Pass the Hash
Authenticate to a remote service with an NT hash instead of a plaintext password.
§ Where this technique fits
T1550.002 is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 5 approved dossiers in the registry, at step 6.2 on average.
Authoritative reference: attack.mitre.org/techniques/T1550/002/.
§ Dossiers chaining this technique
- step 5 / 5: Shadow Credentials → PKINIT → NT hash
  Where GenericWrite is held over a target, write a fake KeyCredentialLink (whfb-like) and authenticate via PKINIT to recover the target's NT hash.
- step 6 / 6: Unpatched Confluence (CVE-2023-22515) → internal foothold
  Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.
- step 6 / 6: Jenkins /script Groovy console → RCE → AD
  Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
- step 7 / 7: Reconfigure MFP LDAP → harvest service-account credentials
  Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext.
- step 7 / 8: No creds → Domain Admin via LLMNR poisoning and NTLM relay
  Unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
§ What commonly comes next
- 01: DCSync (seen 1×) · T1003.006 · Credential Access