Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)
Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1550 | Use Alternate Authentication Material | |
| CM-05 | Access Restrictions for Change | mitigates | T1550 | Use Alternate Authentication Material | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-02 | Account Management | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-03 | Access Enforcement | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-05 | Separation of Duties | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-06 | Least Privilege | mitigates | T1550 | Use Alternate Authentication Material |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1550 | Use Alternate Authentication Material | |
| action.malware.variety.Pass-the-hash | Pass-the-hash | related-to | T1550 | Use Alternate Authentication Material | |
| action.malware.vector.Network propagation | Network propagation | related-to | T1550 | Use Alternate Authentication Material |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| identity_platform | Identity Platform | technique_scores | T1550 | Use Alternate Authentication Material |
Comments
This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1550 | Use Alternate Authentication Material |
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1550.003 | Pass the Ticket | 12 |
| T1550.004 | Web Session Cookie | 6 |
| T1550.002 | Pass the Hash | 12 |
| T1550.001 | Application Access Token | 20 |