Modify Authentication Process: Network Device Authentication

Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.

Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.[1]

ID: T1556.004
Sub-technique of:  T1556
Platforms: Network
Permissions Required: Administrator
Version: 2.0
Created: 19 October 2020
Last Modified: 14 December 2021

Procedure Examples

ID Name Description
S1104 SLOWPULSE

SLOWPULSE can modify LDAP and two factor authentication flows by inspecting login credentials and forcing successful authentication if the provided password matches a chosen backdoor password.[2]

S0519 SYNful Knock

SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.[1]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. [3]

M1026 Privileged Account Management

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

Detection

ID Data Source Data Component Detects
DS0022 File File Modification

Monitor for changes made to the checksum of the operating system file and verifying the image of the operating system in memory.[4][5] Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as Modify System Image.

References