EXPLORE

← Back to Explore

T1550.002

Pass the Hash

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used ...

Windows

9

Detections

2

Sources

11

Threat Actors

BY SOURCE

5sigma4elastic

PROCEDURES (7)

Authentication Monitoring3 detections

Auto-extracted: 3 detections for authentication monitoring

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Lateral1 detections

Auto-extracted: 1 detections for lateral

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Pass The Hash1 detections

Auto-extracted: 1 detections for pass the hash

Lateral1 detections

Auto-extracted: 1 detections for lateral

THREAT ACTORS (11)

APT1 APT28 APT32 APT41 Aquatic Panda Chimera Ember Bear FIN13 GALLIUM Kimsuky Wizard Spider

DETECTIONS (9)

Local Account TokenFilter Policy Disabled

NTLMv1 Logon Between Client and Server

Pass the Hash Activity 2

Potential Kerberos Attack via Bifrost

Potential Pass-the-Hash (PtH) Attempt

Potential PowerShell Pass-the-Hash/Relay Script

Successful Overpass the Hash Attempt