authentication.dll

  • File Path: C:\Windows\system32\authentication.dll
  • Description: Authentication

Hashes

Type     Hash
MD5      51D051FECAE94C645E4473DD93D86D87
SHA1     F5F321A0A0127FDC75281125250B6F6D558F2742
SHA256   D123DDBA77CC0B84C355457D71EDAD5586783F62E87F016C1C002F5DEECEB9D6
SHA384   444BB8F2473ADBD247F74449CAD477AD4B10AE0AD1AB76A8D2837CEB22065B9724DA1EC4E1CC27010BA8156A8A4BE00F
SHA512   CFFE9B19485FBEBD27C5D95ADAD6902BD39E4A2BF824EA0A63E33B40A5E7FE7BDA1B84955295A0A2B538846720AEFE0EB6E9F49594401B4C2FF58E4263B4D01F
SSDEEP   1536:mXJr9d/oMBLgQoDKrhj8kQSA88cxynslWZv3:4HoELgQjhjXyslI3
IMP      21A9B4B7BC6547458B49EF86D8C15D9E
PESHA1   68715897DAAF6D6CB57FA505037AEF779F7DB341
PE256    17CCC3D76445D2231ED0CB5DEAA27791FFDDC95EA2113D83567649901E2B0613

DLL Exports:

Function Name                     Ordinal   Type
GetAccountType                    1         Exported Function
RequestTicketWithoutWindow        3         Exported Function
RequestTicketWithWindow           2         Exported Function
AuthzGetAccountType               4         Exported Function
AuthzRequestTicketWithoutWindow   6         Exported Function
AuthzRequestTicketWithWindow      5         Exported Function

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Authentication.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/d123ddba77cc0b84c355457d71edad5586783f62e87f016c1c002f5deeceb9d6/detection/

Possible Misuse

The following table contains possible examples of authentication.dll being misused. While authentication.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each row gives the source repository, the source file, the matching excerpt, and the license under which that source is published.

