T1550.002 Elastic Security · Elastic

Detect Pass the Hash in Elastic Security

Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec.

MITRE ATT&CK

Tactic
Defense Evasion Lateral Movement
Technique
T1550 Use Alternate Authentication Material
Sub-technique
T1550.002 Pass the Hash
Canonical reference
https://attack.mitre.org/techniques/T1550/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.code == "4624" and
    event.provider == "Microsoft-Windows-Security-Auditing" and
    winlog.event_data.LogonType in ("3", "9") and
    winlog.event_data.AuthenticationPackageName : "NTLM" and
    not winlog.event_data.TargetUserName : ("*$", "ANONYMOUS LOGON", "IUSR", "DWM-*", "UMFD-*", "LOCAL SERVICE", "NETWORK SERVICE", "Window Manager", "Font Driver Host") and
    winlog.event_data.IpAddress != null and
    not winlog.event_data.IpAddress in ("-", "::1", "127.0.0.1", "")
  ) or (
    event.code == "10" and
    event.provider == "Microsoft-Windows-Sysmon" and
    winlog.event_data.TargetImage : "*\\lsass.exe" and
    winlog.event_data.GrantedAccess in ("0x1010", "0x1438", "0x143a", "0x40", "0x1fffff") and
    not winlog.event_data.SourceImage : (
      "*\\MsMpEng.exe", "*\\Taskmgr.exe", "*\\procexp.exe", "*\\procexp64.exe",
      "*\\WmiPrvSE.exe", "*\\svchost.exe", "*\\csrss.exe", "*\\wininit.exe",
      "*\\SecurityHealthService.exe", "*\\perfmon.exe", "*\\lsm.exe"
    )
  )
high severity high confidence

Detects Pass the Hash (T1550.002) via two branches: (1) Windows Security Event 4624 with NTLM authentication and LogonType 3 (classic PtH lateral movement) or LogonType 9 (Mimikatz sekurlsa::pth /netonly spawning a process with injected credentials on the source host), filtering service accounts and loopback addresses; (2) Sysmon Event 10 capturing suspicious LSASS process access with known credential-dumping access masks (0x1010, 0x1438, 0x143a, 0x40, 0x1fffff), excluding legitimate system and security tooling, representing the credential harvesting step that precedes a PtH attack.

Data Sources

Windows Security Event Log (Event ID 4624)Sysmon Event Log (Event ID 10 — Process Access)

Required Tables

winlogbeat-*logs-endpoint.events.authentication*.ds-logs-system.security*.ds-logs-windows.sysmon_operational*

False Positives & Tuning

  • Legacy enterprise applications (e.g., older ERP or print management software) that force NTLM authentication over the network and generate Type 3 logons from service accounts — tune by excluding the specific source IPs or well-known service account names after baselining.
  • Administrators using 'runas /netonly' with domain credentials on a non-domain-joined workstation to access network resources generate LogonType 9 with NTLM; these are operationally legitimate but indistinguishable from Mimikatz pth /netonly without additional process ancestry context.
  • Endpoint security products, crash dump tooling (WER), and custom monitoring agents that legitimately open LSASS with broad access masks will trigger the LSASS branch — build and maintain an approved-binary allowlist by SHA256 hash in addition to filename exclusions, as filenames can be spoofed.
Download portable Sigma rule (.yml)

Other platforms for T1550.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz sekurlsa::pth Hash Injection

    Expected signal: Sysmon Event ID 10: mimikatz.exe accessing lsass.exe with GrantedAccess 0x1438. Sysmon Event ID 1: cmd.exe spawned with ParentImage=mimikatz.exe, showing abnormal parent-child relationship. Security Event ID 4624 on the local machine with LogonType=9 (NewCredentials) and AuthenticationPackageName=NTLM when the injected cmd.exe makes its first outbound connection. Security Event ID 4624 on any target system accessed from the injected session shows LogonType=3 with NTLM.

  2. Test 2Invoke-SMBExec Pass the Hash Lateral Movement

    Expected signal: Security Event ID 4624 on target (192.168.1.10): LogonType=3, AuthenticationPackageName=NTLM — primary PtH authentication event. Sysmon Event ID 3 on source: outbound TCP connection to 192.168.1.10:445. Security Event ID 7045 on target: new service installed with random 7-character name and ImagePath pointing to cmd.exe. Sysmon Event ID 1 on target: cmd.exe spawned by the transient service process.

  3. Test 3Impacket psexec.py Pass the Hash from Linux

    Expected signal: Security Event ID 4624 on Windows target: LogonType=3, AuthenticationPackageName=NTLM, IpAddress=<Linux attacker IP> — source IP being non-Windows is a high-fidelity indicator. Security Event ID 7045: new service named 'PSEXESVC' or randomly named service installed on target. Sysmon Event ID 1 on target: cmd.exe spawned by the installed Impacket service. Network captures show SMB NTLM authentication with challenge-response originating from a Linux host.

  4. Test 4CrackMapExec Pass the Hash Subnet Sweep

    Expected signal: Multiple Security Event ID 4624 (LogonType=3, AuthenticationPackageName=NTLM) on each host in the subnet that responds — all originating from the same attacker source IP in rapid succession. Security Event ID 4625 (failed logon, LogonType=3, NTLM) on hosts where the hash is invalid. High volume of authentication events from a single source IP in a short window creates a clear spike in the SecurityEvent table.

Last updated: 2026-04-20 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1550.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1550Use Alternate Authentication Material

Related Sub-techniques

T1550.001Application Access TokenT1550.003Pass the TicketT1550.004Web Session Cookie

Related Techniques

T1003.001LSASS MemoryT1550Use Alternate Authentication MaterialT1550.003Pass the TicketT1021.002SMB/Windows Admin SharesT1021.001Remote Desktop ProtocolT1569.002Service ExecutionT1078Valid AccountsT1562.001Disable or Modify ToolsT1134.001Token Impersonation/TheftT1558.001Golden Ticket

Same Tactic: Defense Evasion

Popular Detections