title: Network Device Authentication (T1556.004)
id: df00tech-t1556-004
status: experimental
description: "Adversaries may patch network device operating systems to add a hardcoded backdoor password, bypassing normal authentication for local accounts on routers, switches, and VPN appliances. SYNful Knock implanted a backdoor password in Cisco IOS router images, checking if login credentials match the backdoor password before passing them to normal authentication. SLOWPULSE modified Pulse Secure LDAP and 2FA authentication to accept a designated attacker-supplied password. Detection relies on network configuration integrity checks and unusual authentication behavior."
references:
  - https://attack.mitre.org/techniques/T1556/004/
  - https://df00tech.com/detections/T1556.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.004
# NOTE: logsource is auto-derived and does not fit this technique: T1556.004 concerns authentication on
# network devices (router/switch/VPN appliance OS), not Windows network connections. Point logsource at
# your network device syslog/AAA (e.g. TACACS+/RADIUS) log source before use.
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches every event and is a placeholder only; do not deploy as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate network administrators performing password rotation across multiple devices simultaneously
  - "Network monitoring tools (SolarWinds, PRTG, LibreNMS) using SNMP or SSH that generate authentication events during polling"
  - "Automated configuration management tools (Ansible, Netmiko) running playbooks against multiple devices"
  - Network device failover events causing a brief authentication spike as backup devices come online
level: high
