MITRE ATT&CK® Detection Strategy

DET0338: Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)

Enterprise · DET0338 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0338 is a MITRE detection strategy for T1550, Use Alternate Authentication Material. The business issue is lateral movement: an adversary who obtains password hashes, Kerberos tickets, or application access tokens may be able to access systems without going through normal password-based authentication controls. For leaders, this makes identity telemetry, token governance, and cloud/identity-provider logging important evidence for resilience and incident response decisions.

Executive priority

Prioritize this as an identity and lateral-movement coverage question rather than a single-tool alert. Executives should ask whether the organization can prove how alternate authentication material is issued, used, expired, and investigated across Identity Provider, IaaS, container, and Linux environments. This matters for incident scoping, access-control assurance, and audit evidence when responders need to determine whether a valid identity was used in an abnormal way.

Technical view

The supplied ATT&CK object provides no official detection text, so defenders should validate coverage against the related technique context: T1550, lateral movement using password hashes, Kerberos tickets, or application access tokens. SOC and detection teams should map where these authentication artifacts are generated and where they are accepted, then confirm they can correlate each successful access with the expected user, host, workload, token, and session context across the platforms the related technique lists in the imported object: Containers, IaaS, Identity Provider, and Linux.

Likely telemetry

  • Identity Provider authentication, session, token issuance, and token use logs
  • IaaS control-plane audit logs showing authenticated API or console activity
  • Linux authentication and authorization logs
  • Container platform access and workload identity audit logs
  • Kerberos ticket-related authentication records where collected

Detection direction

  • Validate whether detections look for authentication success that bypasses the expected primary authentication path or appears inconsistent with normal session context.
  • Correlate identity events with source system, workload, user, service account, token/session age, and target resource to reduce false positives from legitimate automation.
  • Review blind spots where token use is logged but token issuance, renewal, or revocation is not retained.
  • Treat cloud, container, Linux, and identity-provider logs as shared evidence; a single log source may not show whether alternate authentication material was used maliciously.
  • Use the relationship to T1550 to frame detections around lateral movement, not just isolated login anomalies.
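As an added example (not part of the MITRE object or of Glexia's analysis), the correlation described in the Technical view and in the Detection direction list, run in Python over a handful of constructed Identity Provider, IaaS and container events. The event field names, hosts, token IDs, TTL values and the three rules (use without an issuance record, use from a different host or source IP than issuance, use after the issued TTL) are assumptions for illustration, not any vendor's log schema or a MITRE analytic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The field names (ts, source, event,
# user, token_id, host, src_ip, ttl_s, target) are assumptions for this example,
# not a vendor schema; map your own IdP, IaaS, container and Linux fields onto them.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "source": "idp", "event": "token_issued",
     "user": "alice", "token_id": "tok-1", "host": "wks-alice", "src_ip": "10.0.1.5", "ttl_s": 3600},
    {"ts": "2024-05-01T08:05:00", "source": "iaas", "event": "api_call",
     "user": "alice", "token_id": "tok-1", "host": "wks-alice", "src_ip": "10.0.1.5",
     "target": "storage:ListBuckets"},
    # Same token, new host and source IP, sensitive target: the shape of token reuse
    # for lateral movement rather than of an isolated odd login.
    {"ts": "2024-05-01T08:20:00", "source": "iaas", "event": "api_call",
     "user": "alice", "token_id": "tok-1", "host": "srv-build-03", "src_ip": "10.0.9.77",
     "target": "iam:CreateAccessKey"},
    # Same token used after the TTL recorded at issuance has elapsed.
    {"ts": "2024-05-01T09:30:00", "source": "iaas", "event": "api_call",
     "user": "alice", "token_id": "tok-1", "host": "wks-alice", "src_ip": "10.0.1.5",
     "target": "storage:GetObject"},
    # Token use with no retained issuance record: the blind spot named above.
    {"ts": "2024-05-01T10:00:00", "source": "container", "event": "api_call",
     "user": "svc-deploy", "token_id": "tok-9", "host": "node-7", "src_ip": "10.0.3.3",
     "target": "k8s:create/pods"},
    # Legitimate automation: issued and used on the same runner, within TTL.
    {"ts": "2024-05-01T10:10:00", "source": "idp", "event": "token_issued",
     "user": "svc-ci", "token_id": "tok-5", "host": "ci-runner-01", "src_ip": "10.0.5.1", "ttl_s": 900},
    {"ts": "2024-05-01T10:12:00", "source": "iaas", "event": "api_call",
     "user": "svc-ci", "token_id": "tok-5", "host": "ci-runner-01", "src_ip": "10.0.5.1",
     "target": "storage:PutObject"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def correlate_token_use(events):
    """Return findings for token use that does not match its issuance context.

    Events are replayed in time order; every use event is checked against the
    issuance record for the same token_id, if one was retained.
    """
    issued = {}
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["event"] == "token_issued":
            issued[ev["token_id"]] = ev
            continue
        base = {"token_id": ev["token_id"], "user": ev["user"],
                "ts": ev["ts"], "target": ev.get("target")}
        iss = issued.get(ev["token_id"])
        if iss is None:
            # Use is logged but issuance is not: cannot be validated, so it is surfaced.
            findings.append({**base, "rule": "use_without_issuance_record"})
            continue
        if ev["user"] != iss["user"]:
            findings.append({**base, "rule": "user_mismatch", "issued_to": iss["user"]})
        if ev["host"] != iss["host"] or ev["src_ip"] != iss["src_ip"]:
            findings.append({**base, "rule": "context_mismatch",
                             "issued_from": iss["host"]})
        expiry = parse_ts(iss["ts"]) + timedelta(seconds=iss["ttl_s"])
        if parse_ts(ev["ts"]) > expiry:
            findings.append({**base, "rule": "use_after_expiry",
                             "expired_at": expiry.isoformat()})
    return findings


def tokens_with_multiple_hosts(events):
    """Tokens seen on more than one host: frames the question as lateral movement."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["token_id"]].add(ev["host"])
    return {t: sorted(h) for t, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    for finding in correlate_token_use(SAMPLE_EVENTS):
        print(finding)
    print(tokens_with_multiple_hosts(SAMPLE_EVENTS))
```

On the constructed input the CI service account produces no finding, the reused and expired tok-1 events produce one finding each, and tok-9 is surfaced purely because no issuance record exists for it. In a real pipeline the host and source-IP comparison would need an allowlist for automation that legitimately moves between hosts, and the issuance and use events would come from different log sources (Identity Provider versus IaaS or container audit logs), which is the retention dependency the bullets above describe.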

Mitigation priorities

  • Inventory where password hashes, Kerberos tickets, and application access tokens are used or accepted in the environment.
  • Ensure authentication and token lifecycle logging is enabled and retained for Identity Provider, IaaS, container, and Linux environments.
  • Reduce unnecessary long-lived or broadly scoped authentication material where policy allows.
  • Strengthen incident-response playbooks for token/session revocation, credential reset, and lateral-movement scoping.
  • Test detection logic with approved internal validation methods and document coverage gaps for risk owners and compliance evidence.

Analyst notes and limits

This take is based on the DET0338 detection-strategy object and its relationship to ATT&CK technique T1550, Use Alternate Authentication Material. The DET object itself has no official description, detection text, tactics, or platforms, so practical guidance is derived only from the related technique fields supplied.

The source object does not provide concrete analytics, data components, false-positive guidance, or mitigations. Local architecture, identity-provider configuration, cloud logging, Linux logging, and container platform design are required to determine actual coverage.

Official MITRE ATT&CK definition

Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1550
Name: Use Alternate Authentication Material
Relationship / procedure: This object detects Use Alternate Authentication Material.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
dcaa7ce8e7e10733...
Imported snapshots across ATT&CK releases (1)
Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: dcaa7ce8e7e1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0338

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.