T1550.002: T1550.002
Essential information
- MITRE technique ID
- T1550.002
- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 01/04/2026 21:58
- Author / Source
- The MITRE Corporation
Aliases
Pass the Hash
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (16)
- The MITRE Corporation · Confidence 100
  [FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
- Jumpy Pisces uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 08:07 · Modified 21/12/2025 08:07
- UAC-0194 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 08:25 · Modified 21/12/2025 08:25
- The MITRE Corporation · Confidence 100
  [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. (Citation: NSA/FBI Drovorub …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 08/04/2026 13:02
- The MITRE Corporation · Confidence 100
  [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
- The MITRE Corporation · Confidence 100
  [APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- UNC6692 uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 27/04/2026 16:41 · Modified 27/04/2026 16:41
- The MITRE Corporation · Confidence 100
  [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- CL0P uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 00:50 · Modified 21/12/2025 18:20
- Chimera uses · The MITRE Corporation · Confidence 100
  [Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
Malware (24)
- Babuk - S0638 uses · Family · Published 20/03/2026 08:24 · Modified 20/03/2026 08:24
- SoftEther VPN uses · Family · Published 17/06/2024 11:19 · Modified 17/06/2024 11:19
- Rubeus uses · Family · Published 30/04/2026 10:11 · Modified 30/04/2026 10:11
- BRICKSTORM uses · Family · Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
- Cl0p uses · Family · Published 12/02/2025 16:15 · Modified 12/02/2025 16:15
- HOPLIGHT
- CobInt uses · Family · Published 13/03/2025 14:58 · Modified 13/03/2025 14:58
- BADHATCH
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
- SharpHound uses · Family · Published 16/01/2026 13:31 · Modified 16/01/2026 13:31
- mimikatz uses · Family · Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
- Babyk uses · Family · Published 09/10/2025 20:09 · Modified 09/10/2025 20:09
Reports (8)
- 20 MITREs 4 Malwares 7 Observables 1 APT · Published 23/04/2026 19:25 · Modified 27/04/2026 14:43
- 3 CVEs 20 MITREs 2 Malwares 2 Observables · Published 21/04/2026 16:20 · Modified 22/04/2026 08:59
- AlienVault · Confidence 100 · 4 MITREs 4 IOCs 4 Observables · Published 01/04/2026 20:38 · Modified 01/04/2026 19:58 · threat-report
- CL0P Ransomware: Latest Attacks related · 1 CVE 35 MITREs 1 Malware 6 Observables 1 APT · Published 12/02/2025 16:15 · Modified 12/02/2025 20:44
- Play Ransomware Engagement related · 17 MITREs 3 Malwares 1 APT · Published 30/10/2024 16:32 · Modified 30/10/2024 22:33
- 18 MITREs 5 Malwares 1 Observable 1 APT · Published 18/10/2024 14:09 · Modified 21/10/2024 09:54
- BlackSuit Ransomware related · 25 MITREs 6 Malwares 16 Observables · Published 27/08/2024 08:35 · Modified 27/08/2024 09:06
- 7 MITREs 1 Malware 11 Observables · Published 17/06/2024 11:19 · Modified 17/06/2024 11:37
Vulnerabilities (CVE) (12)
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …
- Attack vector
- Network
- Published
- 22/08/2023
- Modified
- 27/05/2026
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- Attack vector
- Network
- Published
- 11/03/2025
- Modified
- 27/05/2026
NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute …
- Published
- 17/07/2025
- Modified
- 17/07/2025
Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …
- Attack vector
- Network
- Published
- 12/11/2024
- Modified
- 27/05/2026
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …
- Attack vector
- NETWORK
- Published
- 21/07/2025
- Modified
- 21/12/2025
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
- Attack vector
- Network
- Published
- 17/10/2024
- Modified
- 21/12/2025
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …
- Attack vector
- Network
- Published
- 13/12/2024
- Modified
- 21/12/2025
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …
- Attack vector
- Network
- Published
- 20/07/2025
- Modified
- 21/12/2025
Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025
Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025
Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …
- Attack vector
- Network
- Published
- 17/04/2025
- Modified
- 27/05/2026
Attack patterns (MITRE) (1)
- T1550 subtechnique-of · Use Alternate Authentication Material
Tool (5)
- Mimikatz uses · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- Empire uses · The MITRE Corporation · Confidence 100
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents …
  Published 11/03/2019 15:13 · Modified 27/03/2026 01:07
- The MITRE Corporation · Confidence 100
  [Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
- PoshC2 uses · The MITRE Corporation · Confidence 100
  [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while …
  Published 23/04/2019 14:31 · Modified 27/03/2026 01:07
- CrackMapExec uses · The MITRE Corporation · Confidence 100
  [CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted …
  Published 17/07/2020 16:23 · Modified 27/03/2026 01:07
Course Of Action (4)
- User Account Management mitigates
- Update Software mitigates
- User Account Control mitigates
- Privileged Account Management mitigates
Campaign (3)
- Operation Digital Eye uses
- Night Dragon uses
- 2025 Poland Wiper Attacks uses