Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)
Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides secure application development, such as implementing token binding strategies to help prevent the malicious use of application access tokens.
References
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides for the implementation of secure development practices, such as implementing token binding strategies which can help prevent malicious use of application access tokens.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provide protection from adversaries that may possibly attack via alternate authentication methods. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of revocation of keys and key management. Employing key protection strategies for key material used for identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to use alternate authentication material.
References
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides for implementing tools and measures for such as allowing/denying types of third-party applications which can help prevent adversary use of alternate authentication material.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1550 | Use Alternate Authentication Material | |
| CM-05 | Access Restrictions for Change | mitigates | T1550 | Use Alternate Authentication Material | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-02 | Account Management | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-03 | Access Enforcement | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-05 | Separation of Duties | mitigates | T1550 | Use Alternate Authentication Material | |
| AC-06 | Least Privilege | mitigates | T1550 | Use Alternate Authentication Material |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1550 | Use Alternate Authentication Material | |
| action.malware.variety.Pass-the-hash | Pass-the-hash | related-to | T1550 | Use Alternate Authentication Material | |
| action.malware.vector.Network propagation | Network propagation | related-to | T1550 | Use Alternate Authentication Material |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| identity_platform | Identity Platform | technique_scores | T1550 | Use Alternate Authentication Material |
Comments
This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1550 | Use Alternate Authentication Material |
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1550.003 | Pass the Ticket | 17 |
| T1550.004 | Web Session Cookie | 9 |
| T1550.002 | Pass the Hash | 18 |
| T1550.001 | Application Access Token | 29 |