title: Modify Authentication Process (T1556)
id: df00tech-t1556
status: experimental
description: "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems. By modifying an authentication process, an adversary may authenticate to a service or system without using valid accounts, or may passively harvest credentials as users authenticate. Techniques include registering malicious password filter DLLs that receive plaintext passwords during every password change, injecting security support providers (SSPs) into LSASS to intercept credentials, installing skeleton keys to accept any password for domain accounts, modifying PAM stack configuration files to permit unauthorized access, and replacing legitimate authentication binaries with trojanized versions that exfiltrate credentials."
references:
  - https://attack.mitre.org/techniques/T1556/
  - https://df00tech.com/detections/T1556
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; the selection below matches every event and is only a placeholder, so do not deploy it as-is. See the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate MFA solutions (Duo Security, Okta Verify, RSA SecurID) that install custom credential provider DLLs during initial setup — filter by InitiatingProcessFileName = msiexec.exe and correlate with change management tickets"
  - "Enterprise privileged access management tools (CyberArk, BeyondTrust, Centrify) that register authentication packages — build an allowlist of their specific DLL names"
  - "Windows Defender Credential Guard enabling LSA protection, which modifies LSA configuration keys — these changes come from svchost.exe or TrustedInstaller"
  - "Third-party VPN clients and smart card middleware that install network provider DLLs or credential providers as part of software installation"
  - "Password manager enterprise editions (LastPass Enterprise, 1Password Business) installing Windows credential provider extensions"
level: critical

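Because the rule body above is only a placeholder, here is an added example (not part of the df00tech rule) of defender-side logic that flags new entries in the LSA package lists the description and falsepositives refer to: notification (password filter) packages, authentication packages and security packages. It runs over constructed registry-set events in the shape of Sysmon Event ID 13, assumes a per-environment baseline captured from a clean host, and reports changes made by the installer processes named in the falsepositives at a lower severity instead of suppressing them.

```python
# Added example, not part of the df00tech rule: flag additions to the LSA
# package lists that T1556 abuses (password filter DLLs, SSPs/authentication
# packages). Events mimic Sysmon Event ID 13 (RegistryEvent: value set).
# BASELINE is an ASSUMED golden-image snapshot, not a documented Windows default.
import re

LSA = r"hklm\system\currentcontrolset\control\lsa"
BASELINE = {
    LSA + r"\notification packages": {"scecli", "rassfm"},
    LSA + r"\authentication packages": {"msv1_0"},
    LSA + r"\security packages": {"kerberos", "msv1_0", "schannel",
                                   "wdigest", "tspkg", "pku2u"},
}
# Installers named in the rule's falsepositives: still report, lower severity.
REVIEW_IMAGES = {"msiexec.exe", "trustedinstaller.exe", "svchost.exe"}

def parse_packages(details):
    """Assumes Details carries the new REG_MULTI_SZ entries, whitespace/comma-separated."""
    parts = re.split(r"[\s,]+", details.strip())
    return {p.lower().removesuffix(".dll") for p in parts if p}

def analyze(events):
    findings = []
    for ev in events:
        target = ev["TargetObject"].lower()
        if target not in BASELINE:
            continue                      # not one of the watched LSA values
        added = parse_packages(ev["Details"]) - BASELINE[target]
        if not added:
            continue                      # only baseline packages (removals are not flagged)
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "value": target.rsplit("\\", 1)[-1],
            "added": sorted(added),
            "image": image,
            "severity": "review" if image in REVIEW_IMAGES else "critical",
        })
    return findings

# Constructed sample events (not real telemetry); package names are made up.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
     "Details": "scecli rassfm", "Image": r"C:\Windows\System32\svchost.exe"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
     "Details": "scecli rassfm examplefilter", "Image": r"C:\Windows\System32\reg.exe"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u vendorsp",
     "Image": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['value']}: +{f['added']} by {f['image']}")
```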