T1550 Use Alternate Authentication Material Mappings

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1550 Use Alternate Authentication Material
AC-3 Access Enforcement Protects T1550 Use Alternate Authentication Material
AC-5 Separation of Duties Protects T1550 Use Alternate Authentication Material
AC-6 Least Privilege Protects T1550 Use Alternate Authentication Material
CA-8 Penetration Testing Protects T1550 Use Alternate Authentication Material
CM-2 Baseline Configuration Protects T1550 Use Alternate Authentication Material
CM-5 Access Restrictions for Change Protects T1550 Use Alternate Authentication Material
CM-6 Configuration Settings Protects T1550 Use Alternate Authentication Material
IA-2 Identification and Authentication (organizational Users) Protects T1550 Use Alternate Authentication Material
IA-4 Identifier Management Protects T1550 Use Alternate Authentication Material
RA-5 Vulnerability Monitoring and Scanning Protects T1550 Use Alternate Authentication Material
SA-11 Developer Testing and Evaluation Protects T1550 Use Alternate Authentication Material
SA-15 Development Process, Standards, and Tools Protects T1550 Use Alternate Authentication Material
SI-4 System Monitoring Protects T1550 Use Alternate Authentication Material
azure_sentinel Azure Sentinel technique_scores T1550 Use Alternate Authentication Material
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1550 Use Alternate Authentication Material
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1550 Use Alternate Authentication Material

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1550.001 Application Access Token 14
T1550.002 Pass the Hash 11
T1550.003 Pass the Ticket 13
T1550.004 Web Session Cookie 3