T1550.002 Pass the Hash Mappings

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.(Citation: NSA Spotting)


NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
AC-2 | Account Management | Protects | T1550.002 | Pass the Hash |
AC-3 | Access Enforcement | Protects | T1550.002 | Pass the Hash |
AC-5 | Separation of Duties | Protects | T1550.002 | Pass the Hash |
AC-6 | Least Privilege | Protects | T1550.002 | Pass the Hash |
CM-5 | Access Restrictions for Change | Protects | T1550.002 | Pass the Hash |
CM-6 | Configuration Settings | Protects | T1550.002 | Pass the Hash |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1550.002 | Pass the Hash |
SI-2 | Flaw Remediation | Protects | T1550.002 | Pass the Hash |

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
azure_sentinel | Azure Sentinel | technique_scores | T1550.002 | Pass the Hash |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1550.002 | Pass the Hash |
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1550.002 | Pass the Hash |

Comments

azure_sentinel: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can perform pass-the-hash attacks, but does not address other procedures.

microsoft_defender_for_identity: This control's "Suspected identity theft (pass-the-hash) (external ID 2017)" alert specifically looks for pass-the-hash attacks, but there is not enough information to determine its effectiveness, so a conservative assessment of a Partial score is assigned. This control's "Suspected identity theft (pass-the-ticket) (external ID 2018)" alert specifically looks for pass-the-ticket attacks, but there is not enough information to determine its effectiveness, so a conservative assessment of a Partial score is assigned.

azure_ad_identity_secure_score: This control's "Reduce lateral movement path risk to sensitive entities" recommendation can lead to protecting sensitive accounts against pass-the-hash and pass-the-ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score has been capped at Partial.