T1550

Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or a...

Platforms: Containers, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows

Detections: 61
Sources: 5
Threat Actors: 0

BY SOURCE

elastic: 49, splunk_escu: 5, sigma: 4, crowdstrike_cql: 2, kql: 1

PROCEDURES (42)

Each line gives an auto-extracted procedure keyword and the number of detections tagged with it.

Aws: 4 detections (auto-extracted)
Phish: 3 detections (auto-extracted)
Powershell: 3 detections (auto-extracted)
Suspicious: 3 detections (auto-extracted)
Persist: 3 detections (auto-extracted)
Bypass: 3 detections (auto-extracted)
Unusual: 2 detections (auto-extracted)
Unusual: 2 detections (auto-extracted)
Azure: 2 detections (auto-extracted)
Container: 2 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Oauth: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Oauth: 1 detection (auto-extracted)
Privilege: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Phish: 1 detection (auto-extracted)
Powershell: 1 detection (auto-extracted)
Kubernetes: 1 detection (auto-extracted)
Credential: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Cloud: 1 detection (auto-extracted)
Cloud Monitoring: 1 detection (auto-extracted)
Impersonat: 1 detection (auto-extracted)
Impersonat: 1 detection (auto-extracted)
Container: 1 detection (auto-extracted)
Dump: 1 detection (auto-extracted)
Cloud: 1 detection (auto-extracted)
Privilege: 1 detection (auto-extracted)
Command Line Monitoring: 1 detection (auto-extracted)
Kubernetes: 1 detection (auto-extracted)
Container: 1 detection (auto-extracted)
Token: 1 detection (auto-extracted)
Email: 1 detection (auto-extracted)
Azure: 1 detection (auto-extracted)
Token: 1 detection (auto-extracted)
Authentication Monitoring: 1 detection (auto-extracted)
Impersonat: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Email: 1 detection (auto-extracted)
Dump: 1 detection (auto-extracted)
Kerbero: 1 detection (auto-extracted)

DETECTIONS (61)

Each entry is listed as: detection name [source, severity]. Severity is shown only where the source rule carries one.

Application Consent Grant (Microsoft Entra ID) [crowdstrike_cql]
AWS Bedrock Invoke Model Access Denied [splunk_escu]
AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure [elastic, high]
AWS EC2 Instance Console Login via Assumed Role [elastic, high]
AWS First Occurrence of STS GetFederationToken Request by User [elastic, medium]
AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity [elastic, high]
AWS STS AssumeRole Misuse [sigma, low]
AWS STS AssumeRole with New MFA Device [elastic, low]
AWS STS GetFederationToken with AdministratorAccess in Request [elastic, high]
AWS STS GetSessionToken Misuse [sigma, low]
AWS STS Role Assumption by Service [elastic, low]
AWS STS Role Assumption by User [elastic, low]
AWS STS Role Chaining [elastic, medium]
AWS Suspicious SAML Activity [sigma, medium]
Device Code Sign-In [crowdstrike_cql]
Direct Interactive Kubernetes API Request Detected via Defend for Containers [elastic, low]
Entra ID Actor Token User Impersonation Abuse [elastic, medium]
Entra ID ADRS Token Request by Microsoft Authentication Broker [elastic, medium]
Entra ID Concurrent Sign-in with Suspicious Properties [elastic, high]
Entra ID Kali365 Default User-Agent Detected [elastic, high]
Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN [elastic, high]
Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource [elastic, medium]
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource [elastic, medium]
Entra ID OAuth Device Code Grant by Microsoft Authentication Broker [elastic, medium]
Entra ID OAuth Device Code Grant by Unusual User [elastic, medium]
Entra ID OAuth Device Code Phishing via AiTM [elastic, high]
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) [elastic, high]
Entra ID OAuth Phishing via First-Party Microsoft Application [elastic, medium]
Entra ID OAuth PRT Issuance to Non-Managed Device Detected [elastic, medium]
Entra ID OAuth User Impersonation to Microsoft Graph [elastic, medium]
Entra ID OAuth user_impersonation Scope for Unusual User and Client [elastic, medium]
Entra ID Service Principal Federated Credential Authentication by Unusual Client [elastic, medium]
Entra ID User Sign-in with Unusual Authentication Type [elastic, medium]
Entra ID User Sign-in with Unusual Client [elastic, medium]
First Time Seen Google Workspace OAuth Login from Third-Party Application [elastic, medium]
Kerberos attacks [kql]
Kerberos TGT Request Using RC4 Encryption [splunk_escu]
Kerberos Traffic from Unusual Process [elastic, medium]
Kubeconfig File Creation or Modification [elastic, medium]
Kubernetes API Server Proxying Request to Kubelet [elastic, medium]
Local Account TokenFilter Policy Disabled [elastic, medium]
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs [elastic, high]
Microsoft Graph Request Email Access by Unusual User and Client [elastic, medium]
Microsoft Graph Request User Impersonation by Unusual Client [elastic, low]
Multiple Device Token Hashes for Single Okta Session [elastic, medium]
Multiple Okta Sessions Detected for a Single User [elastic, medium]
Okta AiTM Session Cookie Replay [elastic, high]
Outgoing Logon with New Credentials [sigma, low]
Potential Impersonation Attempt via Kubectl [elastic, medium]
Potential Invoke-Mimikatz PowerShell Script [elastic, critical]
Potential Kerberos Attack via Bifrost [elastic, high]
Potential Kerberos Relay Attack against a Computer Account [elastic, high]
Potential Pass-the-Hash (PtH) Attempt [elastic, medium]
Potential PowerShell Pass-the-Hash/Relay Script [elastic, high]
Service Account Token or Certificate Access Followed by Kubernetes API Request [elastic, medium]
Suspicious Kerberos Authentication Ticket Request [elastic, high]
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials [elastic, medium]
Unknown Process Using The Kerberos Protocol [splunk_escu]
Unusual Process Connection to Docker or Containerd Socket [elastic, medium]
Windows AD Suspicious Attribute Modification [splunk_escu]
Windows Steal Authentication Certificates - ESC1 Authentication [splunk_escu]