T1550

Use Alternate Authentication Material

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors. Sub-techniques include Application Access Token abuse (T1550.001), Pass the Hash (T1550.002), Pass the Ticket (T1550.003), and Web Session Cookie reuse (T1550.004).

Microsoft Sentinel / Defender

kusto

// T1550 — Use Alternate Authentication Material
// Detects Pass-the-Hash (LogonType 9 and NTLM network logons), Pass-the-Ticket (RC4 Kerberos downgrade),
// and NTLM hash override attempts using Windows Security Event logs
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4624, 4769, 4776)
// Pass-the-Hash: LogonType 9 (NewCredentials) — definitive mimikatz sekurlsa::pth artifact
| extend PTH_Type9 = iff(
    EventID == 4624 and LogonType == 9,
    1, 0)
// Pass-the-Hash: NTLM network logon from a remote host (not a machine account)
| extend PTH_NTLM = iff(
    EventID == 4624
    and LogonType == 3
    and AuthenticationPackageName =~ "NTLM"
    and TargetUserName !endswith "$"
    and IpAddress !in ("-", "::1", "127.0.0.1", ""),
    1, 0)
// Pass-the-Ticket: RC4-HMAC encryption (0x17) on Kerberos service ticket — golden/silver ticket indicator
| extend PTT_RC4 = iff(
    EventID == 4769
    and TicketEncryptionType =~ "0x17"
    and Status =~ "0x0",
    1, 0)
// Overpass-the-Hash / NTLM relay: NTLM credential validation failures on domain controllers
| extend NTLM_HashFail = iff(
    EventID == 4776
    and Status !in ("0x0", "", "-"),
    1, 0)
| where PTH_Type9 == 1 or PTH_NTLM == 1 or PTT_RC4 == 1 or NTLM_HashFail == 1
| extend AttackPattern = case(
    PTH_Type9 == 1, "Pass-the-Hash: LogonType 9 NewCredentials (mimikatz sekurlsa::pth)",
    PTH_NTLM == 1, "Pass-the-Hash: NTLM Network Logon from Remote Source",
    PTT_RC4 == 1, "Pass-the-Ticket: RC4-HMAC Kerberos Downgrade (Golden/Silver Ticket)",
    NTLM_HashFail == 1, "NTLM Hash Override / Credential Validation Failure",
    "Alternate Auth Abuse"
)
// Weight LogonType 9 highest — it is the most unambiguous PTH indicator
| extend SuspicionScore = PTH_Type9 * 3 + PTH_NTLM + PTT_RC4 * 2 + NTLM_HashFail
| project TimeGenerated, Computer, EventID, TargetUserName, TargetDomainName,
          LogonType, AuthenticationPackageName, IpAddress, WorkstationName,
          SubjectUserName, SubjectDomainName, LogonGuid,
          AttackPattern, SuspicionScore,
          TicketEncryptionType, TicketOptions, Status
| sort by SuspicionScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Windows Security Event Log Authentication: Authentication Logon Session: Logon Session Creation Active Directory: Active Directory Object Access

Required Tables

SecurityEvent

False Positives

runas /netonly command legitimately generates LogonType 9 events for users running applications with alternate network credentials — expected on developer and admin workstations
Legacy applications, NAS appliances, and non-domain-joined devices that cannot negotiate Kerberos will generate NTLM network logons (LogonType 3) — expected in mixed or older environments
Windows Server 2008 R2 and earlier systems, as well as third-party Kerberos clients (Linux Samba, older Cisco devices), default to RC4-HMAC encryption and will trigger the PTT_RC4 branch without malicious intent
Service accounts explicitly configured for NTLM in certain application integrations (SQL Server linked servers, legacy web applications) may generate recurring NTLM network logon events from known source IPs

