Detect Use Alternate Authentication Material in Splunk
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors. Sub-techniques include Application Access Token abuse (T1550.001), Pass the Hash (T1550.002), Pass the Ticket (T1550.003), and Web Session Cookie reuse (T1550.004).
MITRE ATT&CK
- Tactic: Defense Evasion, Lateral Movement
- Canonical reference: https://attack.mitre.org/techniques/T1550/
SPL Detection Query
index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4624 OR EventCode=4769 OR EventCode=4776)
| eval logon_type=coalesce('Logon_Type', logon_type)
| eval auth_package=lower(coalesce('Authentication_Package_Name', 'Authentication_Package', auth_package, ""))
| eval src_ip=coalesce('Source_Network_Address', 'Client_Address', IpAddress, "")
| eval target_user=coalesce('Target_User_Name', 'Account_Name', "")
| eval ticket_enc=coalesce('Ticket_Encryption_Type', ticket_enc, "")
| eval event_status=coalesce(Status, status, "")
| eval PTH_Type9=if(EventCode=4624 AND logon_type="9", 1, 0)
| eval PTH_NTLM=if(
EventCode=4624
AND logon_type="3"
AND (auth_package="ntlm" OR auth_package="ntlmssp")
AND src_ip!="" AND src_ip!="-"
AND src_ip!="127.0.0.1" AND src_ip!="::1"
AND NOT match(target_user, "\\$$"), 1, 0)
| eval PTT_RC4=if(
EventCode=4769
AND (ticket_enc="0x17" OR ticket_enc="23")
AND (event_status="0x0" OR event_status=""), 1, 0)
| eval NTLM_HashFail=if(
EventCode=4776
AND event_status!=""
AND event_status!="0x0"
AND event_status!="0", 1, 0)
| eval SuspicionScore=(PTH_Type9*3) + PTH_NTLM + (PTT_RC4*2) + NTLM_HashFail
| where SuspicionScore > 0
| eval AttackPattern=case(
PTH_Type9=1, "Pass-the-Hash: LogonType 9 NewCredentials",
PTH_NTLM=1, "Pass-the-Hash: NTLM Network Logon",
PTT_RC4=1, "Pass-the-Ticket: RC4 Kerberos Downgrade",
NTLM_HashFail=1, "NTLM Hash Override Attempt",
1=1, "Alternate Auth Abuse")
| table _time, host, target_user, EventCode, logon_type, auth_package,
src_ip, ticket_enc, event_status, AttackPattern, SuspicionScore
| sort - SuspicionScore - _time

Detects alternate authentication material abuse using Windows Security Event logs in Splunk. Relies on the Splunk Add-on for Windows for field parsing. Covers four branches: (1) LogonType 9 (NewCredentials) — weighted score 3 as it is the most definitive Pass-the-Hash indicator; (2) NTLM network logons from non-loopback remote sources targeting non-machine accounts; (3) Kerberos service ticket requests with RC4-HMAC encryption (0x17 or decimal 23) — golden/silver ticket indicator weighted score 2; (4) NTLM credential validation failures (EventCode=4776) on domain controllers. Uses coalesce() across multiple field name variants to handle differences between Splunk TA versions. Ticket encryption type 0x17 and its decimal equivalent 23 are both checked to handle raw vs parsed formats.
Data Sources
Required Sourcetypes
False Positives & Tuning
- runas /netonly generates LogonType 9 events for legitimate users running applications with alternate credentials for specific network resources — common on admin workstations
- Legacy systems, network appliances, and workgroup computers that rely on NTLM by default will produce recurring NTLM network logons (logon_type=3) from known source IPs
- NAS devices, older Samba servers, and macOS SMB clients that cannot negotiate AES Kerberos will trigger PTT_RC4 detection when requesting service tickets — build an allowlist by hostname
- NTLM validation failures (EventCode=4776) may spike during password policy enforcement campaigns, account lockout testing, or when monitoring agents authenticate against DC with stale cached credentials
Other platforms for T1550
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Pass-the-Hash via Mimikatz sekurlsa::pth (Windows)
Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with parent process context. Security Event ID 4624 with LogonType=9, TargetUserName=testadmin, AuthenticationPackageName=NTLM on the local host — this fires immediately when the new process token is created. If the spawned cmd.exe then accesses a network resource, Security Event ID 4624 LogonType=3 with NTLM auth will appear on the target host. Sysmon Event ID 10 may appear if mimikatz accessed LSASS.
- Test 2: Pass-the-Hash via Impacket wmiexec.py (Linux attacking Windows)
Expected signal: On the target Windows host: Security Event ID 4624 with LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP>, TargetUserName=testadmin. Security Event ID 4688 (or Sysmon Event ID 1) showing WmiPrvSE.exe spawning cmd.exe for the WMI command execution. No LogonType 9 event — this is a pure NTLM Type 3 network logon, demonstrating the PTH_NTLM detection branch.
- Test 3: Pass-the-Ticket — Export and Inject Kerberos Ticket via Mimikatz
Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe. After ticket injection, subsequent Kerberos service ticket requests from the session may appear in Security Event ID 4769 — if the injected ticket is RC4-encrypted (common with older tickets or those from tools using RC4), TicketEncryptionType=0x17 will appear. Security Event ID 4648 may appear when using the injected ticket to access network resources. klist output shows the injected service ticket.
- Test 4: Overpass-the-Hash — Convert NTLM Hash to Kerberos TGT via Mimikatz /ptt
Expected signal: Security Event ID 4624 LogonType=9 on the local host when the new credential token is created. Security Event ID 4768 (Kerberos TGT request) on the domain controller showing the AS-REQ using RC4-HMAC encryption (TicketEncryptionType=0x17) if the domain does not enforce AES-only. Security Event ID 4769 when the TGT is used to request service tickets for SYSVOL/CIFS access. The combination of LogonType 9 followed by Kerberos tickets from that session ties the PTH origin to subsequent Kerberos activity.
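The following is an added example, not part of the page or of the Splunk Add-on for Windows: a Python re-implementation of the SPL's four scoring branches so the logic can be exercised offline against the telemetry the four tests above say to expect, with the tuning allowlists from the False Positives section applied. The event records, the allowlist entries, and the attacker address 192.0.2.10 are constructed placeholders; the RC4 allowlist is keyed on the requesting account name (which for devices is normally hostname$) because the SPL does not extract a service or client hostname field, so that choice is an assumption.

```python
"""Offline model of the page's SPL detection: coalesce field variants,
evaluate the four branches, weight them, and apply tuning allowlists."""
import re

# The SPL excludes these src_ip values from the NTLM network-logon branch.
EXCLUDED_SOURCES = {"", "-", "127.0.0.1", "::1"}
# Machine accounts end in '$'; same regex as the SPL's match(target_user, "\\$$").
MACHINE_ACCOUNT = re.compile(r"\$$")

# Tuning allowlists from the False Positives section. Constructed placeholders;
# populate from your own environment.
KNOWN_NTLM_SOURCES = {"10.0.0.50"}     # legacy appliance that only speaks NTLM
RC4_ALLOWED_ACCOUNTS = {"nas01$"}      # NAS that cannot negotiate AES Kerberos

# Branch weights and labels, in the same precedence order as the SPL case().
WEIGHTS = {"PTH_Type9": 3, "PTH_NTLM": 1, "PTT_RC4": 2, "NTLM_HashFail": 1}
LABELS = [
    ("PTH_Type9", "Pass-the-Hash: LogonType 9 NewCredentials"),
    ("PTH_NTLM", "Pass-the-Hash: NTLM Network Logon"),
    ("PTT_RC4", "Pass-the-Ticket: RC4 Kerberos Downgrade"),
    ("NTLM_HashFail", "NTLM Hash Override Attempt"),
]


def coalesce(event, *names):
    """Mirror SPL coalesce(): the first field that is present wins, else ''."""
    for name in names:
        if event.get(name) is not None:
            return str(event[name])
    return ""


def normalise(event):
    """Map the field-name variants the SPL tolerates onto one schema."""
    return {
        "EventCode": int(event.get("EventCode", 0)),
        "logon_type": coalesce(event, "Logon_Type", "logon_type"),
        "auth_package": coalesce(event, "Authentication_Package_Name",
                                 "Authentication_Package", "auth_package").lower(),
        "src_ip": coalesce(event, "Source_Network_Address", "Client_Address", "IpAddress"),
        "target_user": coalesce(event, "Target_User_Name", "Account_Name"),
        "ticket_enc": coalesce(event, "Ticket_Encryption_Type", "ticket_enc"),
        "event_status": coalesce(event, "Status", "status"),
    }


def score_event(event, apply_allowlists=True):
    """Return (SuspicionScore, AttackPattern) for a single event."""
    e = normalise(event)
    flags = {
        "PTH_Type9": e["EventCode"] == 4624 and e["logon_type"] == "9",
        "PTH_NTLM": (e["EventCode"] == 4624 and e["logon_type"] == "3"
                     and e["auth_package"] in ("ntlm", "ntlmssp")
                     and e["src_ip"] not in EXCLUDED_SOURCES
                     and not MACHINE_ACCOUNT.search(e["target_user"])),
        "PTT_RC4": (e["EventCode"] == 4769 and e["ticket_enc"] in ("0x17", "23")
                    and e["event_status"] in ("0x0", "")),
        "NTLM_HashFail": (e["EventCode"] == 4776
                          and e["event_status"] not in ("", "0x0", "0")),
    }
    if apply_allowlists:  # suppress the two branches the page flags as noisy
        if e["src_ip"] in KNOWN_NTLM_SOURCES:
            flags["PTH_NTLM"] = False
        if e["target_user"].lower() in RC4_ALLOWED_ACCOUNTS:
            flags["PTT_RC4"] = False
    total = sum(WEIGHTS[name] for name, hit in flags.items() if hit)
    pattern = next((label for name, label in LABELS if flags[name]), "Alternate Auth Abuse")
    return total, pattern


def run_detection(events, apply_allowlists=True):
    """Equivalent of `where SuspicionScore > 0 | sort - SuspicionScore`."""
    rows = []
    for ev in events:
        total, pattern = score_event(ev, apply_allowlists)
        if total > 0:
            rows.append((total, pattern, normalise(ev)["target_user"]))
    return sorted(rows, key=lambda r: -r[0])


# Constructed events mirroring the expected telemetry of Tests 1-4, plus
# three benign records the tuning section says to expect.
SAMPLE_EVENTS = [
    # Tests 1 and 4: sekurlsa::pth creates a LogonType 9 token on the local host
    {"EventCode": 4624, "Logon_Type": "9", "Authentication_Package_Name": "NTLM",
     "Target_User_Name": "testadmin", "Source_Network_Address": "-"},
    # Test 2: wmiexec.py from Linux, a pure NTLM Type 3 network logon on the target
    {"EventCode": 4624, "Logon_Type": "3", "Authentication_Package_Name": "NTLM",
     "IpAddress": "192.0.2.10", "Target_User_Name": "testadmin"},
    # Test 3: service ticket requested from a session holding an injected RC4 ticket
    {"EventCode": 4769, "Ticket_Encryption_Type": "0x17",
     "Account_Name": "testadmin@EXAMPLE.LOCAL", "Client_Address": "192.0.2.10"},
    # Failed NTLM credential validation on the DC
    {"EventCode": 4776, "Status": "0xC000006A", "Account_Name": "testadmin"},
    # Benign: machine-account NTLM logon, excluded by the '$' regex
    {"EventCode": 4624, "Logon_Type": "3", "Authentication_Package_Name": "NTLM",
     "IpAddress": "10.0.0.20", "Target_User_Name": "WS01$"},
    # Noisy: legacy appliance on the NTLM allowlist (older TA field name)
    {"EventCode": 4624, "Logon_Type": "3", "Authentication_Package": "NTLM",
     "Source_Network_Address": "10.0.0.50", "Account_Name": "svc_backup"},
    # Noisy: allowlisted NAS requesting an RC4 ticket, decimal encoding of 0x17
    {"EventCode": 4769, "ticket_enc": "23", "Account_Name": "NAS01$", "status": "0x0"},
]

if __name__ == "__main__":
    for total, pattern, user in run_detection(SAMPLE_EVENTS):
        print(f"{total}  {pattern:45s}  {user}")
```

Running the module prints the four true positives in score order and nothing for the three benign records; passing `apply_allowlists=False` to `run_detection` shows the two noisy records the tuning section describes reappearing with scores 1 and 2.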
References (13)
- https://attack.mitre.org/techniques/T1550/
- https://technet.microsoft.com/en-us/library/dn487457.aspx
- https://csrc.nist.gov/glossary/term/authentication
- https://csrc.nist.gov/glossary/term/multi_factor_authentication
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-securityevent-table
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa
- https://github.com/SecureAuthCorp/impacket
- https://www.sans.org/white-papers/36962/
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/credential-protection-and-management
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md
- https://adsecurity.org/?p=1515
- https://www.microsoft.com/en-us/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/