Home/ MITRE Matrix/ Lateral Movement/ T1550

T1550Use Alternate Authentication Material

T1550 — Use Alternate Authentication Material is a MITRE ATT&CK technique in the Lateral Movement tactic. Clankerusecase tracks 11 detection use cases covering it and 2 threat-intel articles citing it.

Lateral Movement

View on the matrix → Filter Detection Library MITRE official spec ↗

11Use cases

2Articles

4Sub-techniques

1Tactic

Sub-techniques (4)

T1550.001 · Application Access Token T1550.002 · Pass the Hash T1550.003 · Pass the Ticket T1550.004 · Web Session Cookie

Use cases covering this technique (11)

1Password impossible-travel sign-in Internal delivery · alerting DD AWS Console login without MFA + impossible travel Internal delivery · alerting DDCW Impossible travel from application business-logic event Internal delivery · alerting DD AWS Bedrock Invoke Model Access Denied ESCU actions · alerting P Kerberos TGT Request Using RC4 Encryption ESCU actions · alerting P Unknown Process Using The Kerberos Protocol ESCU actions · alerting P Windows AD Suspicious Attribute Modification ESCU actions · alerting P Windows Steal Authentication Certificates - ESC1 Authentication ESCU actions · alerting P aws detect sts get session token abuse ESCU actions · hunting P [LLM] Curious Serpens / APT29 ROADtools-pattern: device registration immediately following non-interactive token acquisition Bespoke install · alerting DSPDD [LLM] PKINIT Kerberos TGT request via certificate authentication anomaly Bespoke actions · hunting DSPDDCS

Articles citing this technique (2)

crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316