DET0104: Detect Modification of Authentication Processes Across Platforms
Analyst context for executives and security teams
DET0104 is a detection strategy for finding changes to authentication processes associated with ATT&CK T1556, Modify Authentication Process. The business significance is high because authentication mechanisms sit in the path of user access, privileged access, and credential validation. Unauthorized changes can support persistence, credential access, or defense impairment, so leaders should treat this as an identity and endpoint control-validation problem, not only a malware alerting problem.
Executive priority
Prioritize evidence that your organization can notice, explain, and reverse changes to authentication mechanisms across the environments relevant to the related technique: IaaS, identity providers, Linux, and macOS. This supports incident decision-making, privileged-access governance, audit evidence, and continuity planning because a compromised authentication path can undermine normal account controls and response confidence.
Technical view
SOC, detection engineering, and IR teams should validate monitoring around privileged modifications to authentication configuration, authentication plugins/modules, identity-provider settings, and cloud/IaaS authentication-related controls. Because the supplied DET0104 object has no official detection text or platform list, implementation should be scoped from the related T1556 context and local architecture. Treat authorized administration, patching, identity platform changes, and endpoint management activity as expected false-positive sources that require change-ticket and administrator correlation.
Likely telemetry
- Identity provider administrative audit logs and configuration-change history
- IaaS/cloud control-plane logs for authentication, federation, role, or access-policy changes
- Endpoint security logs and file/configuration integrity telemetry for authentication-related components on Linux and macOS
- Privileged account activity, administrator session, and command/change execution records
- Change-management records to distinguish approved authentication changes from unexplained modifications
Detection direction
- Baseline approved authentication mechanisms, modules, plugins, policies, and identity-provider configurations before relying on alert logic.
- Alert on privileged or unusual changes to authentication paths and correlate with administrator identity, source system, time window, and approved change records.
- Tune for legitimate platform administration, OS updates, identity-provider maintenance, and security tool deployments to reduce noisy detections.
- Validate telemetry retention and completeness in identity provider, IaaS, Linux, and macOS environments named in the related ATT&CK context.
- Use the relationship to T1556 to enrich triage: unexplained authentication changes should raise priority when seen with persistence, credential-access, or defense-impairment indicators.
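The baseline-then-correlate workflow described in the detection direction above, written out as an added example (this is not code from the DET0104 object, MITRE, or Glexia). It hashes known-good contents of authentication-related configuration files, compares each observed modification against that baseline, and only suppresses a change when the actor, path, and time window all match an approved change record; file contents, hostnames, account names, and ticket identifiers are constructed sample data.

```python
"""Baseline-and-diff check for authentication configuration with change-ticket correlation.

Added example for the detection direction above; all paths, file contents, actors,
hosts and ticket IDs are constructed sample data, not real telemetry.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ConfigEvent:
    """One observed write to an authentication-related file (constructed telemetry)."""
    path: str
    content: str          # file content after the write
    actor: str            # account that performed the write
    host: str
    observed_at: datetime


@dataclass
class ChangeTicket:
    """An approved change record from change management (constructed)."""
    ticket_id: str
    paths: set
    approved_actors: set
    window_start: datetime
    window_end: datetime


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each in-scope path to the SHA-256 of its approved content."""
    return {path: sha256(content) for path, content in files.items()}


def find_ticket(event: ConfigEvent, tickets: list):
    """Return the ticket that explains this event, if path, actor and time window all match."""
    for t in tickets:
        if (event.path in t.paths and event.actor in t.approved_actors
                and t.window_start <= event.observed_at <= t.window_end):
            return t
    return None


def evaluate(events: list, baseline: dict, tickets: list) -> list:
    """Classify each event as unchanged, approved, or unexplained (escalate the last)."""
    findings = []
    for ev in events:
        if baseline.get(ev.path) == sha256(ev.content):
            findings.append({"path": ev.path, "status": "unchanged"})
            continue
        ticket = find_ticket(ev, tickets)
        if ticket is not None:
            findings.append({"path": ev.path, "status": "approved",
                             "ticket": ticket.ticket_id, "actor": ev.actor})
        else:
            # No approved record covers this actor, path and time: raise priority.
            findings.append({"path": ev.path, "status": "unexplained", "actor": ev.actor,
                             "host": ev.host, "severity": "high"})
    return findings


def run_sample() -> list:
    """Run the check over constructed data; returns the findings list."""
    # Constructed known-good contents captured during the baselining step.
    baseline = build_baseline({
        "/etc/pam.d/sshd": "auth required pam_unix.so\naccount required pam_unix.so\n",
        "/etc/pam.d/sudo": "auth required pam_unix.so\n",
    })
    tickets = [ChangeTicket("CHG-0001", {"/etc/pam.d/sudo"}, {"svc-ansible"},
                            datetime(2026, 1, 15, 8, 0), datetime(2026, 1, 15, 10, 0))]
    events = [
        # Unchanged file: hash matches baseline.
        ConfigEvent("/etc/pam.d/sshd", "auth required pam_unix.so\naccount required pam_unix.so\n",
                    "root", "lin-app-01", datetime(2026, 1, 15, 9, 5)),
        # Approved: right actor, right path, inside the ticket window.
        ConfigEvent("/etc/pam.d/sudo", "auth required pam_unix.so\nsession optional pam_example.so\n",
                    "svc-ansible", "lin-app-01", datetime(2026, 1, 15, 9, 30)),
        # Unexplained: no ticket covers this path or actor.
        ConfigEvent("/etc/pam.d/sshd", "auth required pam_unix.so\nauth optional pam_example.so\n",
                    "root", "lin-app-01", datetime(2026, 1, 15, 11, 45)),
        # Unexplained: approved actor and path, but outside the approved window.
        ConfigEvent("/etc/pam.d/sudo", "auth required pam_unix.so\nsession optional pam_example.so\n",
                    "svc-ansible", "lin-app-02", datetime(2026, 1, 15, 12, 0)),
    ]
    return evaluate(events, baseline, tickets)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The fourth event is the case worth noting: an approved administrator touching an in-scope file outside its change window is still treated as unexplained, because correlation is on the combination of actor, path, and time rather than on the actor alone.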
Mitigation priorities
- Restrict who can modify authentication mechanisms and identity-provider settings using least privilege and strong administrative authentication.
- Require documented change control and peer review for authentication-process modifications.
- Enable configuration integrity monitoring and administrative audit logging for in-scope identity, cloud, and host authentication components.
- Prepare IR procedures to verify authentication integrity, identify unauthorized changes, and restore known-good configurations.
- Periodically test whether SOC workflows can detect and escalate unauthorized authentication-process changes using safe, approved validation methods.
Analyst notes and limits
This analysis is based on the DET0104 detection-strategy object and its relationship to T1556, Modify Authentication Process. The related technique provides the practical context: defense impairment, persistence, and credential access across IaaS, Identity Provider, Linux, and macOS. Local architecture determines which authentication paths and logs are material.
The DET0104 object does not provide an official description, official detection text, tactics, or platforms. Recommendations are therefore conservative and relationship-driven; they should be validated against the organization’s actual identity, cloud, and endpoint estate before being used as coverage claims.
Detect Modification of Authentication Processes Across Platforms
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1556 | Modify Authentication Process | This object detects Modify Authentication Process. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5a1bf9a62b0d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0104
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.