T1550 Microsoft Sentinel · KQL

Detect Use Alternate Authentication Material in Microsoft Sentinel

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors. Sub-techniques include Application Access Token abuse (T1550.001), Pass the Hash (T1550.002), Pass the Ticket (T1550.003), and Web Session Cookie reuse (T1550.004).

MITRE ATT&CK

Tactic
Defense Evasion Lateral Movement
Technique
T1550 Use Alternate Authentication Material
Canonical reference
https://attack.mitre.org/techniques/T1550/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1550 — Use Alternate Authentication Material
// Detects Pass-the-Hash (LogonType 9 and NTLM network logons), Pass-the-Ticket (RC4 Kerberos downgrade),
// and NTLM hash override attempts using Windows Security Event logs
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4624, 4769, 4776)
// Pass-the-Hash: LogonType 9 (NewCredentials) — definitive mimikatz sekurlsa::pth artifact
| extend PTH_Type9 = iff(
    EventID == 4624 and LogonType == 9,
    1, 0)
// Pass-the-Hash: NTLM network logon from a remote host (not a machine account)
| extend PTH_NTLM = iff(
    EventID == 4624
    and LogonType == 3
    and AuthenticationPackageName =~ "NTLM"
    and TargetUserName !endswith "$"
    and IpAddress !in ("-", "::1", "127.0.0.1", ""),
    1, 0)
// Pass-the-Ticket: RC4-HMAC encryption (0x17) on Kerberos service ticket — golden/silver ticket indicator
| extend PTT_RC4 = iff(
    EventID == 4769
    and TicketEncryptionType =~ "0x17"
    and Status =~ "0x0",
    1, 0)
// Overpass-the-Hash / NTLM relay: NTLM credential validation failures on domain controllers
| extend NTLM_HashFail = iff(
    EventID == 4776
    and Status !in ("0x0", "", "-"),
    1, 0)
| where PTH_Type9 == 1 or PTH_NTLM == 1 or PTT_RC4 == 1 or NTLM_HashFail == 1
| extend AttackPattern = case(
    PTH_Type9 == 1, "Pass-the-Hash: LogonType 9 NewCredentials (mimikatz sekurlsa::pth)",
    PTH_NTLM == 1, "Pass-the-Hash: NTLM Network Logon from Remote Source",
    PTT_RC4 == 1, "Pass-the-Ticket: RC4-HMAC Kerberos Downgrade (Golden/Silver Ticket)",
    NTLM_HashFail == 1, "NTLM Hash Override / Credential Validation Failure",
    "Alternate Auth Abuse"
)
// Weight LogonType 9 highest — it is the most unambiguous PTH indicator
| extend SuspicionScore = PTH_Type9 * 3 + PTH_NTLM + PTT_RC4 * 2 + NTLM_HashFail
| project TimeGenerated, Computer, EventID, TargetUserName, TargetDomainName,
          LogonType, AuthenticationPackageName, IpAddress, WorkstationName,
          SubjectUserName, SubjectDomainName, LogonGuid,
          AttackPattern, SuspicionScore,
          TicketEncryptionType, TicketOptions, Status
| sort by SuspicionScore desc, TimeGenerated desc
high severity medium confidence

Detects alternate authentication material abuse using Windows Security Event logs in Microsoft Sentinel. Covers four detection branches: (1) LogonType 9 (NewCredentials) logons — the primary artifact of mimikatz sekurlsa::pth and overpass-the-hash attacks, almost never seen in legitimate activity on non-developer endpoints; (2) NTLM network logons (LogonType 3) from remote IPs targeting non-machine accounts — common Pass-the-Hash lateral movement pattern seen from tools like Impacket wmiexec.py; (3) Kerberos service ticket requests (Event 4769) using RC4-HMAC encryption (0x17) where AES is expected — strong indicator of golden or silver ticket attacks using forged credentials; (4) NTLM credential validation failures (Event 4776) on domain controllers that may indicate hash spraying or relay attempt activity. Note: Event 4776 only appears in DC logs. Uses a weighted SuspicionScore — LogonType 9 events score 3 (highest confidence), PTT/RC4 score 2, NTLM network logons score 1.

Data Sources

Windows Security Event LogAuthentication: AuthenticationLogon Session: Logon Session CreationActive Directory: Active Directory Object Access

Required Tables

SecurityEvent

False Positives & Tuning

  • runas /netonly command legitimately generates LogonType 9 events for users running applications with alternate network credentials — expected on developer and admin workstations
  • Legacy applications, NAS appliances, and non-domain-joined devices that cannot negotiate Kerberos will generate NTLM network logons (LogonType 3) — expected in mixed or older environments
  • Windows Server 2008 R2 and earlier systems, as well as third-party Kerberos clients (Linux Samba, older Cisco devices), default to RC4-HMAC encryption and will trigger the PTT_RC4 branch without malicious intent
  • Service accounts explicitly configured for NTLM in certain application integrations (SQL Server linked servers, legacy web applications) may generate recurring NTLM network logon events from known source IPs
Download portable Sigma rule (.yml)

Other platforms for T1550

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Pass-the-Hash via Mimikatz sekurlsa::pth (Windows)

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with parent process context. Security Event ID 4624 with LogonType=9, TargetUserName=testadmin, AuthenticationPackageName=NTLM on the local host — this fires immediately when the new process token is created. If the spawned cmd.exe then accesses a network resource, Security Event ID 4624 LogonType=3 with NTLM auth will appear on the target host. Sysmon Event ID 10 may appear if mimikatz accessed LSASS.

  2. Test 2Pass-the-Hash via Impacket wmiexec.py (Linux attacking Windows)

    Expected signal: On the target Windows host: Security Event ID 4624 with LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP>, TargetUserName=testadmin. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe for the WMI command execution. No LogonType 9 event — this is a pure NTLM Type 3 network logon, demonstrating the PTH_NTLM detection branch.

  3. Test 3Pass-the-Ticket — Export and Inject Kerberos Ticket via Mimikatz

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe. After ticket injection, subsequent Kerberos service ticket requests from the session may appear in Security Event ID 4769 — if the injected ticket is RC4-encrypted (common with older tickets or those from tools using RC4), TicketEncryptionType=0x17 will appear. Security Event ID 4648 may appear when using the injected ticket to access network resources. klist output shows the injected service ticket.

  4. Test 4Overpass-the-Hash — Convert NTLM Hash to Kerberos TGT via Mimikatz /ptt

    Expected signal: Security Event ID 4624 LogonType=9 on the local host when the new credential token is created. Security Event ID 4768 (Kerberos TGT request) on the domain controller showing the AS-REQ using RC4-HMAC encryption (TicketEncryptionType=0x17) if the domain does not enforce AES-only. Security Event ID 4769 when the TGT is used to request service tickets for SYSVOL/CIFS access. The combination of LogonType 9 followed by Kerberos tickets from that session ties the PTH origin to subsequent Kerberos activity.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1550 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1550.001Application Access TokenT1550.002Pass the HashT1550.003Pass the TicketT1550.004Web Session CookieT1003OS Credential DumpingT1003.001LSASS MemoryT1558Steal or Forge Kerberos TicketsT1558.001Golden TicketT1558.003KerberoastingT1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1134Access Token Manipulation

Same Tactic: Defense Evasion

Popular Detections