- Tactics
- defense-impairment , Persistence , Credential Access
- Platforms
- Network Devices
- Reference
- attack.mitre.org/techniques/T1556.004
Description
Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.
Modify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the defense-impairment, Persistence, Credential Access tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1003 — OS Credential Dumping
- T1037 — Boot or Logon Initialization Scripts
- T1040 — Network Sniffing
- T1053 — Scheduled Task/Job
- T1056 — Input Capture
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1110 — Brute Force
- T1111 — Multi-Factor Authentication Interception
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1136 — Create Account