Modify Authentication Process

What is "Modify Authentication Process"?

Modify Authentication Process is a technique identified under the MITRE ATT&CK framework, specifically categorized under Credential Access. This technique involves an adversary altering the authentication process within a system to bypass or weaken security measures, allowing unauthorized access or privilege elevation without valid credentials.

How is the "Modify Authentication Process" executed?

  1. Patch System Binaries: The attacker modifies system binaries related to authentication, such as sshd on Unix systems or lsass.exe on Windows systems. For example, replacing the binary with a modified version that does not verify passwords correctly.

  2. Manipulate Configuration Files: Altering configuration files to change authentication settings. For instance, modifying the sshd_config file in Unix to enable password-less SSH logins.

  3. DLL Injection: Injecting malicious dynamic-link libraries (DLLs) that intercept and manipulate calls to authentication functions in applications.

  4. Memory Patching: Directly modifying memory of running processes related to authentication using techniques like hooking or patching function calls to bypass password checks.

  5. Replacing Authentication Modules: Swapping legitimate authentication modules with rogue ones that can authenticate using attacker-defined credentials or rules.
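Steps 1, 2 and 5 all leave a trace on disk: a patched binary, a weakened config directive, or a module that was not there before. The script below is an added defender-side example, not part of the original page; it compares SHA-256 hashes of authentication components against a known-good baseline and flags sshd_config directives that weaken authentication. All file paths and contents are constructed samples, and the baseline would in practice be generated on a known-good host and stored off-box.

```python
import hashlib
import re

# Constructed known-good snapshot of authentication components (not real file contents).
KNOWN_GOOD = {
    "/usr/sbin/sshd": b"\x7fELF sshd (constructed sample)",
    "/lib/security/pam_unix.so": b"\x7fELF pam_unix (constructed sample)",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nUsePAM yes\n",
}
# Constructed later snapshot: one module patched, config weakened, one module added.
OBSERVED = {
    "/usr/sbin/sshd": KNOWN_GOOD["/usr/sbin/sshd"],
    "/lib/security/pam_unix.so": b"\x7fELF pam_unix (constructed sample, patched)",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPermitEmptyPasswords yes\nUsePAM yes\n",
    "/lib/security/pam_extra.so": b"\x7fELF unknown module (constructed sample)",
}
# sshd_config directive values that weaken authentication (keys and values lower-cased).
WEAK_SSHD = {"permitemptypasswords": {"yes"}, "permitrootlogin": {"yes"}, "usepam": {"no"}}

def build_baseline(files):
    """Map each path to the SHA-256 of its content; keep the result off-host and read-only."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def check_integrity(baseline, current):
    """Return (path, status) for files that are modified, missing, or absent from the baseline."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif hashlib.sha256(current[path]).hexdigest() != expected:
            findings.append((path, "modified"))
    findings += [(path, "unexpected") for path in current if path not in baseline]
    return findings

def weak_sshd_directives(config_text):
    """Return (directive, value) pairs in sshd_config that weaken authentication."""
    weak = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and blank lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # accepts "Key value" or "Key=value"
        if len(parts) == 2 and parts[1].lower() in WEAK_SSHD.get(parts[0].lower(), set()):
            weak.append((parts[0], parts[1]))
    return weak

def audit(baseline_files=KNOWN_GOOD, observed_files=OBSERVED):
    """Run both checks against the two snapshots and return (integrity drift, weak directives)."""
    drift = check_integrity(build_baseline(baseline_files), observed_files)
    weak = weak_sshd_directives(observed_files.get("/etc/ssh/sshd_config", b"").decode())
    return drift, weak
```

Calling `audit()` on the constructed snapshots reports the patched PAM module, the changed sshd_config, the unexpected extra module, and the two weakened directives, while the untouched sshd binary produces no finding.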

Where does "Modify Authentication Process" typically occur?

This technique can be applied at multiple layers within an IT environment:

  • Operating System Level: Modifying OS components that handle user authentication.
  • Application Level: Targeting specific applications' authentication mechanisms, such as web applications or databases.
  • Network Level: Intercepting and altering network traffic associated with authentication processes, potentially via man-in-the-middle attacks.

Why use "Modify Authentication Process"?

The primary motivations for employing this technique include:

  • Bypassing Security Controls: To gain unauthorized access without needing legitimate credentials.
  • Elevation of Privileges: To obtain higher-level permissions than those granted by user credentials.
  • Persistence: Ensuring continued access by creating backdoors in the authentication process.
  • Lateral Movement: Facilitating movement within a network by bypassing local authentication mechanisms on multiple systems.

This approach is particularly effective in environments where direct credential theft is difficult due to strong security policies and monitoring, but where system integrity checks are weaker. It gives attackers sustained, stealthy access, making it a potent threat in sophisticated cyber attacks.