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4624 OR EventCode=4769 OR EventCode=4776)
| eval logon_type=coalesce('Logon_Type', logon_type)
| eval auth_package=lower(coalesce('Authentication_Package_Name', 'Authentication_Package', auth_package, ""))
| eval src_ip=coalesce('Source_Network_Address', 'Client_Address', IpAddress, "")
| eval target_user=coalesce('Target_User_Name', 'Account_Name', "")
| eval ticket_enc=coalesce('Ticket_Encryption_Type', ticket_enc, "")
| eval event_status=coalesce(Status, status, "")
| eval PTH_Type9=if(EventCode=4624 AND logon_type="9", 1, 0)
| eval PTH_NTLM=if(
    EventCode=4624
    AND logon_type="3"
    AND (auth_package="ntlm" OR auth_package="ntlmssp")
    AND src_ip!="" AND src_ip!="-"
    AND src_ip!="127.0.0.1" AND src_ip!="::1"
    AND NOT match(target_user, "\\$$"), 1, 0)
| eval PTT_RC4=if(
    EventCode=4769
    AND (ticket_enc="0x17" OR ticket_enc="23")
    AND (event_status="0x0" OR event_status=""), 1, 0)
| eval NTLM_HashFail=if(
    EventCode=4776
    AND event_status!=""
    AND event_status!="0x0"
    AND event_status!="0", 1, 0)
| eval SuspicionScore=(PTH_Type9*3) + PTH_NTLM + (PTT_RC4*2) + NTLM_HashFail
| where SuspicionScore > 0
| eval AttackPattern=case(
    PTH_Type9=1, "Pass-the-Hash: LogonType 9 NewCredentials",
    PTH_NTLM=1, "Pass-the-Hash: NTLM Network Logon",
    PTT_RC4=1, "Pass-the-Ticket: RC4 Kerberos Downgrade",
    NTLM_HashFail=1, "NTLM Hash Override Attempt",
    1=1, "Alternate Auth Abuse")
| table _time, host, target_user, EventCode, logon_type, auth_package,
        src_ip, ticket_enc, event_status, AttackPattern, SuspicionScore
| sort - SuspicionScore - _time

high severity medium confidence

Data Sources

Windows Security Event Log Authentication: Authentication Logon Session: Logon Session Creation

Required Sourcetypes

WinEventLog:Security

False Positives

runas /netonly generates LogonType 9 events for legitimate users running applications with alternate credentials for specific network resources — common on admin workstations
Legacy systems, network appliances, and workgroup computers that rely on NTLM by default will produce recurring NTLM network logons (logon_type=3) from known source IPs
NAS devices, older Samba servers, and macOS SMB clients that cannot negotiate AES Kerberos will trigger PTT_RC4 detection when requesting service tickets — build an allowlist by hostname
NTLM validation failures (EventCode=4776) may spike during password policy enforcement campaigns, account lockout testing, or when monitoring agents authenticate against DC with stale cached credentials

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username AS target_user,
  QIDNAME(qid) AS event_name,
  "Logon_Type" AS logon_type,
  "Authentication_Package_Name" AS auth_package,
  sourceip AS src_ip,
  "Ticket_Encryption_Type" AS ticket_enc,
  Status AS event_status,
  CASE
    WHEN eventid = '4624' AND "Logon_Type" = '9' THEN 'Pass-the-Hash: LogonType 9 NewCredentials (mimikatz sekurlsa::pth)'
    WHEN eventid = '4624' AND "Logon_Type" = '3' AND (LOWER("Authentication_Package_Name") = 'ntlm' OR LOWER("Authentication_Package_Name") = 'ntlmssp') THEN 'Pass-the-Hash: NTLM Network Logon'
    WHEN eventid = '4769' AND ("Ticket_Encryption_Type" = '0x17' OR "Ticket_Encryption_Type" = '23') THEN 'Pass-the-Ticket: RC4 Kerberos Downgrade'
    WHEN eventid = '4776' AND Status IS NOT NULL AND Status != '0x0' AND Status != '0' THEN 'NTLM Hash Override Attempt'
    ELSE 'Alternate Auth Abuse'
  END AS attack_pattern,
  CASE
    WHEN eventid = '4624' AND "Logon_Type" = '9' THEN 3
    WHEN eventid = '4769' AND ("Ticket_Encryption_Type" = '0x17' OR "Ticket_Encryption_Type" = '23') THEN 2
    ELSE 1
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12 /* Microsoft Windows Security Event Log */
  AND eventid IN ('4624', '4769', '4776')
  AND (
    (eventid = '4624' AND "Logon_Type" = '9')
    OR (
      eventid = '4624'
      AND "Logon_Type" = '3'
      AND (LOWER("Authentication_Package_Name") IN ('ntlm', 'ntlmssp'))
      AND sourceip IS NOT NULL
      AND sourceip NOT IN ('127.0.0.1', '::1', '-', '')
      AND NOT (username LIKE '%$')
    )
    OR (
      eventid = '4769'
      AND ("Ticket_Encryption_Type" = '0x17' OR "Ticket_Encryption_Type" = '23')
      AND (Status = '0x0' OR Status IS NULL)
    )
    OR (
      eventid = '4776'
      AND Status IS NOT NULL
      AND Status NOT IN ('0x0', '0', '-', '')
    )
  )
  AND LOGSOURCETIME(starttime) > NOW() - 1 DAYS
ORDER BY suspicion_score DESC, starttime DESC

high severity high confidence

Data Sources

Windows Security Event Log (LOGSOURCETYPEID 12) Microsoft Windows Active Directory Domain Controller logs

