Use Alternate Authentication Material T1550
Tactic: Lateral Movement
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
Events covered
23 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 126 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (226 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (721 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (268 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma 18 rules
- AWS Console GetSigninToken Potential Abuse
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- HackTool - KrbRelayUp Execution
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock
- Hacktool Ruler
- Mimikatz Pass-the-hash login
- NTLM Logon
- NTLMv1 Logon Between Client and Server
- Outgoing Logon with New Credentials
- Pass the Hash Activity 2
- Refresh Token Exchange from Excessive Locations
- Refresh Token Exchange from Multiple User Agents
- Refresh Token Reuse Detection
- Successful Overpass the Hash Attempt
- Uncommon Outbound Kerberos Connection
Elastic 54 rules
- AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
- AWS EC2 Instance Console Login via Assumed Role
- AWS First Occurrence of STS GetFederationToken Request by User
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
- AWS Sign-In Token Created
- AWS STS AssumeRole with New MFA Device
- AWS STS GetFederationToken with AdministratorAccess in Request
- AWS STS GetSessionToken Usage
- AWS STS Role Assumption by Service
- AWS STS Role Assumption by User
- AWS STS Role Chaining
- Direct Interactive Kubernetes API Request Detected via Defend for Containers
- Entra ID Actor Token User Impersonation Abuse
- Entra ID ADRS Token Request by Microsoft Authentication Broker
- Entra ID Concurrent Sign-in with Suspicious Properties
- Entra ID Kali365 Default User-Agent Detected
- Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN
- Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource
- Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
- Entra ID OAuth Device Code Grant by Microsoft Authentication Broker
- Entra ID OAuth Device Code Grant by Unusual User
- Entra ID OAuth Device Code Phishing via AiTM
- Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
- Entra ID OAuth Phishing via First-Party Microsoft Application
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected
- Entra ID OAuth User Impersonation to Microsoft Graph
- Entra ID OAuth user_impersonation Scope for Unusual User and Client
- Entra ID Service Principal Federated Credential Authentication by Unusual Client
- Entra ID User Sign-in with Unusual Authentication Type
- Entra ID User Sign-in with Unusual Client
- First Occurrence GitHub Event for a Personal Access Token (PAT)
- First Occurrence of IP Address For GitHub Personal Access Token (PAT)
- First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
- First Time Seen Google Workspace OAuth Login from Third-Party Application
- Kerberos Traffic from Unusual Process
- Kubeconfig File Creation or Modification
- Kubernetes API Server Proxying Request to Kubelet
- Local Account TokenFilter Policy Disabled
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
- Microsoft Graph Request Email Access by Unusual User and Client
- Microsoft Graph Request User Impersonation by Unusual Client
- Multiple Device Token Hashes for Single Okta Session
- Multiple Okta Sessions Detected for a Single User
- Okta AiTM Session Cookie Replay
- Potential Impersonation Attempt via Kubectl
- Potential Invoke-Mimikatz PowerShell Script
- Potential Kerberos Attack via Bifrost
- Potential Kerberos Relay Attack against a Computer Account
- Potential Pass-the-Hash (PtH) Attempt
- Potential PowerShell Pass-the-Hash/Relay Script
- Service Account Token or Certificate Access Followed by Kubernetes API Request
- Suspicious Kerberos Authentication Ticket Request
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
- Unusual Process Connection to Docker or Containerd Socket
Splunk 14 rules
- AWS Bedrock Invoke Model Access Denied
- Kerberos TGT Request Using RC4 Encryption
- LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
- LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
- LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
- Mimikatz PassTheTicket CommandLine Parameters
- Okta Multiple Failed Requests to Access Applications
- Pass-the-Hash (Windows Event Log)
- Rubeus Command Line Parameters
- Rubeus Kerberos Ticket Exports Through Winlogon Access
- Unknown Process Using The Kerberos Protocol
- Windows AD Suspicious Attribute Modification
- Windows Process With NetExec Command Line Parameters
- Windows Steal Authentication Certificates - ESC1 Authentication
Kusto 14 rules
- First access credential added to Application or Service Principal where no credential was present
- full_access_as_app Granted To Application
- GCP IAM - Empty user agent
- GCP IAM - New Authentication Token for Service Account
- GCP IAM - New Service Account Key
- GWorkspace - API Access Granted
- Microsoft Entra ID Hybrid Health AD FS Suspicious Application
- New access credential added to Application or Service Principal
- NRT First access credential added to Application or Service Principal where no credential was present
- NRT New access credential added to Application or Service Principal
- Powershell Empire Cmdlets Executed in Command Line
- Suspicious application consent similar to O365 Attack Toolkit
- Suspicious application consent similar to PwnAuth
- UnPAC the hash
YARA-L 5 rules
- AWS Lateral Movement Using IAM Session Token
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage
- Hunt for Expired Tokens Attempting to sign-in to Entra ID
- Okta Multiple Failed Requests To Access Applications
- OneLogin Multiple Users Assumed
Panther 21 rules
- AppOmni Alert Passthrough
- AWS Console GetSigninToken Potential Abuse
- AWS STS GetSessionToken by IAM User
- AWS User API Key Created
- AWS User Login Profile Created or Modified
- Azure Device Code Authentication with Broker Client
- Azure Microsoft Graph Single Session from Multiple IP Addresses
- Databricks Long-Lifetime Token Generated
- DEPRECATED - AWS User Login Profile Modified
- Enabled Zendesk Support to Assume Users
- GAIA GCPW Credential Theft Attack Chain
- Google Workspace Login Type Anomaly
- Google Workspace OAuth Token Requests from New IP
- Google Workspace Rapid Multi-IP Authentication
- Kubernetes Service Account Token Theft from Pod
- OneLogin Active Login Activity
- OneLogin Unauthorized Access
- OneLogin User Assumed Another User
- OpenAI Anomalous API Key Activity
- Salesforce OAuth Credential Abuse Detection
- Salesforce Third-Party Integration Monitoring