T1556 Sumo Logic CSE · Sumo

Detect Modify Authentication Process in Sumo Logic CSE

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems. By modifying an authentication process, an adversary may authenticate to a service or system without using valid accounts, or may passively harvest credentials as users authenticate. Techniques include registering malicious password filter DLLs that receive plaintext passwords during every password change, injecting security support providers (SSPs) into LSASS to intercept credentials, installing skeleton keys to accept any password for domain accounts, modifying PAM stack configuration files to permit unauthorized access, and replacing legitimate authentication binaries with trojanized versions that exfiltrate credentials.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Canonical reference
https://attack.mitre.org/techniques/T1556/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=os/windows OR _sourceCategory=windows/sysmon OR _sourceCategory=wineventlog)
| parse regex "(?:EventCode|EventID)[=:\s>]+(?:<[^>]+>)?(?P<EventCode>\d+)" nodrop
| parse regex "(?:TargetObject|ObjectName)[=:\s>]+(?:<[^>]+>)?(?P<TargetObject>[^\n<]+)" nodrop
| parse regex "(?<!Loaded)(?:Image)[=:\s>]+(?:<[^>]+>)?(?P<Image>[^\n<]+)" nodrop
| parse regex "ImageLoaded[=:\s>]+(?:<[^>]+>)?(?P<ImageLoaded>[^\n<]+)" nodrop
| parse regex "(?:User|SubjectUserName)[=:\s>]+(?:<[^>]+>)?(?P<User>[^\n<]+)" nodrop
| where (
    (
      EventCode = "13" AND (
        TargetObject contains "\Control\Lsa\Notification Packages" OR
        TargetObject contains "\Control\Lsa\Security Packages" OR
        TargetObject contains "\Control\Lsa\Authentication Packages" OR
        TargetObject contains "\Control\Lsa\OSConfig" OR
        TargetObject contains "\Control\NetworkProvider\Order" OR
        TargetObject contains "\Winlogon\GinaDLL" OR
        TargetObject contains "\Authentication\Credential Providers"
      )
    )
    OR EventCode in ("4610", "4614")
    OR (
      EventCode = "7" AND
      Image matches "*lsass.exe" AND NOT (
        ImageLoaded matches "*\ntdll.dll" OR
        ImageLoaded matches "*\kernel32.dll" OR
        ImageLoaded matches "*\kernelbase.dll" OR
        ImageLoaded matches "*\kerberos.dll" OR
        ImageLoaded matches "*\msv1_0.dll" OR
        ImageLoaded matches "*\wdigest.dll" OR
        ImageLoaded matches "*\tspkg.dll" OR
        ImageLoaded matches "*\pku2u.dll" OR
        ImageLoaded matches "*\cloudap.dll" OR
        ImageLoaded matches "*\schannel.dll" OR
        ImageLoaded matches "*\cryptdll.dll" OR
        ImageLoaded matches "*\samsrv.dll" OR
        ImageLoaded matches "*\lsasrv.dll" OR
        ImageLoaded matches "*\netlogon.dll" OR
        ImageLoaded matches "*\ntlmshared.dll" OR
        ImageLoaded matches "*\msvcrt.dll"
      )
    )
  )
| where NOT (
    Image matches "*TrustedInstaller.exe" OR
    Image matches "*MsMpEng.exe" OR
    Image matches "*msiexec.exe" OR
    Image matches "*wuauclt.exe"
  )
| eval DetectionType = if(EventCode = "7", "Unexpected DLL Load by LSASS",
    if(EventCode in ("4610","4614"), "Authentication Package Loaded by LSA",
    if(TargetObject contains "Notification Packages", "Password Filter DLL Registration",
    if(TargetObject contains "Security Packages", "SSP Registration",
    if(TargetObject contains "Authentication Packages", "Authentication Package Registration",
    if(TargetObject contains "NetworkProvider", "Network Provider DLL Registration",
    if(TargetObject contains "GinaDLL", "GINA DLL Modification",
    "LSA Authentication Modification")))))))
| eval Severity = if(DetectionType in ("Password Filter DLL Registration", "SSP Registration", "GINA DLL Modification"), "Critical", "High")
| fields _messageTime, _sourceHost, User, DetectionType, Severity, EventCode, TargetObject, ImageLoaded, Image
| sort - _messageTime
critical severity high confidence