Required Tables

events

False Positives

NTLM LogonType 3 events from legitimate IT admin tools such as PsExec, WMI, or remote management consoles that use NTLM authentication over the network
Kerberos RC4 encryption (0x17) from legacy printers, embedded devices, or services configured only to support DES/RC4 Kerberos
High volume of Event 4776 failures during account lockout scenarios or Active Directory synchronisation issues between domain controllers

Sumo Logic CSE

sql

_sourceCategory=windows/security (EventCode=4624 OR EventCode=4769 OR EventCode=4776)
| parse "Logon Type:\t*\n" as logon_type nodrop
| parse "Authentication Package:\t*\n" as auth_package nodrop
| parse "Source Network Address:\t*\n" as src_ip nodrop
| parse "Ticket Encryption Type:\t*\n" as ticket_enc nodrop
| parse "Target User Name:\t*\n" as target_user nodrop
| parse "Status:\t*\n" as event_status nodrop
| parse "Workstation Name:\t*\n" as workstation nodrop
| where !isNull(logon_type) OR !isNull(ticket_enc) OR !isNull(event_status)
| eval pth_type9 = if(EventCode="4624" AND logon_type="9", 1, 0)
| eval pth_ntlm = if(
    EventCode="4624"
    AND logon_type="3"
    AND (toLowerCase(auth_package) = "ntlm" OR toLowerCase(auth_package) = "ntlmssp")
    AND !isNull(src_ip) AND src_ip != "-" AND src_ip != ""
    AND src_ip != "127.0.0.1" AND src_ip != "::1"
    AND !matches(target_user, ".*\\$$"),
    1, 0)
| eval ptt_rc4 = if(
    EventCode="4769"
    AND (ticket_enc = "0x17" OR ticket_enc = "23")
    AND (event_status = "0x0" OR isNull(event_status)),
    1, 0)
| eval ntlm_hashfail = if(
    EventCode="4776"
    AND !isNull(event_status)
    AND event_status != ""
    AND event_status != "0x0"
    AND event_status != "0",
    1, 0)
| eval suspicion_score = (pth_type9 * 3) + pth_ntlm + (ptt_rc4 * 2) + ntlm_hashfail
| where suspicion_score > 0
| eval attack_pattern = if(pth_type9=1, "Pass-the-Hash: LogonType 9 NewCredentials",
    if(pth_ntlm=1, "Pass-the-Hash: NTLM Network Logon",
    if(ptt_rc4=1, "Pass-the-Ticket: RC4 Kerberos Downgrade",
    if(ntlm_hashfail=1, "NTLM Hash Override Attempt", "Alternate Auth Abuse"))))
| fields _messageTime, _sourceHost, target_user, EventCode, logon_type, auth_package, src_ip, ticket_enc, event_status, attack_pattern, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log collected via Sumo Logic Installed Collector or Universal Forwarder Windows Event Forwarding (WEF) to centralised collector

Required Tables

_sourceCategory=windows/security

False Positives

Domain-joined workstations authenticating via NTLM (LogonType 3) to file shares or print servers not Kerberos-enrolled, particularly in mixed Windows/Linux environments
Vulnerability scanners or EDR consoles performing NTLM authentication health checks that trigger Event 4776 failures with non-zero status codes
Service accounts with expired passwords generating repeated Event 4776 failures before administrators update cached credentials

Google Chronicle / SecOps

yaral

rule T1550_use_alternate_authentication_material {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Use of Alternate Authentication Material (T1550): Pass-the-Hash via LogonType 9 or remote NTLM logon (Event 4624), Pass-the-Ticket via RC4 Kerberos downgrade (Event 4769), and NTLM hash override attempts (Event 4776)"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1550"
    mitre_attack_subtechniques = "T1550.002, T1550.003"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1550/"
    version = "1.0"

