MITRE ATT&CK® Tool

S0122: Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. [1]

Domain: Enterprise | ID: S0122 | Type: Tool | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Pass-The-Hash Toolkit matters because it represents a way to use stolen password hashes as credentials, enabling access without knowing the cleartext password. For leaders, the practical issue is not the toolkit itself but whether the organization can prevent, detect, and investigate hash-based lateral movement, especially in Windows environments referenced by the related Pass the Hash technique.

Executive priority

Prioritize this as an identity and lateral-movement readiness issue. Ask whether privileged account hashes are protected, whether Windows authentication activity is logged well enough to support incident response, and whether SOC playbooks can distinguish legitimate administrative access from hash-based misuse. This behavior can affect business continuity because one compromised credential artifact may support movement across multiple systems if segmentation, privilege control, and monitoring are weak.

Technical view

ATT&CK maps this tool to T1550.002 Pass the Hash, a sub-technique of T1550 Use Alternate Authentication Material that sits under both Defense Evasion and Lateral Movement and lists Windows as its platform. SOC and IR teams should validate coverage around Windows logon activity, remote administrative access (SMB admin shares, WinRM, RPC), privileged account use, and authentication patterns that do not align with normal user or admin behavior. Because the tool object itself carries no detection text and lists no platforms, detection engineering should be anchored to the Pass the Hash technique and to Windows authentication telemetry rather than to a specific executable name or signature: a hash-based logon succeeds through the normal NTLM path and leaves no tool-specific marker in the authentication logs.

Likely telemetry

  • Windows Security log logon events from endpoints and servers, in particular Event ID 4624 (successful logon) with its logon type, authentication package and key length fields, and 4625 (failed logon)
  • Domain controller authentication records: 4776 (NTLM credential validation) and 4768/4769 (Kerberos ticket requests), which show which accounts authenticate with NTLM when Kerberos would be expected
  • Privileged account usage, including 4672 (special privileges assigned to a new logon) and administrative logon activity
  • Remote access or remote administration evidence between Windows systems (SMB admin shares, WinRM, RPC, RDP)
  • Endpoint process and security telemetry that can support investigation of suspicious lateral movement

Detection direction

  • Validate that logs exist for Windows lateral authentication paths relevant to Pass the Hash, especially on domain controllers, servers, and administrative workstations.
  • Baseline normal privileged administration so unusual source hosts, destination systems, account use, or timing can be reviewed with lower false-positive risk.
  • Correlate authentication events with endpoint activity and asset context; a hash-based logon produces the same successful Event ID 4624 as a password logon, so the signal lies in the context (an NTLM network logon by a domain account where Kerberos is expected, an unfamiliar source host, an unusual time) rather than in the logon record itself. Hosts addressed by IP address instead of hostname commonly fall back to NTLM as well, so NTLM use on its own is a weak indicator.
  • Avoid relying only on tool-name or file-based detection because the official object provides no detection guidance and the behavior is represented through the related technique.
  • Use the APT1 relationship as historical threat-intelligence context only; do not treat it as evidence of current activity in the environment.
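The detection direction above, as an added worked example: this is not code from the ATT&CK page, from MITRE or from Glexia, but one way to run the "context, not success" logic over Windows Security Event ID 4624 records after they have been exported to a SIEM or a hunting notebook. It assumes the records arrive as dictionaries carrying the 4624 EventData field names, that CORP is the only domain whose accounts should authenticate with Kerberos internally, and that ADMIN_BASELINE (a constructed stand-in for your own baselining) lists the hosts each privileged account normally administers from. The KeyLength 0 check is a commonly cited pass-the-hash heuristic, not a guarantee, which is why a single indicator never flags on its own.

```python
"""Hunt for T1550.002 indicators in Windows Security Event ID 4624 records.

Added example (not from the ATT&CK page, MITRE or Glexia). A hash-based logon
produces the same successful 4624 as a password logon, so this scores context:
an NTLM network logon by a domain account where Kerberos is expected, a
reported KeyLength of 0 (no NTLM session key negotiated; a commonly cited
pass-the-hash indicator), and a source host outside the account's admin
baseline. One indicator alone is routine noise; two or more are worth a look.
"""

DOMAIN_NAMES = {"CORP"}  # assumed: domains whose accounts should use Kerberos internally

# Assumed baseline (constructed): privileged account -> hosts/IPs it normally works from.
ADMIN_BASELINE = {"SVC_ADMIN": {"ADMIN-JUMP01", "10.0.5.10"}}

# Constructed sample 4624 records shaped like the EventData fields; not real telemetry.
SAMPLE_EVENTS = [
    {"EventRecordID": 1001, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "WorkstationName": "-", "IpAddress": "10.0.1.15", "KeyLength": 0},
    {"EventRecordID": 1002, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "backupsvc", "TargetDomainName": "FILESRV01",
     "WorkstationName": "NASBOX", "IpAddress": "10.0.2.40", "KeyLength": 128},
    {"EventRecordID": 1003, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "WorkstationName": "-", "IpAddress": "10.0.1.22", "KeyLength": 0},
    {"EventRecordID": 1004, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_admin", "TargetDomainName": "CORP",
     "WorkstationName": "ADMIN-JUMP01", "IpAddress": "10.0.5.10", "KeyLength": 128},
    {"EventRecordID": 1005, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_admin", "TargetDomainName": "CORP",
     "WorkstationName": "WS-FINANCE07", "IpAddress": "10.0.9.77", "KeyLength": 0},
    {"EventRecordID": 1006, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "WS01$", "TargetDomainName": "CORP",
     "WorkstationName": "WS01", "IpAddress": "10.0.1.15", "KeyLength": 128},
]


def pth_indicators(ev, admin_baseline=ADMIN_BASELINE):
    """Return the reasons one 4624 record looks like pass-the-hash; [] means nothing to see."""
    if ev["LogonType"] != 3 or ev["AuthenticationPackageName"].upper() != "NTLM":
        return []  # Kerberos, interactive and service logons are out of scope for this heuristic
    user = ev["TargetUserName"].upper()
    domain = ev["TargetDomainName"].upper()
    if user in {"ANONYMOUS LOGON", "-"} or user.endswith("$"):
        return []  # anonymous and machine-account NTLM is routine noise
    if domain not in DOMAIN_NAMES:
        return []  # local account on the target: NTLM is the only option there
    reasons = ["NTLM network logon by a domain account where Kerberos is expected"]
    if ev["KeyLength"] == 0:
        reasons.append("KeyLength 0: no NTLM session key negotiated (commonly cited PtH indicator)")
    sources = {ev["WorkstationName"].upper(), ev["IpAddress"]}
    # Only accounts we have baselined count as privileged; an unknown source host for one of them is a signal.
    if user in admin_baseline and not sources & admin_baseline[user]:
        reasons.append(f"source {ev['WorkstationName']} ({ev['IpAddress']}) is outside {user}'s admin baseline")
    return reasons


def hunt(events, admin_baseline=ADMIN_BASELINE, min_reasons=2):
    """Flag records carrying at least min_reasons indicators; one alone is too noisy to page on."""
    hits = []
    for ev in events:
        reasons = pth_indicators(ev, admin_baseline)
        if len(reasons) >= min_reasons:
            hits.append({
                "EventRecordID": ev["EventRecordID"],
                "user": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
                "source": f"{ev['WorkstationName']} ({ev['IpAddress']})",
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"record {hit['EventRecordID']}: {hit['user']} from {hit['source']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run as written, only record 1005 is flagged (svc_admin over NTLM, KeyLength 0, from a finance workstation that is not in its baseline); the Kerberos logon, the local account on FILESRV01, the anonymous logon, the machine account and the admin's normal jump host all fall through. Swap SAMPLE_EVENTS for a real export and ADMIN_BASELINE for the output of your own baselining, and raise min_reasons if the NTLM-by-IP fallback is common in the environment.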

Mitigation priorities

  • Reduce exposure of privileged credential material through least privilege, administrative tiering, and limiting where privileged accounts can log on (for example, deny network and interactive logon for the highest-tier accounts on ordinary workstations).
  • Harden Windows credential handling and remote administration paths in line with organizational standards and the related Pass the Hash risk: unique local administrator passwords per host (for example via LAPS) so one local hash does not unlock a fleet, the Protected Users group and Credential Guard for privileged accounts, and NTLM auditing or restriction where the environment allows it.
  • Segment critical systems so a reused or stolen hash cannot easily support broad lateral movement.
  • Ensure incident response procedures include rapid review of privileged account activity, containment of affected hosts, and credential reset or rotation decisions where evidence supports them; a stolen hash stays valid until the password behind it changes, so rotation, not host cleanup alone, is what invalidates it.
  • Maintain audit-ready evidence showing that identity controls, logging, and monitoring are in place for lateral movement scenarios.

Analyst notes and limits

This tool is described by ATT&CK as allowing an adversary to pass a password hash to log in without knowing the original password. The strongest operational context comes from its relationship to T1550.002 Pass the Hash and the historical relationship indicating APT1 used the object, both sourced to the Mandiant APT1 report.

The tool object does not specify platforms, tactics, aliases, labels, or official detection guidance. Windows and lateral-movement framing come from the related Pass the Hash technique, not from the tool fields alone. Local telemetry, account architecture, and administrative practices are required to assess actual exposure and coverage.

Official MITRE ATT&CK definition

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1550.002 | Pass the Hash | Sub-technique. Pass-The-Hash Toolkit can perform pass the hash. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise): G0006 APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 80176b1a059476a2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 80176b1a0594…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
  2. [2] MITRE ATT&CK. Software S0122: Pass-The-Hash Toolkit (source object on attack.mitre.org).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.