T1550 Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1550 Use Alternate Authentication Material
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.PS-06.01 Secure SDLC process Mitigates T1550 Use Alternate Authentication Material
    Comments
    This diagnostic statement provides for the implementation of secure development practices, such as implementing token binding strategies which can help prevent malicious use of application access tokens.
    References
      PR.AA-05.02 Privileged system access Mitigates T1550 Use Alternate Authentication Material
      Comments
      This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management and the use of multi-factor authentication.
      References
        DE.CM-06.02 Third-party access monitoring Mitigates T1550 Use Alternate Authentication Material
        Comments
        This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
        References
          PR.DS-02.01 Data-in-transit protection Mitigates T1550 Use Alternate Authentication Material
          Comments
          This diagnostic statement provide protection from adversaries that may possibly attack via alternate authentication methods. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
          References
            PR.PS-01.07 Cryptographic keys and certificates Mitigates T1550 Use Alternate Authentication Material
            Comments
            This diagnostic statement protects against Use Alternate Authentication Material through the use of revocation of keys and key management. Employing key protection strategies for key material used for identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to use alternate authentication material.
            References
              DE.CM-01.05 Website and service blocking Mitigates T1550 Use Alternate Authentication Material
              Comments
              This diagnostic statement provides for implementing tools and measures for such as allowing/denying types of third-party applications which can help prevent adversary use of alternate authentication material.
              References
                PR.AA-03.01 Authentication requirements Mitigates T1550 Use Alternate Authentication Material
                Comments
                This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
                References
                  PR.IR-01.06 Production environment segregation Mitigates T1550 Use Alternate Authentication Material
                  Comments
                  This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
                  References
                    PR.AA-01.01 Identity and credential management Mitigates T1550 Use Alternate Authentication Material
                    Comments
                    This diagnostic statement protects against Use Alternate Authentication Material through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
                    References
                      PR.PS-06.07 Development and operational process alignment Mitigates T1550 Use Alternate Authentication Material
                      Comments
                      This diagnostic statement protects against Use Alternate Authentication Material through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
                      References

                        NIST 800-53 Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        CM-06 Configuration Settings mitigates T1550 Use Alternate Authentication Material
                        CM-05 Access Restrictions for Change mitigates T1550 Use Alternate Authentication Material
                        IA-02 Identification and Authentication (Organizational Users) mitigates T1550 Use Alternate Authentication Material
                        AC-02 Account Management mitigates T1550 Use Alternate Authentication Material
                        AC-03 Access Enforcement mitigates T1550 Use Alternate Authentication Material
                        AC-05 Separation of Duties mitigates T1550 Use Alternate Authentication Material
                        AC-06 Least Privilege mitigates T1550 Use Alternate Authentication Material

                        VERIS Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550 Use Alternate Authentication Material
                        action.malware.variety.Pass-the-hash Pass-the-hash related-to T1550 Use Alternate Authentication Material
                        action.malware.vector.Network propagation Network propagation related-to T1550 Use Alternate Authentication Material

                        Azure Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        microsoft_sentinel Microsoft Sentinel technique_scores T1550 Use Alternate Authentication Material
                        Comments
                        This control provides minimal coverage of half of this technique's sub-techniques, without additional coverage of procedure examples, resulting in an overall score of Minimal.
                        References

                        GCP Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        identity_platform Identity Platform technique_scores T1550 Use Alternate Authentication Material
                        Comments
                        This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
                        References

                        AWS Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        aws_identity_and_access_management AWS Identity and Access Management technique_scores T1550 Use Alternate Authentication Material

                        M365 Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        DEF-ID-E5 Microsoft Defender for Identity Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        This control provides partial detection for some of this technique's sub-techniques (due to unknown false-positive/true-positive rate), resulting in a Partial score.
                        References
                        DEF-SECA-E3 Security Alerts Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
                        References
                        DEF-SSCO-E3 Secure Score Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)
                        References
                        DEF-SSCO-E3 Secure Score Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)
                        References
                        EID-IDSS-E3 Identity Secure Score Technique Scores T1550 Use Alternate Authentication Material
                        DEF-AIR-E5 Automated Investigation and Response Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc. Required licenses E5 or Microsoft Defender for Office 365 Plan 2 licenses.
                        References
                        DEF-IR-E5 Incident Response Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action. Microsoft 365 Defender Incident Response responds to use alternate authentication material attacks due to Incident Response monitoring for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, and suspicious account behavior across systems that share accounts. License Requirements: Microsoft Defender XDR
                        References
                        DEF-LM-E5 Lateral Movements Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts.
                        References
                        DEF-SIMT-E5 ATT&CK Simulation Training Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available: Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password. Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest. Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device. Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application. License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
                        References
                        DEF-SIMT-E5 ATT&CK Simulation Training Technique Scores T1550 Use Alternate Authentication Material
                        Comments
                        M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available: Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password. Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest. Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device. Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application. License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
                        References

                        ATT&CK Subtechniques

                        Technique ID Technique Name Number of Mappings
                        T1550.003 Pass the Ticket 20
                        T1550.004 Web Session Cookie 10
                        T1550.002 Pass the Hash 23
                        T1550.001 Application Access Token 31