Common Information

Value: Two-Factor Authentication Interception - T1111
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
Misp Type: Cluster
Description:

Use of two- or multifactor authentication is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. Adversaries may target authentication mechanisms, such as smart cards, to gain access to systems, services, and network resources.

If a smart card is used for two-factor authentication (2FA), then a keylogger will need to be used to obtain the password associated with the smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)

Other methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although these authentication mechanisms are primarily targeted by cyber criminals, they have also been targeted by advanced actors. (Citation: Operation Emmental)

Other hardware tokens, such as RSA SecurID, require the adversary to have access to the physical device or the seed and algorithm in addition to the corresponding credentials.

Detection: Detecting use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior.

Platforms: Linux, macOS, Windows
Permissions Required: Administrator, SYSTEM
System Requirements:
- Smart card proxy: Use of smart cards for single or multifactor authentication to access network resources. Attached smart card reader with card inserted.
- Out-of-band one-time code: Access to the device, service, or communications to intercept the one-time code.
- Hardware token: Access to the seed and algorithm for generating one-time codes.
Contributors: John Lambert, Microsoft Threat Intelligence Center
Related CTI (Type / Published / Attributes / Title)

Website  2024-10-09   22  APT 40 Advisory PRC MSS Tradecraft In Action Summary
Website  2023-09-15  816  UNC3944: SMS Phishing, SIM Swapping, and Ransomware Attacks
Website  2023-07-25    6  APT Profile: Kimsuky - SOCRadar® Cyber Intelligence Inc.
Website  2023-03-02  199  Russia/Ukraine Update - February 2023
Website  2022-12-20  133  Russia/Ukraine Update - December 2022
Website  2022-11-29  132  Russia/Ukraine Update - November 2022
Website  2022-07-22  150  Old cat, new tricks, bad habits
Website  2022-06-10   76  Threat Attribution — Chimera “Under the Radar”
Website  2022-05-02   39  UNC3524: Eye Spy on Your Email | Mandiant
Website  2022-04-27   57  UNC2452 Merged into APT29 | Russia-Based Espionage Group
Website  2022-01-01   30  Threat Report
Website  2022-01-01   29  Threat Report
Website  2021-06-28   22  Nefilim Ransomware Attack Through a MITRE Att&ck Lens
Website  2021-04-21   36  Monitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03)
Website  2021-04-20  102  Authentication Bypass Techniques and Pulse Secure Zero-Day
Website  2021-01-12  216  Abusing cloud services to fly under the radar
Website  2021-01-12  215  Abusing cloud services to fly under the radar
Website  2019-04-30  281  Buhtrap backdoor and Buran ransomware distributed via major advertising platform | WeLiveSecurity