Modify Authentication Process (T1556)

Associated Tactics

  • Credential Access
  • Defense Evasion
  • Persistence

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Procedure Examples

Source(s) and reference (the Description column of the original table is not present on this page):

  • Clymb3r Function Hook Passwords Sept 2013: Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.
  • Xorrior Authorization Plugins: Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021.
  • Dell Skeleton: Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.
  • dump_pwd_dcsync: Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.
  • TechNet Audit Policy: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.