title: Pass the Hash (T1550.002)
id: df00tech-t1550-002
status: experimental
description: "Adversaries may 'pass the hash' using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to perform 'overpass the hash,' using the NTLM hash to create a valid Kerberos ticket for further lateral movement. Threat actors including APT28, APT32, APT41, Wizard Spider, FIN13, Chimera, and Kimsuky have all operationalized PtH using tools such as Mimikatz, Cobalt Strike, Invoke-SMBExec, Impacket, and CrackMapExec."
references:
  - https://attack.mitre.org/techniques/T1550/002/
  - https://df00tech.com/detections/T1550.002
author: df00tech
date: 2026/04/20
tags:
  - attack.t1550.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; the placeholder selection below matches every Windows event and must be replaced before use. See the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IT monitoring and management agents (Datadog, SolarWinds, PRTG) authenticating via NTLM when Kerberos SPN is not properly configured for the monitoring service account"
  - "Backup solutions (Veeam, Commvault, Veritas) using service accounts that fall back to NTLM when accessing remote file shares across domain boundaries or when Kerberos delegation is unavailable"
  - "Vulnerability scanners (Nessus, Qualys, Rapid7) performing credentialed NTLM authentication sweeps across network segments during authorized scan windows"
  - "Legacy applications and services with no Kerberos support that always use NTLM for authentication; particularly common with older line-of-business apps and some industrial control system software"
  - "Cross-domain or cross-forest authentication where no Kerberos trust is established, forcing legitimate NTLM fallback for users accessing resources in untrusted domains"
level: high
