,
          DllName = "", DllPath = "", SHA256 = "",
          InitiatingProcessFileName, InitiatingProcessCommandLine;
RegistryMods
| union LsaLoadEvents
| extend IsDomainController = DeviceName has_any ("DC", "PDC", "BDC", "RODC")
| sort by Timestamp desc
critical severity high confidence

Detects modifications to Windows LSA authentication configuration by monitoring two key signals: (1) registry writes to authentication-critical keys including LSA Notification Packages (password filters), Security Packages (SSPs), Authentication Packages, Network Provider Order, and GINA DLL paths, excluding known-good Windows system processes; and (2) unexpected DLL loads by the lsass.exe process from non-standard DLL names not part of the default Windows authentication package list. Together these cover the primary persistence mechanisms used by skeleton key malware, Ebury, Kessel, and SILENTTRINITY to intercept credentials. Domain controller detections are flagged separately given their elevated impact.

Data Sources

Registry: Registry Key ModificationModule: Module LoadProcess: Process CreationMicrosoft Defender for Endpoint

Required Tables

DeviceRegistryEventsDeviceImageLoadEvents

False Positives & Tuning

  • Legitimate MFA solutions (Duo Security, Okta Verify, RSA SecurID) that install custom credential provider DLLs during initial setup — filter by InitiatingProcessFileName = msiexec.exe and correlate with change management tickets
  • Enterprise privileged access management tools (CyberArk, BeyondTrust, Centrify) that register authentication packages — build an allowlist of their specific DLL names
  • Windows Defender Credential Guard enabling LSA protection, which modifies LSA configuration keys — these changes come from svchost.exe or TrustedInstaller
  • Third-party VPN clients and smart card middleware that install network provider DLLs or credential providers as part of software installation
  • Password manager enterprise editions (LastPass Enterprise, 1Password Business) installing Windows credential provider extensions
Download portable Sigma rule (.yml)

Other platforms for T1556

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Register Benign Password Filter DLL in LSA Notification Packages

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details contains 'df00tech-test-filter', Image=powershell.exe. Windows Security Event ID 4657 if SACL is configured on the LSA key. DeviceRegistryEvents in MDE: RegistryKey contains 'Notification Packages', RegistryValueData contains new DLL name, InitiatingProcessFileName=powershell.exe.

  2. Test 2Register Fake Security Support Provider (SSP) in LSA Security Packages

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, Details appended with 'df00tech-test-ssp'. DeviceRegistryEvents: RegistryKey contains 'Security Packages', ActionType=RegistryValueSet. If system reboots, Security Event ID 4610 will fire listing the (missing) SSP DLL name — LSASS will generate an error in System event log.

  3. Test 3Modify PAM Configuration to Permit Authentication Bypass on Linux

    Expected signal: Linux auditd: syscall=openat/write on path=/etc/pam.d/sshd with auid=<attacker_uid> if auditd watches are configured (-w /etc/pam.d/ -p wa -k pam_modification). Syslog: process writing to /etc/pam.d/sshd. File integrity monitoring (AIDE, Tripwire) will alert on hash change to /etc/pam.d/sshd. DeviceFileEvents (for Linux onboarded to MDE): FileModified on /etc/pam.d/sshd.

  4. Test 4Register Malicious Network Provider DLL via Registry

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Image=powershell.exe, Details contains appended provider name. DeviceRegistryEvents: RegistryKey contains 'NetworkProvider\Order', RegistryValueName='ProviderOrder', ActionType=RegistryValueSet.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (9)

Related Techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.008Network Provider DLLT1003OS Credential DumpingT1547.005Security Support ProviderT1574Hijack Execution FlowT1078Valid AccountsT1543Create or Modify System Process

Same Tactic: Credential Access

Popular Detections