Source Source File Example License
sigma cleartext_protocols.yml description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption DRL 1.0
sigma generic_brute_force.yml description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity DRL 1.0
sigma generic_brute_force.yml category: authentication DRL 1.0
sigma lnx_susp_failed_logons_single_source.yml pam_message: authentication failure DRL 1.0
sigma cisco_cli_local_accounts.yml description: Find local accounts being created or modified as well as remote authentication configurations DRL 1.0
sigma cisco_cli_local_accounts.yml - When remote authentication is in place, this should not change often DRL 1.0
sigma zeek-dce_rpc_domain_user_enumeration.yml - Devices that may do authentication like a VPN or a firewall that looksup IPs to username DRL 1.0
sigma web_solarwinds_cve_2020_10148.yml description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts DRL 1.0
sigma win_metasploit_authentication.yml title: Metasploit SMB Authentication DRL 1.0
sigma win_susp_failed_logon_reasons.yml - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine DRL 1.0
sigma sysmon_abusing_azure_browser_sso.yml description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user. DRL 1.0
malware-ioc misp-dukes-operation-ghost-event.json "Authentication logs", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.", © ESET 2014-2018
malware-ioc misp_invisimole.json "Authentication logs", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.\n\nDetection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe<\/code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe<\/code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\\System32\\Tasks<\/code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler\/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)\n\n*Event ID 106 - Scheduled task registered\n*Event ID 140 - Scheduled task updated\n*Event ID 141 - Scheduled task removed\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs\n\nEffective Permissions: Administrator, SYSTEM, User\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: Yes\n\nContributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security", © ESET 2014-2018
malware-ioc misp-powerpool.json "description": "Pass the hash (PtH)[[Citation: Aorato PTH]] is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a [[Credential Access]] technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. \n\nWindows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.[[Citation: NSA Spotting]]\n\nDetection: Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Authentication logs", © ESET 2014-2018
malware-ioc misp-powerpool.json "Authentication logs" © ESET 2014-2018
malware-ioc sshdoor.yar $log = "Could not open a connection to your authentication agent.\n" © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nAdversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful. \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)\n\nDetection: Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Authentication logs, Process monitoring\n\nEffective Permissions: User, Administrator\n\nDefense Bypassed: Anti-virus, Firewall, Host intrusion prevention systems, Network intrusion detection system, Process whitelisting, System access controls\n\nPermissions Required: User, Administrator", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "Authentication logs", © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries may target user email to collect sensitive information from a target.\n\nFiles containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.\n\nAdversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.\n\nSome adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.\n\nDetection: There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows\n\nData Sources: Authentication logs, File monitoring, Process monitoring, Process use of network", © ESET 2014-2018
malware-ioc misp-turla-outlook-event.json "description": "Adversaries may target user email to collect sensitive information from a target.\n\nFiles containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.\n\nAdversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.\n\nSome adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.\n\nDetection: There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Authentication logs, File monitoring, Process monitoring, Process use of network", © ESET 2014-2018
malware-ioc misp-turla-outlook-event.json "Authentication logs", © ESET 2014-2018
malware-ioc skip20_sqllang_hook.yar description = "YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication." © ESET 2014-2018
atomic-red-team index.md - T1547.002 Authentication Package CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1556.001 Domain Controller Authentication CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1187 Forced Authentication CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1556 Modify Authentication Process CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1556.004 Network Device Authentication CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1111 Two-Factor Authentication Interception CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - T1550 Use Alternate Authentication Material CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1556 Modify Authentication Process CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1556.004 Network Device Authentication CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1111 Two-Factor Authentication Interception CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1550 Use Alternate Authentication Material CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1556 Modify Authentication Process CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1111 Two-Factor Authentication Interception CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1556.001 Domain Controller Authentication CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1187 Forced Authentication CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1556 Modify Authentication Process CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1111 Two-Factor Authentication Interception CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1547.002 Authentication Package CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1550 Use Alternate Authentication Material CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Hardware Additions CONTRIBUTE A TEST | Network Device CLI CONTRIBUTE A TEST | Browser Extensions | Domain Accounts CONTRIBUTE A TEST | Create Snapshot CONTRIBUTE A TEST | Exploitation for Credential Access