T1550.002 Pass the Hash Mappings

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1550.002 | Pass the Hash |
| AC-3 | Access Enforcement | Protects | T1550.002 | Pass the Hash |
| AC-5 | Separation of Duties | Protects | T1550.002 | Pass the Hash |
| AC-6 | Least Privilege | Protects | T1550.002 | Pass the Hash |
| CM-5 | Access Restrictions for Change | Protects | T1550.002 | Pass the Hash |
| CM-6 | Configuration Settings | Protects | T1550.002 | Pass the Hash |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1550.002 | Pass the Hash |
| SI-2 | Flaw Remediation | Protects | T1550.002 | Pass the Hash |
| azure_sentinel | Azure Sentinel | technique_scores | T1550.002 | Pass the Hash |
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1550.002 | Pass the Hash |
| azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1550.002 | Pass the Hash |