Sumo Logic detection for T1556 parsing Windows Event Log and Sysmon telemetry using regex field extraction from raw log data. Handles both XML-formatted Sysmon events and flat key=value Windows Security events. Detects Sysmon EventCode 13 (registry value set) modifications to all LSA credential interception paths, EventCode 7 (image load) for unexpected LSASS DLL loads, and Security EventID 4610/4614 for authentication and notification package loading by SAM/LSA. Adjust _sourceCategory values to match your Sumo Logic collector source configuration. For pre-parsed Sysmon events (e.g., via Sumo Logic app), field names may already be available without regex extraction.

Data Sources

Sumo Logic Installed Collector (Windows Event Log source)Sumo Logic Installed Collector (Sysmon operational log source)Sumo Logic Cloud Syslog for Windows Event Forwarding (WEF)

Required Tables

Sumo Logic partition containing Windows/Sysmon events (default or custom partition per _sourceCategory)

False Positives & Tuning

  • Software deployment tooling (SCCM, Intune, PDQ Deploy) using msiexec to install authentication-related software — msiexec is excluded by the NOT filter but installer child processes that write registry keys directly may not be
  • Antivirus or DLP products with credential inspection features loading monitoring hooks into lsass.exe — common in enterprise environments with Symantec DLP, Forcepoint DLP, or McAfee MVISION deployed to endpoints
  • Identity Provider integrations (Okta Verify, Azure AD Connect, Ping Identity, OneLogin) registering credential provider DLLs as part of enterprise SSO or passwordless authentication rollouts
Download portable Sigma rule (.yml)

Other platforms for T1556

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Register Benign Password Filter DLL in LSA Notification Packages

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details contains 'df00tech-test-filter', Image=powershell.exe. Windows Security Event ID 4657 if SACL is configured on the LSA key. DeviceRegistryEvents in MDE: RegistryKey contains 'Notification Packages', RegistryValueData contains new DLL name, InitiatingProcessFileName=powershell.exe.

  2. Test 2Register Fake Security Support Provider (SSP) in LSA Security Packages

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, Details appended with 'df00tech-test-ssp'. DeviceRegistryEvents: RegistryKey contains 'Security Packages', ActionType=RegistryValueSet. If system reboots, Security Event ID 4610 will fire listing the (missing) SSP DLL name — LSASS will generate an error in System event log.

  3. Test 3Modify PAM Configuration to Permit Authentication Bypass on Linux

    Expected signal: Linux auditd: syscall=openat/write on path=/etc/pam.d/sshd with auid=<attacker_uid> if auditd watches are configured (-w /etc/pam.d/ -p wa -k pam_modification). Syslog: process writing to /etc/pam.d/sshd. File integrity monitoring (AIDE, Tripwire) will alert on hash change to /etc/pam.d/sshd. DeviceFileEvents (for Linux onboarded to MDE): FileModified on /etc/pam.d/sshd.

  4. Test 4Register Malicious Network Provider DLL via Registry

    Expected signal: Sysmon Event ID 13: TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Image=powershell.exe, Details contains appended provider name. DeviceRegistryEvents: RegistryKey contains 'NetworkProvider\Order', RegistryValueName='ProviderOrder', ActionType=RegistryValueSet.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (9)

Related Techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.008Network Provider DLLT1003OS Credential DumpingT1547.005Security Support ProviderT1574Hijack Execution FlowT1078Valid AccountsT1543Create or Modify System Process

Same Tactic: Credential Access

Popular Detections