CONTRIBUTE A TEST | Email Account CONTRIBUTE A TEST | Use Alternate Authentication Material CONTRIBUTE A TEST | Data Staged CONTRIBUTE A TEST | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Dead Drop Resolver CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Create Account CONTRIBUTE A TEST | Kernel Modules and Extensions | Disable Cloud Logs CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | Network Service Scanning | | Data from Local System CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Encrypted Channel CONTRIBUTE A TEST | Firmware Corruption CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Spearphishing via Service CONTRIBUTE A TEST | Source CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | LD_PRELOAD | Disable Crypto Hardware CONTRIBUTE A TEST | Network Device Authentication CONTRIBUTE A TEST | Network Share Discovery | | Data from Network Shared Drive CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Inhibit System Recovery CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Exchange Email Delegate Permissions CONTRIBUTE A TEST | Setuid and Setgid | Environmental Keying CONTRIBUTE A TEST | Pluggable Authentication Modules CONTRIBUTE A TEST | Security Software Discovery | | Local Data Staging | | Junk Data CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Local Account | Valid Accounts CONTRIBUTE A TEST | Hidden Files and Directories | Two-Factor Authentication Interception CONTRIBUTE A TEST | System Owner/User Discovery | | Screen Capture | | Non-Standard Encoding CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Server Software Component CONTRIBUTE A TEST | | Modify Authentication Process CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Transport Agent CONTRIBUTE A TEST | | Network Device Authentication CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | Web Shell CONTRIBUTE A TEST | | Pluggable Authentication Modules CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | | | | | Use Alternate Authentication Material CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | Supply Chain Compromise CONTRIBUTE A TEST | Scripting CONTRIBUTE A TEST | Emond | Hijack Execution Flow CONTRIBUTE A TEST | Environmental Keying CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | Permission Groups Discovery CONTRIBUTE A TEST | | GUI Input Capture | Exfiltration to Code Repository CONTRIBUTE A TEST | Encrypted Channel CONTRIBUTE A TEST | Firmware Corruption CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | | Visual Basic CONTRIBUTE A TEST | Launch Daemon | Local Accounts CONTRIBUTE A TEST | Hidden File System CONTRIBUTE A TEST | Pluggable Authentication Modules CONTRIBUTE A TEST | System Information Discovery | | Screen Capture | | Internal Proxy | Resource Hijacking | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | | | Logon Script (Mac) | Rc.common | Hide Artifacts CONTRIBUTE A TEST | Two-Factor Authentication Interception CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | | | | Multi-hop Proxy CONTRIBUTE A TEST | Stored Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | | | | | Modify Authentication Process CONTRIBUTE A TEST | | | | | | Traffic Signaling CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | | | | | Pluggable Authentication Modules CONTRIBUTE A TEST | | | | | | Web Service CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Local Accounts | Inter-Process Communication CONTRIBUTE A TEST | At (Windows) | Authentication Package CONTRIBUTE A TEST | Clear Command History | Credentials from Password Stores | Domain Trust Discovery | Remote Service Session Hijacking CONTRIBUTE A TEST | Data Staged CONTRIBUTE A TEST | Exfiltration Over Web Service CONTRIBUTE A TEST | Domain Fronting CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Phishing CONTRIBUTE A TEST | JavaScript/JScript CONTRIBUTE A TEST | Authentication Package CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Clear Linux or Mac System Logs | Credentials from Web Browsers | Email Account CONTRIBUTE A TEST | Remote Services CONTRIBUTE A TEST | Data from Cloud Storage Object CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Spearphishing Link CONTRIBUTE A TEST | Malicious File | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | COR_PROFILER | Code Signing CONTRIBUTE A TEST | Domain Controller Authentication CONTRIBUTE A TEST | Local Groups | SSH CONTRIBUTE A TEST | Data from Local System CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Inhibit System Recovery | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Supply Chain Compromise CONTRIBUTE A TEST | Native API | Browser Extensions | Cloud Accounts CONTRIBUTE A TEST | Compiled HTML File | Forced Authentication CONTRIBUTE A TEST | Network Share Discovery | Shared Webroot CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Transfer Data to Cloud Account CONTRIBUTE A TEST | Fast Flux DNS CONTRIBUTE A TEST | Network Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Python CONTRIBUTE A TEST | Cloud Account CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | Create Cloud Instance CONTRIBUTE A TEST | Group Policy Preferences | Peripheral Device Discovery CONTRIBUTE A TEST | Use Alternate Authentication Material CONTRIBUTE A TEST | GUI Input Capture | | Internal Proxy | Resource Hijacking | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Systemd Timers CONTRIBUTE A TEST | DLL Side-Loading | Emond | Disable Cloud Logs CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | System Network Configuration Discovery | | Remote Data Staging CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | User Execution CONTRIBUTE A TEST | Domain Account | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Disable Windows Event Logging | Network Device Authentication CONTRIBUTE A TEST | System Owner/User Discovery | | SNMP (MIB Dump) CONTRIBUTE A TEST | | Protocol Impersonation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Exchange Email Delegate Permissions CONTRIBUTE A TEST | Image File Execution Options Injection | Domain Controller Authentication CONTRIBUTE A TEST | Password Guessing | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | Steganography CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | External Remote Services | LC_LOAD_DYLIB Addition CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Pluggable Authentication Modules CONTRIBUTE A TEST | | | | | Traffic Signaling CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Launch Agent | Make and Impersonate Token CONTRIBUTE A TEST | File and Directory Permissions Modification CONTRIBUTE A TEST | Two-Factor Authentication Interception CONTRIBUTE