Use of alternate authentication material refers to an attacker authenticating with non-plaintext credentials such as password hashes and Kerberos tickets, bypassing normal access controls to move laterally. Because the technique reuses legitimate authentication flows, it evades detection mechanisms that key on password entry and poses a serious threat to identity management systems. Defenses need to focus on recognizing anomalous logon patterns (for example, access at unusual hours or token use across security domains), strengthening authentication protocol protections (restricting ticket forwarding, enforcing strict session binding), and hardening credential storage (restricting reads of LSASS memory).
Traditional authentication security relies too heavily on protecting plaintext passwords and on detecting single authentication events, and struggles against covert attacks that use alternate authentication material. Through protocol-level concealment, hijacking of the credential lifecycle, and device-fingerprint spoofing, attackers embed illegitimate authentication deep inside legitimate business flows, giving rise to a new attack paradigm of "password-less lateral movement".
The core of current concealment techniques is to give authentication activity a legitimate appearance and protocol conformance. Attackers break through defenses along three dimensions: first, exploiting protocol design weaknesses (such as NTLM pass-the-hash and Kerberos ticket relaying) to disguise malicious authentication requests as behaviour the system expects; second, managing the credential lifecycle (dynamically refreshing cookies, extending token validity) to maintain long-term covert access; and third, simulating environmental characteristics (adapting device fingerprints, cloning user behaviour) to deceive strengthened authentication mechanisms. What these techniques share is a deep deconstruction of the target system's authentication trust model: by combining protocol-conformant disguise with blending into the environment's characteristics, anomalous authentication looks legitimate to any single detection point, forcing defenders to perform cross-domain correlation analysis to identify the attack chain.
The evolution of these concealment techniques renders defenses built on password-leak detection and auditing of individual logons ineffective. Defenders need protection that covers the entire credential lifecycle, dynamic access control that links multi-factor authentication with device trust, and stronger correlation analysis of authentication logs across domains in order to counter covert authentication abuse.
| Effect type | Present? |
|---|---|
| Feature disguise | ✅ |
| Behavioural transparency | ❌ |
| Data masking | ❌ |
| Spatio-temporal trace dispersal | ✅ |
Attackers conceal the characteristics of authentication traffic through protocol-conformant disguise. For example, a stolen Kerberos ticket is embedded in the standard protocol exchange, so the malicious authentication request matches legitimate traffic in every surface feature such as protocol headers and encryption type. Web session parasitism likewise reuses the HTTPS encrypted channel and the standard cookie format, so anomalous requests are indistinguishable at the transport layer and the attack blends in at the protocol level.
Attack features are diluted by extending credential lifetimes and using them infrequently. Attackers split stolen authentication material into several sub-credentials and use them spread over different time periods and across network domains, avoiding the threshold alerts that concentrated authentication activity would trigger. Golden ticket attacks set an extremely long validity period (often years), so the features of any single use are diluted across a long time span, which greatly increases the difficulty of detecting the persistent threat.
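The over-long validity period described above is something a defender can check for directly: a ticket whose end time or renew-until time lies further from its start time than the domain policy permits cannot have been issued by a well-behaved KDC. The following is an added example, not code from the original page; it parses constructed ticket records (the `client|service|start|end|renew_until` format is assumed, not a real tool's output) and flags lifetimes that exceed a policy whose values are the Active Directory defaults (10-hour maximum ticket lifetime, 7-day maximum renewal), which are also assumed here rather than read from a live domain.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values: Active Directory defaults for Kerberos
# ticket lifetime (10 h) and renewal (7 d). A real check should read
# these from the domain's Default Domain Policy instead.
POLICY = {"max_ticket": timedelta(hours=10), "max_renew": timedelta(days=7)}

# Constructed sample records (not real ticket data); the last one models a
# forged TGT whose validity runs for roughly ten years.
SAMPLE_TICKETS = [
    "alice@CORP.EXAMPLE|krbtgt/CORP.EXAMPLE|2024-05-01T08:00:00|2024-05-01T18:00:00|2024-05-08T08:00:00",
    "alice@CORP.EXAMPLE|cifs/fs-02.corp.example|2024-05-01T08:05:00|2024-05-01T18:00:00|2024-05-08T08:00:00",
    "administrator@CORP.EXAMPLE|krbtgt/CORP.EXAMPLE|2024-05-01T09:00:00|2034-04-29T09:00:00|2034-04-29T09:00:00",
]


@dataclass
class Ticket:
    client: str
    service: str
    start: datetime
    end: datetime
    renew_until: datetime


def parse_ticket(record: str) -> Ticket:
    """Parse one constructed 'client|service|start|end|renew_until' record."""
    client, service, start, end, renew = record.split("|")
    fmt = "%Y-%m-%dT%H:%M:%S"
    return Ticket(
        client,
        service,
        datetime.strptime(start, fmt),
        datetime.strptime(end, fmt),
        datetime.strptime(renew, fmt),
    )


def load_tickets(records):
    return [parse_ticket(r) for r in records]


def lifetime_violations(tickets, policy=POLICY):
    """Return (ticket, reasons) pairs for tickets that outlive the domain policy."""
    flagged = []
    for t in tickets:
        lifetime = t.end - t.start
        renewal = t.renew_until - t.start
        reasons = []
        if lifetime > policy["max_ticket"]:
            reasons.append(f"lifetime {lifetime} exceeds policy {policy['max_ticket']}")
        if renewal > policy["max_renew"]:
            reasons.append(f"renewal window {renewal} exceeds policy {policy['max_renew']}")
        if reasons:
            flagged.append((t, reasons))
    return flagged


if __name__ == "__main__":
    for ticket, reasons in lifetime_violations(load_tickets(SAMPLE_TICKETS)):
        print(f"{ticket.client} -> {ticket.service}")
        for reason in reasons:
            print(f"  {reason}")
```

Because the check compares each ticket against policy rather than against other tickets, it needs no baseline and catches a long-lived forged ticket the first time it is observed, regardless of how infrequently it is later used.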
| ID | Name | Description |
|---|---|---|
| S0661 | FoggyWeb | FoggyWeb can allow abuse of a compromised AD FS server's SAML token.[1] |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling APT29 to access enterprise cloud applications and services.[2][3] |
| ID | Mitigation | Description |
|---|---|---|
| M1036 | Account Use Policies | Where possible, consider restricting the use of authentication material outside of expected contexts. |
| M1015 | Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
| M1013 | Application Developer Guidance | Consider implementing token binding strategies, such as Azure AD token protection or OAuth Proof of Possession, that cryptographically bind a token to a secret. This may prevent the token from being used without knowledge of the secret or possession of the device the token is tied to.[4][5] |
| M1047 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M1027 | Password Policies | Set and enforce secure password policies for accounts. |
| M1026 | Privileged Account Management | Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. |
| M1018 | User Account Management | Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0026 | Active Directory | Active Directory Credential Request | Monitor requests of new ticket granting ticket or service tickets to a Domain Controller, such as Windows EID 4769 or 4768, that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| DS0028 | Logon Session | Logon Session Creation | Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. |
| DS0002 | User Account | User Account Authentication | Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| DS0006 | Web Credential | Web Credential Usage | Monitor for an attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202) that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |