Use Alternate Authentication Material - T1550
(ATT&CK® Technique)
Definition
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
D3FEND Inferred Relationships
T1550 (Use Alternate Authentication Material) and the artifacts it touches:
- adds: Session Cookie
- may-produce: Network Traffic
- uses: Access Token
- produces: Web Network Traffic
- accesses: Authentication Service

Defensive techniques that may-deceive T1550:
- Decoy User Credential: spoofs Access Token, Session Cookie

Defensive techniques that may-detect T1550:
- Protocol Metadata Anomaly Detection: analyzes Network Traffic, Web Network Traffic
- Remote Terminal Session Detection: analyzes Network Traffic, Web Network Traffic
- Network Traffic Community Deviation: analyzes Network Traffic, Web Network Traffic
- Per Host Download-Upload Ratio Analysis: analyzes Network Traffic, Web Network Traffic
- Network Traffic Signature Analysis: analyzes Network Traffic, Web Network Traffic
- Client-server Payload Profiling: analyzes Network Traffic, Web Network Traffic
- Credential Compromise Scope Analysis: analyzes Access Token, Session Cookie
- User Geolocation Logon Pattern Analysis: analyzes Web Network Traffic, Network Traffic
- Process Spawn Analysis: analyzes Authentication Service
- Process Self-Modification Detection: analyzes Authentication Service
- Process Lineage Analysis: analyzes Authentication Service

Defensive techniques that may-evict T1550:
- Authentication Cache Invalidation: deletes Access Token, Session Cookie
- Credential Revocation: deletes Access Token, Session Cookie
- Process Suspension: suspends Authentication Service
- Host Shutdown: terminates Authentication Service
- Process Termination: terminates Authentication Service
- Host Reboot: terminates Authentication Service

Defensive techniques that may-harden T1550:
- Token Binding: strengthens Access Token
- Credential Rotation: regenerates Access Token, Session Cookie
- Multi-factor Authentication: uses Access Token, Session Cookie
- Token-based Authentication: uses Access Token
- Credential Hardening: hardens Session Cookie, Access Token

Defensive techniques that may-isolate T1550:
- Kernel-based Process Isolation: isolates Authentication Service
- Application-based Process Isolation: isolates Authentication Service
- Hardware-based Process Isolation: isolates Authentication Service
- System Call Filtering: isolates Authentication Service
- Credential Transmission Scoping: isolates Access Token, Session Cookie
- Network Traffic Filtering: filters Network Traffic, Web Network Traffic
- Web Session Access Mediation: isolates Authentication Service

Defensive techniques that may-restore T1550:
- Reissue Credential: restores Access Token, Session Cookie