A TEST | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Re-opened Applications | Services Registry Permissions Weakness | Modify Authentication Process CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Server Software Component CONTRIBUTE A TEST | Time Providers CONTRIBUTE A TEST | Network Device Authentication CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Trap | | Pluggable Authentication Modules CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Use Alternate Authentication Material CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | External Remote Services | Inter-Process Communication CONTRIBUTE A TEST | Authentication Package CONTRIBUTE A TEST | At (Windows) | CMSTP | Credentials from Password Stores | File and Directory Discovery | RDP Hijacking | Clipboard Data | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Data Encoding CONTRIBUTE A TEST | Direct Network Flood CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Hardware Additions CONTRIBUTE A TEST | JavaScript/JScript CONTRIBUTE A TEST | BITS Jobs | Authentication Package CONTRIBUTE A TEST | COR_PROFILER | Credentials from Web Browsers | Local Account | Remote Desktop Protocol | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Data Obfuscation CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Replication Through Removable Media CONTRIBUTE A TEST | Native API | Bootkit CONTRIBUTE A TEST | Bypass User Account Control | Code Signing CONTRIBUTE A TEST | Domain Controller Authentication CONTRIBUTE A TEST | Network Share Discovery | Replication Through Removable Media CONTRIBUTE A TEST | Data from Local System CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | COR_PROFILER | Change Default File Association | Compiled HTML File | Forced Authentication CONTRIBUTE A TEST | Password Policy Discovery | Shared Webroot CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Encrypted Channel | Firmware Corruption CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Trusted Relationship CONTRIBUTE A TEST | Scripting CONTRIBUTE A TEST | Component Object Model Hijacking CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | Create Process with Token CONTRIBUTE A TEST | Group Policy Preferences | Process Discovery | Use Alternate Authentication Material CONTRIBUTE A TEST | GUI Input Capture | | Fast Flux DNS CONTRIBUTE A TEST | Network Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | Windows Management Instrumentation | Domain Accounts CONTRIBUTE A TEST | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Disable or Modify Tools | Modify Authentication Process CONTRIBUTE A TEST | System Network Connections Discovery | | Remote Data Staging CONTRIBUTE A TEST | | Multiband Communication CONTRIBUTE A TEST | System Shutdown/Reboot | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Exchange Email Delegate Permissions CONTRIBUTE A TEST | Group Policy Modification CONTRIBUTE A TEST | Domain Controller Authentication CONTRIBUTE A TEST | Network Sniffing | System Service Discovery | | Screen Capture | | Non-Standard Encoding CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Network Logon Script CONTRIBUTE A TEST | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Hidden Files and Directories | Two-Factor Authentication Interception CONTRIBUTE A TEST | | | | | Traffic Signaling CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Scheduled Task | Thread Execution Hijacking CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Use Alternate Authentication Material CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md <blockquote>Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection) MIT License. © 2018 Red Canary
atomic-red-team T1040.md <blockquote>Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md <blockquote>Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: MIT License. © 2018 Red Canary
atomic-red-team T1070.002.md * /var/log/secure or /var/log/auth.log: Authentication logs MIT License. © 2018 Red Canary
atomic-red-team T1071.004.md The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) </blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1098.004.md <blockquote>Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user’s home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies. (Citation: Cylance Cleaver) MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md | auth | authentication method to choose between “NTLM” and “Kerberos” | string | NTLM| MIT License. © 2018 Red Canary
atomic-red-team T1110.003.md In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) MIT License. © 2018 Red Canary
atomic-red-team T1110.003.md | auth | authentication method to choose between “NTLM” and “Kerberos” | string | NTLM| MIT License. © 2018 Red Canary
atomic-red-team T1133.md <blockquote>Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. MIT License. © 2018 Red Canary
atomic-red-team T1482.md <blockquote>Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1546.014.md The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at /System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) MIT License. © 2018 Red Canary
atomic-red-team T1546.014.md Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1550.002.md <blockquote>Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md <blockquote>Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system. MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) MIT License. © 2018 Red Canary
atomic-red-team T1552.004.md <blockquote>Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. MIT License. © 2018 Red Canary
atomic-red-team T1556.002.md <blockquote>Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. MIT License. © 2018 Red Canary
atomic-red-team T1558.001.md <blockquote>Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar description = "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server" CC BY-NC 4.0
signature-base apt_irontiger_trendmicro.yar $bla1 = "Authentication Package:" nocase wide ascii CC BY-NC 4.0
signature-base apt_irontiger_trendmicro.yar $bla2 = "Authentication Domain:" nocase wide ascii CC BY-NC 4.0
signature-base apt_triton_mal_sshdoor.yar $ac_log1 = "Could not open a connection to your authentication agent.\n" CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii CC BY-NC 4.0
signature-base gen_mimikatz.yar $s3 = "Authentication Id :" ascii fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = "//Authentication" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = " //Authentication" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = "//Authentication" fullword CC BY-NC 4.0

MIT License. Copyright (c) 2020 Strontic.