T1550.002: T1550.002

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 01/04/2026 21:58

Essential information

MITRE technique ID: T1550.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 01/04/2026 21:58
Author / Source: The MITRE Corporation

Aliases

Pass the Hash

Platforms

windows

Description

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	lateral-movement

Marking (TLP)

External references

mitre-attack (T1550.002)
Stealthbits Overpass-the-Hash

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (16)

GALLIUM uses Granite Typhoon

The MITRE Corporation Confidence 100

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT1 uses Comment CrewComment Group

The MITRE Corporation Confidence 100

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crypt Ghouls uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Aquatic Panda uses

The MITRE Corporation Confidence 100

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–16 of 16

Babuk - S0638 uses

Family
SoftEther VPN uses

Family
Rubeus uses

Family
BRICKSTORM uses

Family
Cl0p uses

Family
HOPLIGHT uses
CobInt uses

Family
BADHATCH uses
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SharpHound uses

Family
mimikatz uses

Family
Babyk uses

Family

← Previous

Page / 2

1–12 of 24

Snow Flurries: How UNC6692 Employed Social Engineering to … related

20 MITREs 4 Malwares 7 Observables 1 APT
AI-augmented threat actor accesses FortiGate devices at scale related

3 CVEs 20 MITREs 2 Malwares 2 Observables
Stranger Strings: Yurei Ransomware Operator Toolkit Exposed related

AlienVault Confidence 100 4 MITREs 4 IOCs 4 Observables

· threat-report
CL0P Ransomware: Latest Attacks related

1 CVE 35 MITREs 1 Malware 6 Observables 1 APT
Play Ransomware Engagement related

17 MITREs 3 Malwares 1 APT
Analyzing the familiar tools used by the Crypt … related

18 MITREs 5 Malwares 1 Observable 1 APT
BlackSuit Ransomware related

25 MITREs 6 Malwares 16 Observables
Analysis of Attack Case Installing VPN on Korean … related

7 MITREs 1 Malware 11 Observables

Vulnerabilities (CVE) (12)

CVE-2023-27532 KEV targets

7.5 High

Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …

Attack vector: Network
Published: 22/08/2023
Modified: 27/05/2026

CVE-2025-24071 targets

6.5 Medium

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.

Attack vector: Network
Published: 11/03/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2025-23266 targets

9.0 Critical

NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute …

Published: 17/07/2025
Modified: 17/07/2025

Awaiting Analysis

CVE-2024-43451 KEV targets

6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector: Network
Published: 12/11/2024
Modified: 27/05/2026

Analyzed

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2024-40711 KEV targets

9.8 Critical

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Attack vector: Network
Published: 17/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-50623 KEV targets

9.8 Critical

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …

Attack vector: Network
Published: 13/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-49706 KEV targets

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2019-7192 targets

CVE-2025-24054 KEV targets

6.5 Medium

Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over …

Attack vector: Network
Published: 17/04/2025
Modified: 27/05/2026

Awaiting Analysis

Attack patterns (MITRE) (1)

T1550 subtechnique-of

Use Alternate Authentication Material MITRE

Tool (5)

Mimikatz uses

The MITRE Corporation Confidence 100

[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
Pass-The-Hash Toolkit uses

The MITRE Corporation Confidence 100

[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
CrackMapExec uses

The MITRE Corporation Confidence 100

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…

Course Of Action (4)

User Account Management mitigates
Update Software mitigates
User Account Control mitigates
Privileged Account Management mitigates

Campaign (3)

Operation Digital Eye uses
Night Dragon uses
2025 Poland Wiper Attacks uses

Contact About Legal notice Privacy policy Terms of use