Use Alternate Authentication Material
Pass-the-hash, pass-the-ticket, application access tokens.
§ Where this technique fits
T1550 is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 5.3 on average.
Authoritative reference: attack.mitre.org/techniques/T1550/.
§ Dossiers chaining this technique
- step 3 / 5: SAML signature wrapping (XSW) → impersonate admin
  Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- step 6 / 6: iOS URL scheme hijack → OAuth code theft
  Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.
- step 7 / 8: OAuth redirect_uri misconfig → account takeover
  Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). Steal the authorization code by redirecting it through an attacker host.
§ What commonly comes next
- 01 · Broken Function Level Authorization (API BFLA) · seen 1× · W-BFLA · Privilege Escalation
- 02 · Valid Accounts · seen 1× · T1078 · Initial Access