T1550: Use Alternate Authentication Material

Active Directory

Active Directory Attacks

Red Team Infrastructure

RED TEAM INFRASTRUCTURE

Domain Name and Categorization

Reconnaissance

Weaponization

Delivery

Situational Awareness

T1550: Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.
Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication material allows the system to verify an identity has successfully

System Checks

Pass the Ticket

Last modified 1yr ago

Copy link