Description
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, PIN, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)
Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.
Sub-Techniques (4)
| ID | Name |
|---|---|
| | Application Access Token |
| T1550.002 | Pass the Hash |
| T1550.003 | Pass the Ticket |
| T1550.004 | Web Session Cookie |
Mitigations (7)
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M1027 | Password Policies | Set and enforce secure password policies for accounts. |
| M1036 | Account Use Policies | Where possible, consider restricting the use of authentication material outside of expected contexts. |
| M1026 | Privileged Account Management | Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. |
| M1015 | Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
| M1013 | Application Developer Guidance | Consider implementing token binding strategies, such as Azure AD token protection or OAuth Proof of Possession, that cryptographically bind a token to a secret. This may prevent the token from being used without knowledge of the secret or possession of the device the token is tied to.(Citation: Microsoft Token Protection 2023)(Citation: Okta DPoP 2023) |
| M1018 | User Account Management | Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems. |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661) can allow abuse of a compromised AD FS server's SAML token.(Citation: MSTIC FoggyWeb September 202... |
References
- NIST. (n.d.). Authentication. Retrieved January 30, 2020.
- NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September 25, 2024.
Frequently Asked Questions
What is T1550 (Use Alternate Authentication Material)?
T1550 is a MITRE ATT&CK technique named 'Use Alternate Authentication Material'. It belongs to the Lateral Movement tactic(s). Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal syst...
How can T1550 be detected?
Detection of T1550 (Use Alternate Authentication Material) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1550?
There are 7 documented mitigations for T1550. Key mitigations include: Audit, Password Policies, Account Use Policies, Privileged Account Management, Active Directory Configuration.
Which threat groups use T1550?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.