T1550: Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

active_directory_certificate_services_attacks: PT-CR-2645: Cert_Explicit_Mapping_Reference_Adding: The ESC14 technique (scenario A) was used. A user obtained a TGT in the name of another user using explicit certificate mapping. Attackers can add an explicit certificate mapping referring to their account or certificate in the Alt-Security-Identities attribute of the target and gain access to system resources on behalf of the victim.

active_directory_certificate_services_attacks: PT-CR-2652: Enrollment_Agent_Cert_For_Low_Privilege_Groups: The ESC3 technique was used. Using a template, a user obtained a certificate that allows requesting a certificate on behalf of another user. This template is available to members of low-privileged groups without additional confirmation from the manager.

active_directory_certificate_services_attacks: PT-CR-2657: Cert_Application_Policy_Abuse: The ESC15 technique was used. A certificate was issued based on a version 1 template. This template allows arbitrary application policies to be added to the certificate request, and these take priority over the PKI-Extended-Key-Usage attributes specified in the template. An attacker can use this technique to extend the capabilities of the certificate.

active_directory_certificate_services_attacks: PT-CR-2646: Cert_Request_After_Account_Edit: The ESC14 technique (scenario B, C, or D) was used. A user requested a certificate after modifying the account parameters that determine the subject. Attackers can set the "cn", "mail", or "dNSHostName" attribute of a victim to match the explicit mapping of the target account and gain access to system resources on behalf of the target.

active_directory_certificate_services_attacks: PT-CR-2643: Cert_Subject_Name_Different_From_UPN: The ESC9 or ESC10 technique was used. A user requested a certificate after setting the userPrincipalName (UPN) attribute to a value that does not match their name. Attackers can use this certificate to act on behalf of the user specified in the UPN.

active_directory_certificate_services_attacks: PT-CR-2641: Cert_Compromise_Via_NTLM_Relay: The ESC8 or ESC11 technique was used. As a result of an NTLM relay attack on a CA, a certificate was obtained in the name of the target account. Using this certificate, attackers can act at the victim's privilege level.

active_directory_certificate_services_attacks: PT-CR-2470: Cert_Request_And_Approved_With_Alt_SAN: A certificate with an alternative name was requested for an account. An attacker can use misconfigured AD CS certificate templates to impersonate an administrator and create additional authentication certificates.

active_directory_certificate_services_attacks: PT-CR-830: Cert_Allowed_Alt_SAN: A certificate has been requested that allows an alternative SubjectAccountName parameter to be set. Using this certificate will allow an attacker to impersonate another user, including the domain administrator.

active_directory_attacks: PT-CR-833: DC_Auth_With_Pfx: A user requested a ticket-granting ticket (TGT) using a certificate or smart card. Attackers can use such a ticket to obtain the NTLM hash of an account and carry out a Pass the Hash or Silver Ticket attack.
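Several of the rules above (PT-CR-2470, PT-CR-830) key on a certificate being issued with a subject alternative name that belongs to someone other than the requester. The following is an added example, not a Positive Technologies rule or MaxPatrol code: it parses constructed records loosely modelled on the requester and request-attribute fields of a CA issuance event and flags every certificate whose client-supplied SAN UPN does not match the requesting account. The domain suffix and the record layout are assumptions for the example.

```python
import re

# Constructed records, loosely modelled on the fields a CA issuance event
# exposes (requester, template, client-supplied request attributes).
# These are not real logs.
ISSUED_CERTS = [
    {"requester": "CORP\\jdoe", "template": "User", "attributes": ""},
    {"requester": "CORP\\jdoe", "template": "VulnTemplate",
     "attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@corp.local"},
    {"requester": "CORP\\svc-web", "template": "WebServer",
     "attributes": "SAN:dns=web01.corp.local&upn=svc-web@corp.local"},
    {"requester": "CORP\\bob", "template": "Machine",
     "attributes": "san:UPN=BOB@CORP.LOCAL"},
]

# A SAN request attribute is a "SAN:" line whose value is &-separated key=value pairs.
SAN_RE = re.compile(r"san:([^\n]*)", re.IGNORECASE)


def san_upns(attributes: str) -> list[str]:
    """Return every upn=... identity found in the SAN request attributes, lower-cased."""
    upns = []
    for match in SAN_RE.finditer(attributes):
        for part in match.group(1).split("&"):
            key, _, value = part.partition("=")
            if key.strip().lower() == "upn" and value.strip():
                upns.append(value.strip().lower())
    return upns


def requester_upn(requester: str, domain_suffix: str) -> str:
    """Normalise DOMAIN\\user to user@suffix so it can be compared with a SAN UPN."""
    user = requester.split("\\", 1)[-1]
    return f"{user}@{domain_suffix}".lower()


def alt_san_mismatches(events, domain_suffix="corp.local"):
    """Flag (requester, san_upn, template) wherever the supplied SAN names another identity.

    A SAN equal to the requester's own UPN is legitimate and is not reported."""
    findings = []
    for event in events:
        own = requester_upn(event["requester"], domain_suffix)
        for upn in san_upns(event["attributes"]):
            if upn != own:
                findings.append((event["requester"], upn, event["template"]))
    return findings
```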

Subtechniques

Detection

ID: DS0002
Data source and component: User Account: User Account Authentication
Description:

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

ID: DS0006
Data source and component: Web Credential: Web Credential Usage
Description:

Monitor for an attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202) that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

ID: DS0026
Data source and component: Active Directory: Active Directory Credential Request
Description:

Monitor requests for new ticket-granting tickets or service tickets sent to a Domain Controller (Windows EID 4768 and 4769 respectively) that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

ID: DS0015
Data source and component: Application Log: Application Log Content
Description:

Monitor for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

ID: DS0028
Data source and component: Logon Session: Logon Session Creation
Description:

Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.
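The three heuristics named above (one account fanning out to many hosts, many accounts landing on one host, logons at odd hours) can be run over logon-session records directly. This is an added example, not part of the original page: the records are constructed (timestamp, account, host) tuples, and the five-minute window, the thresholds and the 08:00 to 18:00 business day are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon-session records (timestamp, account, host); not real logs.
LOGONS = [
    ("2024-03-04 09:02:00", "alice", "WS01"),
    ("2024-03-04 09:05:00", "svc-backup", "FS01"),
    ("2024-03-04 09:06:30", "svc-backup", "FS02"),
    ("2024-03-04 09:07:10", "svc-backup", "DC01"),
    ("2024-03-04 09:07:40", "svc-backup", "WS07"),
    ("2024-03-04 02:14:00", "bob", "WS03"),
    ("2024-03-04 22:48:00", "alice", "WS01"),
    ("2024-03-04 14:00:00", "carol", "WS01"),
    ("2024-03-04 14:01:00", "dave", "WS01"),
    ("2024-03-04 14:02:00", "erin", "WS01"),
]


def _parse(rows):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, host) for ts, acct, host in rows]


def _fanout(triples, window, threshold):
    """For (ts, key, value) triples, return {key: n} for every key that is paired with
    at least `threshold` distinct values inside one sliding time window."""
    by_key = defaultdict(list)
    for ts, key, value in triples:
        by_key[key].append((ts, value))
    flagged = {}
    for key, items in by_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            distinct = {v for t, v in items[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged[key] = len(distinct)
                break
    return flagged


def accounts_on_many_hosts(rows, window=timedelta(minutes=5), min_hosts=3):
    """One account logged into several systems at (nearly) the same time."""
    return _fanout([(ts, acct, host) for ts, acct, host in _parse(rows)], window, min_hosts)


def hosts_with_many_accounts(rows, window=timedelta(minutes=5), min_accounts=3):
    """Several accounts logged into the same machine at (nearly) the same time."""
    return _fanout([(ts, host, acct) for ts, acct, host in _parse(rows)], window, min_accounts)


def off_hours_logons(rows, start_hour=8, end_hour=18):
    """Logons outside the assumed business day [start_hour, end_hour)."""
    return [(acct, host) for ts, acct, host in _parse(rows) if not start_hour <= ts.hour < end_hour]
```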

Mitigation

ID: M1013
Name: Application Developer Guidance
Description:

Consider implementing token binding strategies, such as Azure AD token protection or OAuth Proof of Possession, that cryptographically bind a token to a secret. This may prevent the token from being used without knowledge of the secret or possession of the device the token is tied to.

ID: M1015
Name: Active Directory Configuration
Description:

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

ID: M1018
Name: User Account Management
Description:

Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems.

ID: M1026
Name: Privileged Account Management
Description:

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.

ID: M1027
Name: Password Policies
Description:

Set and enforce secure password policies for accounts.

ID: M1047
Name: Audit
Description:

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.