Description
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform Pass the Ticket attacks.(Citation: Stealthbits Overpass-the-Hash)
Platforms
Mitigations (4)
Update Software (M1051)
Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.(Citation: NSA Spotting)
User Account Control (M1052)
Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy.
Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on netw
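The following read-only audit script is an added example, not part of the ATT&CK page: it checks a host against the two configuration-level mitigations listed above (the KB2871997 update under Update Software and the LocalAccountTokenFilterPolicy value under User Account Control). The function names and the interpretation of the value are assumptions not stated on the page: a value of 1 disables the UAC token filter for remote logons by local accounts, while 0 or an absent value leaves the filter in place.

```powershell
# Added audit example (not from the ATT&CK page). Read-only: it changes nothing.
# Assumption (not on the page): LocalAccountTokenFilterPolicy = 1 disables UAC
# filtering of remote local-account logons; 0 or absent means the filter applies.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicyStatus {
    # Returns $null if either the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $value  = '<absent>'
        $status = 'OK: default, UAC restrictions applied to remote local accounts'
    }
    else {
        $value = $item.$ValueName
        if ($value -eq 1) {
            $status = 'WEAK: remote local administrator logons receive a full token'
        }
        else {
            $status = 'OK: UAC restrictions applied to remote local accounts'
        }
    }

    [pscustomobject]@{ Setting = $ValueName; Value = $value; Status = $status }
}

function Get-Kb2871997Status {
    # KB2871997 is the update named under Update Software (M1051). Get-HotFix only
    # reports classic hotfix packages, so on builds that ship with the fix built in
    # it can report "not found"; confirm against the OS version in that case.
    $fix = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue

    if ($fix) {
        $value  = $fix.InstalledOn
        $status = 'OK: installed'
    }
    else {
        $value  = '<not found>'
        $status = 'REVIEW: not reported by Get-HotFix; check whether the OS build includes the fix'
    }

    [pscustomobject]@{ Setting = 'KB2871997'; Value = $value; Status = $status }
}

# Usage: run from an elevated PowerShell prompt on the host being audited.
Get-TokenFilterPolicyStatus, (Get-Kb2871997Status) | Format-Table -AutoSize
```

Because the GPO setting quoted above writes the same registry value, running this on a sample of hosts is a quick way to confirm that the policy actually reached them rather than assuming it from the GPO link.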
User Account Management (M1018)
Do not allow a domain user to be in the local administrator group on multiple systems.
Privileged Account Management (M1026)
Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used pass the hash for lateral movement.(Citation: Cybereason Cobalt Kitty 2017) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used pass the hash for lateral movement.(Citation: Microsoft SIR Vol 19) |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) used a registry edit to enable a Windows feature called <code>RestrictedAdmin</code> in victim ... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has dumped password hashes for use in pass the hash authentication attacks.(Citation: NCC Group Chime... |
| G0006 | APT1 | The [APT1](https://attack.mitre.org/groups/G0006) group is known to have used pass the hash.(Citation: Mandiant APT1) |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used the `Invoke-SMBExec` PowerShell cmdlet to execute the pass-the-hash technique and util... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) uses tools such as [Mimikatz](https://attack.mitre.org/software/S0002) to enable lateral movement via c... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used pass the hash for authentication to remote access software used in C2.(Citation: CISA AA20-3... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has used the PowerShell utility `Invoke-SMBExec` to execute the pass the hash method for lateral moveme... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used pass-the-hash techniques for lateral movement in victim environments.(Citation: CISA GRU2... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used dumped hashes to authenticate to other machines via pass the hash.(Citation: Cybereason Soft Cel... |
Associated Software (8)
| ID | Name | Type | Context |
|---|---|---|---|
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can perform pass the hash.(Citation: Cobalt Strike TTPs Dec 2017) |
| S0122 | Pass-The-Hash Toolkit | Tool | [Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) can perform pass the hash.(Citation: Mandiant APT1) |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) has been observed loading several APIs associated with Pass the Hash.(Citation: US-CERT HOPLIGHT A... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) has a number of modules that leverage pass the hash for lateral movement.(Citation: GitHub PoshC2) |
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002)'s <code>SEKURLSA::Pth</code> module can impersonate a user, with only a password hash, to execute ... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can perform pass the hash attacks.(Citation: Github PowerShell Empire) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can perform pass the hash on compromised machines with x64 versions.(Citation: BitDefender BADHATC... |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can pass the hash to authenticate via SMB.(Citation: CME Github September 2018) |
References
- Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.
Frequently Asked Questions
What is T1550.002 (Pass the Hash)?
T1550.002 is a MITRE ATT&CK technique named 'Pass the Hash'. It belongs to the Lateral Movement tactic(s). Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a us...
How can T1550.002 be detected?
Detection of T1550.002 (Pass the Hash) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1550.002?
There are 4 documented mitigations for T1550.002. Key mitigations include: Update Software, User Account Control, User Account Management, Privileged Account Management.
Which threat groups use T1550.002?
Known threat groups using T1550.002 include: APT32, APT28, Aquatic Panda, Chimera, APT1, Wizard Spider, APT41, Kimsuky.