  events:
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e.metadata.event_type = "USER_LOGIN"
    (
      // Pass-the-Hash: LogonType 9 NewCredentials — definitive mimikatz sekurlsa::pth indicator
      (
        $e.metadata.product_event_type = "4624"
        and $e.extensions.auth.auth_details = "9"
      )
      or
      // Pass-the-Hash: NTLM network logon from non-local source
      (
        $e.metadata.product_event_type = "4624"
        and $e.extensions.auth.auth_details = "3"
        and re.regex($e.network.application_protocol, `(?i)ntlm`)
        and $e.principal.ip != ""
        and not $e.principal.ip in ("127.0.0.1", "::1")
        and not re.regex($e.target.user.userid, `.*\$$`)
      )
      or
      // Pass-the-Ticket: RC4-HMAC Kerberos encryption downgrade
      (
        $e.metadata.product_event_type = "4769"
        and re.regex($e.extensions.auth.auth_details, `0x17|0x18|23`)
        and $e.security_result.summary = "0x0"
      )
      or
      // NTLM Hash Override: credential validation failure
      (
        $e.metadata.product_event_type = "4776"
        and $e.security_result.summary != ""
        and not re.regex($e.security_result.summary, `^(0x0|0|-)$`)
      )
    )
    $e.principal.hostname = $hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Security Event Log ingested via Chronicle Windows forwarder or Bindplane Microsoft Active Directory Domain Controller audit logs

Required Tables

UDM events with metadata.product_name = Microsoft-Windows-Security-Auditing

False Positives

NTLM LogonType 3 authentications from legitimate remote desktop gateway or jump server solutions that proxy NTLM credentials across network segments
Kerberos service ticket requests using RC4 encryption (0x17) from third-party applications or services with constrained delegation configured for legacy encryption
NTLM validation failure events (4776) generated by monitoring tools or SIEM health-check accounts probing domain controller authentication endpoints

CrowdStrike LogScale (CQL)

cql

// T1550 — Use Alternate Authentication Material
// Detects Pass-the-Hash, Pass-the-Ticket, and NTLM hash override via Falcon sensor telemetry
// Note: Falcon does not forward raw Windows event logs; correlate with UserLogon and AuthActivity events

#repo=base_sensor_telemetry
(
  // Pass-the-Hash detection via UserLogon events — LogonType 9 NewCredentials
  (
    #event_simpleName=UserLogon
    LogonType=9
    | eval AttackPattern="Pass-the-Hash: LogonType 9 NewCredentials (mimikatz sekurlsa::pth)"
    | eval SuspicionScore=3
  )
  OR
  // Pass-the-Hash via NTLM network logon (LogonType 3)
  (
    #event_simpleName=UserLogon
    LogonType=3
    AuthenticationPackage=NTLM
    NOT RemoteAddressIP4 IN ("127.0.0.1", "")
    NOT UserName = /.*\$$/
    | eval AttackPattern="Pass-the-Hash: NTLM Network Logon from Remote Source"
    | eval SuspicionScore=1
  )
  OR
  // Pass-the-Ticket via Kerberos RC4 downgrade
  (
    #event_simpleName=KerberosServiceTicket
    TicketEncryptionType=0x17
    | eval AttackPattern="Pass-the-Ticket: RC4-HMAC Kerberos Downgrade (Golden/Silver Ticket)"
    | eval SuspicionScore=2
  )
  OR
  // NTLM credential validation failure — hash override attempt
  (
    #event_simpleName=NTLMv2Login
    Status != "0x0"
    Status != ""
    | eval AttackPattern="NTLM Hash Override: Credential Validation Failure"
    | eval SuspicionScore=1
  )
)
| groupBy(
    [ComputerName, UserName, RemoteAddressIP4, LogonType, AuthenticationPackage,
     TicketEncryptionType, Status, AttackPattern, SuspicionScore],
    function=count(as=EventCount))
| sort(SuspicionScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor telemetry (UserLogon, KerberosServiceTicket, NTLMv2Login events) Falcon LogScale Windows Security Event Log connector for Event IDs 4624/4769/4776

Required Tables

#repo=base_sensor_telemetry #event_simpleName in [UserLogon, KerberosServiceTicket, NTLMv2Login]

False Positives

Falcon UserLogon LogonType 9 events generated by legitimate runas /netonly commands used by administrators to run tools with alternate domain credentials without local logon
NTLM LogonType 3 events from CrowdStrike RTR (Real Time Response) sessions or Falcon sensor health-check mechanisms authenticating over the network
KerberosServiceTicket RC4 events from older Falcon-protected hosts running Windows Server 2008 R2 or earlier where AES Kerberos is not enforced by Group Policy

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1550 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Use Alternate Authentication Material

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Defense Evasion

Popular Detections