T1550 Use Alternate Authentication Material Mappings

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1550 Use Alternate Authentication Material
AC-03 Access Enforcement Protects T1550 Use Alternate Authentication Material
AC-05 Separation of Duties Protects T1550 Use Alternate Authentication Material
AC-06 Least Privilege Protects T1550 Use Alternate Authentication Material
CM-05 Access Restrictions for Change Protects T1550 Use Alternate Authentication Material
CM-06 Configuration Settings Protects T1550 Use Alternate Authentication Material
IA-02 Identification and Authentication (organizational Users) Protects T1550 Use Alternate Authentication Material
DEF-SecScore-E3 Secure Score Technique Scores T1550 Use Alternate Authentication Material
DEF-SecScore-E3 Secure Score Technique Scores T1550 Use Alternate Authentication Material
DEF-SECA-E3 Security Alerts Technique Scores T1550 Use Alternate Authentication Material
DEF-LM-E5 Lateral Movements Technique Scores T1550 Use Alternate Authentication Material
DEF-IR-E5 Incident Response Technique Scores T1550 Use Alternate Authentication Material
DEF-SIM-E5 ATT&CK Simulation Training Technique Scores T1550 Use Alternate Authentication Material
DEF-SIM-E5 ATT&CK Simulation Training Technique Scores T1550 Use Alternate Authentication Material
DEF-AIR-E5 Automated Investigation and Response Technique Scores T1550 Use Alternate Authentication Material

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1550.003 Pass the Ticket 12
T1550.004 Web Session Cookie 4
T1550.002 Pass the Hash 10
T1550.001 Application Access Token 18