TA0008 · ATT&CK Tactic
Lateral Movement
Move through the network after initial compromise. Pass-the-Hash uses the NTLM hash directly — no plaintext needed, no cracking required. One stolen hash can sweep the entire subnet.
T1550.002 · Pass-the-Hash
Authenticate to remote services using the NTLM hash of a user's password — no plaintext required. Once stolen from LSASS or dumped with secretsdump, the hash is used directly in SMB/WMI authentication. CrackMapExec sweeps entire subnets in seconds.
Attack Simulation · Ready
# Hash obtained from LSASS dump on RESEARCH-STATION-01
# marcus.chen NTLM: aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
SIEM Alert — High
Foyl SIEM · ALT-2024-5140 · HIGH
{
  "rule": "Pass-the-Hash — Admin Share Access",
  "event_id": 5140,
  "share_name": "ADMIN$",
  "source_ip": "185.220.101.42",
  "account": "marcus.chen",
  "hosts_accessed": 3,
  "logon_type": 3,
  "ntlm_only": true,
  "kerberos_absent": true,
  "investigation": "INV-2024-0087"
}
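The alert's criteria (event 5140 on an admin share, logon type 3 authenticated with NTLM, no Kerberos logon for the account, several distinct hosts) written out as detection logic over constructed sample events. This is an added example, not Foyl SIEM's own rule; the flat event shape, the field names and the min_hosts threshold are assumptions modelled on Windows Security events 4624 and 5140.

```python
from collections import defaultdict


def _logon(acct, host, pkg, ip):
    """Constructed stand-in for a Windows 4624 network logon (type 3)."""
    return {"event_id": 4624, "account": acct, "host": host,
            "logon_type": 3, "auth_pkg": pkg, "source_ip": ip}


def _share(acct, host, share, ip):
    """Constructed stand-in for a Windows 5140 share-access event."""
    return {"event_id": 5140, "account": acct, "host": host,
            "share_name": share, "source_ip": ip}


# Constructed sample telemetry (not real data). marcus.chen hits ADMIN$ on three
# hosts over NTLM with no Kerberos; jane.doe does the same but over Kerberos;
# bob.lee uses NTLM but only reaches one host.
SAMPLE_EVENTS = [
    _logon("marcus.chen", "FS-01", "NTLM", "185.220.101.42"),
    _share("marcus.chen", "FS-01", "\\\\*\\ADMIN$", "185.220.101.42"),
    _logon("marcus.chen", "FS-02", "NTLM", "185.220.101.42"),
    _share("marcus.chen", "FS-02", "\\\\*\\ADMIN$", "185.220.101.42"),
    _logon("marcus.chen", "DC-01", "NTLM", "185.220.101.42"),
    _share("marcus.chen", "DC-01", "\\\\*\\C$", "185.220.101.42"),
    _logon("jane.doe", "FS-01", "Kerberos", "10.0.5.20"),
    _share("jane.doe", "FS-01", "\\\\*\\ADMIN$", "10.0.5.20"),
    _logon("jane.doe", "FS-02", "Kerberos", "10.0.5.20"),
    _share("jane.doe", "FS-02", "\\\\*\\ADMIN$", "10.0.5.20"),
    _logon("jane.doe", "DC-01", "Kerberos", "10.0.5.20"),
    _share("jane.doe", "DC-01", "\\\\*\\ADMIN$", "10.0.5.20"),
    _logon("bob.lee", "FS-01", "NTLM", "10.0.5.31"),
    _share("bob.lee", "FS-01", "\\\\*\\ADMIN$", "10.0.5.31"),
]


def detect_pass_the_hash(events, min_hosts=3):
    """Return {account: sorted hosts} for accounts that reached an admin share
    (ADMIN$ or C$) on at least min_hosts hosts where the matching network logon
    was NTLM and the account produced no Kerberos logon at all in the window."""
    ntlm_hosts = defaultdict(set)        # account -> hosts with NTLM type-3 logon
    kerberos_accounts = set()            # accounts seen with any Kerberos logon
    admin_share_hosts = defaultdict(set)  # account -> hosts where an admin share was opened
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            pkg = e["auth_pkg"].upper()
            if pkg == "NTLM":
                ntlm_hosts[e["account"]].add(e["host"])
            elif pkg == "KERBEROS":
                kerberos_accounts.add(e["account"])
        elif e["event_id"] == 5140:
            share = e["share_name"].rstrip("\\").upper()
            if share.endswith(("ADMIN$", "C$")):
                admin_share_hosts[e["account"]].add(e["host"])
    hits = {}
    for account, hosts in admin_share_hosts.items():
        ntlm_only = hosts & ntlm_hosts[account]  # admin-share hosts reached via NTLM
        if account not in kerberos_accounts and len(ntlm_only) >= min_hosts:
            hits[account] = sorted(ntlm_only)
    return hits
```

Tune min_hosts to the environment: legitimate NTLM fallbacks to a single host are common, but one account opening admin shares on several hosts with no Kerberos ticket in sight is the pattern the alert above keys on.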