T1550 Use Alternate Authentication Material Mappings

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1550 Use Alternate Authentication Material
CM-05 Access Restrictions for Change mitigates T1550 Use Alternate Authentication Material
IA-02 Identification and Authentication (Organizational Users) mitigates T1550 Use Alternate Authentication Material
AC-02 Account Management mitigates T1550 Use Alternate Authentication Material
AC-03 Access Enforcement mitigates T1550 Use Alternate Authentication Material
AC-05 Separation of Duties mitigates T1550 Use Alternate Authentication Material
AC-06 Least Privilege mitigates T1550 Use Alternate Authentication Material

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550 Use Alternate Authentication Material
action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550 Use Alternate Authentication Material
action.malware.vector.Network propagation Network propagation related-to T1550 Use Alternate Authentication Material

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
identity_platform Identity Platform technique_scores T1550 Use Alternate Authentication Material
Comments
This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
References

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_identity_and_access_management AWS Identity and Access Management technique_scores T1550 Use Alternate Authentication Material

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1550.003 Pass the Ticket 12
T1550.004 Web Session Cookie 6
T1550.002 Pass the Hash 12
T1550.001 Application Access Token 20