DET0338 Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)

Item	Value
ID	DET0338
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1550 (Use Alternate Authentication Material)

Analytics

Windows

AN0954

Use of stolen Kerberos tickets or token impersonation resulting in logon sessions from accounts without expected interactive logon events.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	WinEventLog:Security	EventCode=4624, 4648
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1

Mutable Elements

Field	Description
TimeWindow	Allows tuning of how far apart related logon and process events can be correlated
UserContext	Customize for high-value or service accounts with restricted access policies

Linux

AN0955

Access tokens or SSH keys used without corresponding login shell or PAM module activity, particularly for remote execution.

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	auditd:SYSCALL	execution of ssh, scp, or sftp using previously unseen credentials or keys
Logon Session Creation (DC0067)	NSM:Connections	Accepted publickey for user from unusual IP or without tty

Mutable Elements

Field	Description
SourceIPWhitelist	Tune for approved jump boxes or bastion hosts
AuthMethod	Filter on use of password vs publickey methods for better coverage

Identity Provider

AN0956

Token replay or impersonation in federated logins without interactive browser session or MFA prompts.

Log Sources

Data Component	Name	Channel
Web Credential Usage (DC0007)	azure:signinlogs	TokenIssuanceStart, TokenIssuanceSuccess
User Account Authentication (DC0002)	m365:unified	login using refresh_token with no preceding authentication context

Mutable Elements

Field	Description
MFAContextRequired	Customize for accounts where MFA must always precede token issuance
RefreshTokenReuseThreshold	Threshold for number of times a refresh token is reused without re-auth

SaaS

AN0957

Unusual reuse of OAuth access tokens from different geographic regions, without full login events.

Log Sources

Data Component	Name	Channel
Web Credential Usage (DC0007)	saas:googleworkspace	access_token issued
User Account Authentication (DC0002)	saas:googleworkspace	API access without user login

Mutable Elements

Field	Description
GeoIPDistanceThreshold	Minimum distance between token reuse events to trigger detection

Containers

AN0958

Container process uses mounted cloud credentials or token cache to authenticate without known orchestration.

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	docker:runtime	execution of cloud CLI tool (e.g., aws, az) inside container
User Account Metadata (DC0013)	AWS:CloudTrail	AssumeRole

Mutable Elements

Field	Description
ContainerLabel	Restrict to prod workloads or certain namespaces
CredentialPath	Path used to mount sensitive tokens (e.g., /.aws/credentials)

Office Suite

AN0959

Access token reuse to connect to SharePoint or Outlook APIs without interactive user context.

Log Sources

Data Component	Name	Channel
Web Credential Usage (DC0007)	m365:unified	TokenIssued, FileAccessed

Mutable Elements

Field	Description
UserAgentCheck	Tune to detect access from CLI agents or scripts rather than interactive browsers

IaaS

AN0960

Use of instance metadata tokens across instances or misuse of short-lived tokens issued for different roles.

Log Sources

Data Component	Name	Channel
Web Credential Usage (DC0007)	AWS:CloudTrail	GetCallerIdentity
User Account Metadata (DC0013)	AWS:CloudTrail	AssumeRole

Mutable Elements

Field	Description
TokenReuseWindow	Time window where token reuse is suspicious
RoleMismatchAlerting	Enable if tokens for RoleA are used in resources only RoleB should access