T1550

Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or a...

Platforms: Windows, SaaS, IaaS, Containers, Identity Provider, Office Suite, Linux

48 Detections, 3 Sources, 0 Threat Actors

BY SOURCE: 39 elastic, 5 splunk_escu, 4 sigma

PROCEDURES (36)

Aws: 3 detections (auto-extracted for "aws")
Bypass: 3 detections (auto-extracted for "bypass")
Powershell: 3 detections (auto-extracted for "powershell")
Persist: 3 detections (auto-extracted for "persist")
Suspicious: 2 detections (auto-extracted for "suspicious")
Cloud: 2 detections (auto-extracted for "cloud")
Unusual: 2 detections (auto-extracted for "unusual")
Lsass: 2 detections (auto-extracted for "lsass")
Impersonat: 1 detection (auto-extracted for "impersonat")
Azure: 1 detection (auto-extracted for "azure")
Cloud: 1 detection (auto-extracted for "cloud")
Privilege: 1 detection (auto-extracted for "privilege")
Pass The Hash: 1 detection (auto-extracted for "pass the hash")
Kubernetes: 1 detection (auto-extracted for "kubernetes")
Token: 1 detection (auto-extracted for "token")
Email: 1 detection (auto-extracted for "email")
Azure: 1 detection (auto-extracted for "azure")
Token: 1 detection (auto-extracted for "token")
Kubernetes: 1 detection (auto-extracted for "kubernetes")
Kerbero: 1 detection (auto-extracted for "kerbero")
Network Connection Monitoring: 1 detection (auto-extracted for "network connection monitoring")
Pass The Hash: 1 detection (auto-extracted for "pass the hash")
Powershell: 1 detection (auto-extracted for "powershell")
Container: 1 detection (auto-extracted for "container")
Unusual: 1 detection (auto-extracted for "unusual")
Oauth: 1 detection (auto-extracted for "oauth")
Privilege: 1 detection (auto-extracted for "privilege")
Authentication Monitoring: 1 detection (auto-extracted for "authentication monitoring")
Suspicious: 1 detection (auto-extracted for "suspicious")
Credential: 1 detection (auto-extracted for "credential")
Bypass: 1 detection (auto-extracted for "bypass")
Persist: 1 detection (auto-extracted for "persist")
Container: 1 detection (auto-extracted for "container")
Impersonat: 1 detection (auto-extracted for "impersonat")
Email: 1 detection (auto-extracted for "email")
Phish: 1 detection (auto-extracted for "phish")

DETECTIONS (48)

AWS Bedrock Invoke Model Access Denied [splunk_escu]
AWS EC2 Instance Console Login via Assumed Role [elastic, high]
AWS First Occurrence of STS GetFederationToken Request by User [elastic, medium]
AWS STS AssumeRole Misuse [sigma, low]
AWS STS AssumeRole with New MFA Device [elastic, low]
AWS STS GetSessionToken Misuse [sigma, low]
AWS STS Role Assumption by Service [elastic, low]
AWS STS Role Assumption by User [elastic, low]
AWS STS Role Chaining [elastic, medium]
AWS Suspicious SAML Activity [sigma, medium]
Direct Interactive Kubernetes API Request Detected via Defend for Containers [elastic, low]
Entra ID Actor Token User Impersonation Abuse [elastic, medium]
Entra ID ADRS Token Request by Microsoft Authentication Broker [elastic, medium]
Entra ID Concurrent Sign-in with Suspicious Properties [elastic, high]
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource [elastic, medium]
Entra ID OAuth Device Code Grant by Microsoft Authentication Broker [elastic, medium]
Entra ID OAuth Device Code Grant by Unusual User [elastic, medium]
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) [elastic, high]
Entra ID OAuth Phishing via First-Party Microsoft Application [elastic, medium]
Entra ID OAuth PRT Issuance to Non-Managed Device Detected [elastic, medium]
Entra ID OAuth User Impersonation to Microsoft Graph [elastic, medium]
Entra ID OAuth user_impersonation Scope for Unusual User and Client [elastic, medium]
Entra ID Service Principal Federated Credential Authentication by Unusual Client [elastic, medium]
Entra ID User Sign-in with Unusual Authentication Type [elastic, medium]
Entra ID User Sign-in with Unusual Client [elastic, medium]
First Time Seen Google Workspace OAuth Login from Third-Party Application [elastic, medium]
Kerberos TGT Request Using RC4 Encryption [splunk_escu]
Kerberos Traffic from Unusual Process [elastic, medium]
Kubeconfig File Creation or Modification [elastic, medium]
Local Account TokenFilter Policy Disabled [elastic, medium]
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs [elastic, high]
Microsoft Graph Request Email Access by Unusual User and Client [elastic, medium]
Microsoft Graph Request User Impersonation by Unusual Client [elastic, low]
Multiple Device Token Hashes for Single Okta Session [elastic, medium]
Multiple Okta Sessions Detected for a Single User [elastic, medium]
Okta AiTM Session Cookie Replay [elastic, high]
Outgoing Logon with New Credentials [sigma, low]
Potential Impersonation Attempt via Kubectl [elastic, medium]
Potential Kerberos Attack via Bifrost [elastic, high]
Potential Kerberos Relay Attack against a Computer Account [elastic, high]
Potential Pass-the-Hash (PtH) Attempt [elastic, medium]
Potential PowerShell Pass-the-Hash/Relay Script [elastic, high]
Service Account Token or Certificate Access Followed by Kubernetes API Request [elastic, medium]
Suspicious Kerberos Authentication Ticket Request [elastic, high]
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials [elastic, medium]
Unknown Process Using The Kerberos Protocol [splunk_escu]
Windows AD Suspicious Attribute Modification [splunk_escu]
Windows Steal Authentication Certificates - ESC1 Authentication [splunk_escu]