title: Use Alternate Authentication Material (T1550)
id: df00tech-t1550
status: experimental
description: "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, PIN, physical smart card, token generator). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required factor(s). By stealing that material, adversaries can authenticate to systems without knowing the plaintext password or any additional factor, which is why the events below look like ordinary successful logons rather than failures. Sub-techniques: Application Access Token (T1550.001), Pass the Hash (T1550.002), Pass the Ticket (T1550.003), and Web Session Cookie (T1550.004)."
references:
  - https://attack.mitre.org/techniques/T1550/
  - https://df00tech.com/detections/T1550
author: df00tech
date: 2026/04/13
tags:
  - attack.t1550
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The logon-type and ticket-encryption fields referenced in falsepositives come from
# the Windows Security log (EventID 4624 logons, 4768/4769 Kerberos ticket requests).
logsource:
  product: windows
  service: security
detection:
  # Placeholder only: this selection matches EVERY event and, at level high, would fire
  # constantly. It could not be auto-translated from the KQL/SPL query on df00tech, which
  # has three branches mirrored by the falsepositives below: NTLM network logons
  # (4624, LogonType 3), new-credential logons (4624, LogonType 9), and RC4-HMAC
  # service tickets (4769, TicketEncryptionType 0x17). Replace before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "runas /netonly legitimately generates LogonType 9 (NewCredentials) events for users running applications with alternate network credentials; expected on developer and admin workstations. The same event shape is produced by credential-injection tooling, so suppress by workstation and process rather than dropping LogonType 9 outright"
  - "Legacy applications, NAS appliances, and non-domain-joined devices that cannot negotiate Kerberos generate NTLM network logons (LogonType 3, AuthenticationPackageName NTLM); expected in mixed or older environments"
  - "Hosts that cannot use AES Kerberos (Windows XP and Server 2003-era systems, older Samba or Cisco Kerberos clients) and accounts that have no AES keys (msDS-SupportedEncryptionTypes unset, or password never changed since the domain functional level was raised to 2008 or later) will produce RC4-HMAC (0x17) tickets and trigger the PTT_RC4 branch without malicious intent"
  - "Service accounts explicitly configured for NTLM in certain application integrations (SQL Server linked servers, legacy web applications) generate recurring NTLM network logon events from known source IPs; allowlist the (account, source IP) pair rather than the account alone"
level: high
