EXPLORE
← Back to Explore
T1550

Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or a...

ContainersIaaSIdentity ProviderLinuxOffice SuiteSaaSWindows
66
Detections
5
Sources
0
Threat Actors

BY SOURCE

54elastic5splunk_escu4sigma2crowdstrike_cql1kql

PROCEDURES (42)

Persist4 detections

Auto-extracted: 4 detections for persist

Aws4 detections

Auto-extracted: 4 detections for aws

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Azure3 detections

Auto-extracted: 3 detections for azure

Bypass3 detections

Auto-extracted: 3 detections for bypass

Powershell3 detections

Auto-extracted: 3 detections for powershell

Unusual2 detections

Auto-extracted: 2 detections for unusual

Service2 detections

Auto-extracted: 2 detections for service

Credential2 detections

Auto-extracted: 2 detections for credential

Container2 detections

Auto-extracted: 2 detections for container

Unusual2 detections

Auto-extracted: 2 detections for unusual

Credential1 detections

Auto-extracted: 1 detections for credential

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Persist1 detections

Auto-extracted: 1 detections for persist

Cloud1 detections

Auto-extracted: 1 detections for cloud

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Cloud1 detections

Auto-extracted: 1 detections for cloud

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Container1 detections

Auto-extracted: 1 detections for container

Token1 detections

Auto-extracted: 1 detections for token

Oauth1 detections

Auto-extracted: 1 detections for oauth

Oauth1 detections

Auto-extracted: 1 detections for oauth

Email1 detections

Auto-extracted: 1 detections for email

Token1 detections

Auto-extracted: 1 detections for token

Persist1 detections

Auto-extracted: 1 detections for persist

Email1 detections

Auto-extracted: 1 detections for email

Api1 detections

Auto-extracted: 1 detections for api

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Azure1 detections

Auto-extracted: 1 detections for azure

Dump1 detections

Auto-extracted: 1 detections for dump

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Service1 detections

Auto-extracted: 1 detections for service

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Dump1 detections

Auto-extracted: 1 detections for dump

Powershell1 detections

Auto-extracted: 1 detections for powershell

Container1 detections

Auto-extracted: 1 detections for container

Credential1 detections

Auto-extracted: 1 detections for credential

DETECTIONS (66)

Application Consent Grant (Microsoft Entra ID)
crowdstrike_cql
AWS Bedrock Invoke Model Access Denied
splunk_escu
AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
elastichigh
AWS EC2 Instance Console Login via Assumed Role
elastichigh
AWS First Occurrence of STS GetFederationToken Request by User
elastichigh
AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
elastichigh
AWS STS AssumeRole Misuse
sigmalow
AWS STS AssumeRole with New MFA Device
elasticlow
AWS STS GetFederationToken with AdministratorAccess in Request
elastichigh
AWS STS GetSessionToken Misuse
sigmalow
AWS STS Role Assumption by Service
elasticlow
AWS STS Role Assumption by User
elasticlow
AWS STS Role Chaining
elasticmedium
AWS Suspicious SAML Activity
sigmamedium
Azure AD Graph Access with Unusual Client and User
elasticmedium
Device Code Sign-In
crowdstrike_cql
Direct Interactive Kubernetes API Request Detected via Defend for Containers
elasticlow
Entra ID Actor Token User Impersonation Abuse
elasticmedium
Entra ID ADRS Token Request by Microsoft Authentication Broker
elasticmedium
Entra ID AiTM Phishing-Kit Chain Detected
elastichigh
Entra ID Concurrent Sign-in with Suspicious Properties
elastichigh
Entra ID Kali365 Default User-Agent Detected
elastichigh
Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN
elastichigh
Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource
elastichigh
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
elasticmedium
Entra ID OAuth Device Code Grant by Microsoft Authentication Broker
elasticmedium
Entra ID OAuth Device Code Grant by Unusual User
elasticmedium
Entra ID OAuth Device Code Phishing via AiTM
elastichigh
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
elastichigh
Entra ID OAuth Phishing via First-Party Microsoft Application
elasticmedium
Entra ID OAuth PRT Issuance to Non-Managed Device Detected
elasticmedium
Entra ID OAuth User Impersonation to Microsoft Graph
elasticmedium
Entra ID OAuth user_impersonation Scope for Unusual User and Client
elasticmedium
Entra ID Service Principal Federated Credential Authentication by Unusual Client
elastichigh
Entra ID Temporary Access Pass Created for User
elastichigh
Entra ID User Sign-in with Unusual Authentication Type
elasticmedium
Entra ID User Sign-in with Unusual Client
elasticmedium
First Time Seen Google Workspace OAuth Login from Third-Party Application
elasticmedium
Kerberos attacks
kql
Kerberos TGT Request Using RC4 Encryption
splunk_escu
Kerberos Traffic from Unusual Process
elasticmedium
Kubeconfig File Creation or Modification
elasticmedium
Kubernetes API Server Proxying Request to Kubelet
elasticmedium
Local Account TokenFilter Policy Disabled
elasticmedium
M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device)
elasticmedium
M365 Identity Device Code Grant with Unusual User and ASN
elastichigh
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
elastichigh
Microsoft Graph Email Access by Unusual User and Client
elasticmedium
Microsoft Graph Request User Impersonation by Unusual Client
elasticlow
Multiple Device Token Hashes for Single Okta Session
elasticmedium
Multiple Okta Sessions Detected for a Single User
elasticmedium
Okta AiTM Session Cookie Replay
elastichigh
Outgoing Logon with New Credentials
sigmalow
Potential Impersonation Attempt via Kubectl
elasticmedium
Potential Invoke-Mimikatz PowerShell Script
elasticcritical
Potential Kerberos Attack via Bifrost
elastichigh
Potential Kerberos Relay Attack against a Computer Account
elastichigh
Potential Pass-the-Hash (PtH) Attempt
elasticmedium
Potential PowerShell Pass-the-Hash/Relay Script
elastichigh
Service Account Token or Certificate Access Followed by Kubernetes API Request
elasticmedium
Suspicious Kerberos Authentication Ticket Request
elastichigh
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
elasticmedium
Unknown Process Using The Kerberos Protocol
splunk_escu
Unusual Process Connection to Docker or Containerd Socket
elasticmedium
Windows AD Suspicious Attribute Modification
splunk_escu
Windows Steal Authentication Certificates - ESC1 Authentication
splunk_escu