TIARAS - T1075: Pass the Hash

MITRE ATT&CK Technique

Lateral Movement T1075

Description

Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)

Supported Platforms

Windows

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2017-05-31T21:30:59.339Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Pass the hash (PtH) is a method of authenticating as a user '
                "without having access to the user's cleartext password. This "
                'method bypasses standard authentication steps that require a '
                'cleartext password, moving directly into the portion of the '
                'authentication that uses the password hash. In this '
                'technique, valid password hashes for the account being used '
                'are captured using a Credential Access technique. Captured '
                'hashes are used with PtH to authenticate as that user. Once '
                'authenticated, PtH may be used to perform actions on local or '
                'remote systems. \n'
                '\n'
                'Windows 7 and higher with KB2871997 require valid domain user '
                'credentials or RID 500 administrator hashes. (Citation: NSA '
                'Spotting)',
 'external_references': [{'external_id': 'T1075',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1075'},
                         {'external_id': 'CAPEC-644',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/644.html'},
                         {'description': 'National Security Agency/Central '
                                         'Security Service Information '
                                         'Assurance Directorate. (2015, August '
                                         '7). Spotting the Adversary with '
                                         'Windows Event Log Monitoring. '
                                         'Retrieved September 6, 2018.',
                          'source_name': 'NSA Spotting',
                          'url': 'https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm'}],
 'id': 'attack-pattern--c23b740b-a42b-47a1-aec2-9d48ddd547ff',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'lateral-movement'}],
 'modified': '2025-10-24T17:49:20.221Z',
 'name': 'Pass the Hash',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Travis Smith, Tripwire'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}

Quick Actions

Edit TTP Update from Web

Back to TTPs

Dashboard About