Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.(Citation: NSA Spotting)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1550.002 | Pass the Hash |
| AC-3 | Access Enforcement | Protects | T1550.002 | Pass the Hash |
| AC-5 | Separation of Duties | Protects | T1550.002 | Pass the Hash |
| AC-6 | Least Privilege | Protects | T1550.002 | Pass the Hash |
| CM-5 | Access Restrictions for Change | Protects | T1550.002 | Pass the Hash |
| CM-6 | Configuration Settings | Protects | T1550.002 | Pass the Hash |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1550.002 | Pass the Hash |
| SI-2 | Flaw Remediation | Protects | T1550.002 | Pass the Hash |
| azure_sentinel | Azure Sentinel | technique_scores | T1550.002 | Pass the Hash |
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1550.002 | Pass the Hash |
| azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1550.002 | Pass the Hash |