

Active Directory Attacks Demystified: Pass-the-Hash (PtH), Pass-the-Ticket (PtT), and Beyond

Prashant Sheshnaryan Pawar, Lead Threat Research Engineer, Qualys

February 11, 2026 - 13 min read

Table of Contents

- Key Takeaways
- Introduction
- The Basic Structure of Active Directory
- Active Directory Attack Paths
- Pass-the-Hash (PtH) Attack
- Pass-the-Ticket (PtT) Attack
- Privilege Escalation Attack for Domain Take Over
- How Qualys ETM Identity Detects These Types of Attacks
- Conclusion
- Contributors

**Key Takeaways**

- Active Directory attacks are identified as a significant threat in enterprise environments, with 74% of breaches involving compromised identities according to the Verizon DBIR 2025.

- Pass-the-Hash (PtH) attacks facilitate lateral movement by allowing the reuse of stolen NTLM hashes without cracking passwords, which can lead to privilege escalation and domain compromise.

- Pass-the-Ticket (PtT) attacks use stolen Kerberos tickets (TGT/TGS) to impersonate users, enabling stealthy persistence and access until the tickets expire.

- Common Active Directory attack paths typically follow the sequence: initial access → credential dumping (LSASS) → PtH or PtT → lateral movement → privilege escalation → domain takeover. Techniques such as Kerberoasting, golden/silver tickets, DCSync, and weak ACLs extend these attacks by abusing existing permissions to create hidden escalation routes.

- Qualys ETM Identity offers continuous visibility into identity risk across Active Directory, Entra ID, and Okta, detecting toxic privileges, attack paths, and exploitable conditions. Mitigation strategies generally advocate for least-privilege enforcement, NTLM restriction, Kerberos hardening, and real-time monitoring. Qualys ETM Identity supports these efforts by automating detection and response.

- The Qualys ETM Identity approach shifts defense from reactive to proactive by mapping Active Directory attack paths and validating exploitability, helping prevent domain dominance.

**Introduction**

Active Directory (AD) remains the backbone of identity and access management for most enterprises, controlling authentication, authorization, and access across users, endpoints, servers, and applications. Because of this central role, Active Directory is also one of the most targeted components in enterprise environments.

Modern attackers rarely rely on noisy malware or brute-force techniques. Instead, they exploit identity-based weaknesses, steal credentials, abuse authentication protocols, and move laterally across systems until they achieve domain dominance. Techniques such as Pass-the-Hash (PtH), Pass-the-Ticket (PtT), Kerberoasting, and token manipulation allow adversaries to impersonate legitimate users and administrators, often without triggering traditional security alerts.

Phishing and social engineering remain the most common entry points, enabling attackers to compromise credentials or deploy malware. Once inside, attackers leverage stolen identities to escalate privileges and expand access across the environment. A single compromised credential can quickly lead to full domain compromise if identity exposures and privilege relationships are not continuously monitored.

These identity-driven attacks typically follow a predictable pattern:

Initial Access → Credential Dumping (LSASS) → Pass-the-Hash or Pass-the-Ticket → Lateral Movement → Privilege Escalation → Domain Takeover → Ransomware or Malware Deployment

Qualys Enterprise TruRisk Management (ETM) addresses this challenge by shifting the focus from isolated security events to continuous identity risk visibility and attack path analysis. Rather than treating credential abuse as a post-breach activity, Qualys ETM helps organizations identify exposed credentials, detect risky privilege paths, and understand how attackers can chain identity weaknesses together to reach critical assets such as domain controllers.

Understanding how attacks like Pass-the-Hash and Pass-the-Ticket work and how to detect and mitigate them early is essential to securing Active Directory and preventing domain-wide compromise.


**The Basic Structure of Active Directory**

To understand AD attacks, it helps first to understand how Active Directory is structured.

Active Directory is Microsoft’s identity and access management (IAM) service for Windows-based enterprise environments. Active Directory operates as a centralized identity system built on several core components:

- Domain Controllers (DCs): Authenticate users and enforce policies

- Users and Groups: Control access to systems and resources

- Service Accounts: Enable applications and services to run

- Kerberos and NTLM Authentication: Validate identity and grant access

- Group Policy Objects (GPOs): Enforce security configurations across systems

When a user logs in, AD validates credentials and issues authentication tokens or tickets that allow access to resources across the environment.

This centralized trust model simplifies administration, but it also means that if attackers compromise identity credentials, they can move across systems with minimal resistance.

**Active Directory Attack Paths**

Modern attackers do not immediately target domain controllers. Instead, they follow attack paths: chains of misconfigurations, excessive privileges, or trust relationships that an attacker can pivot through to gradually escalate privileges, usually with the end goal of Domain Admin or Enterprise Admin control.

A typical AD attack path may include:

- Initial compromise of a user endpoint

- Credential harvesting from memory or disk

- Lateral movement across systems

- Privilege escalation to administrative accounts

- Domain takeover and persistence

Common contributors include:

- Pass-the-Hash attack

- Pass-the-Ticket attack

- Silver ticket attack

- Golden ticket attack

- DCSync and DCShadow attacks

- Weak Access Control Lists (ACLs) on AD objects that allow privilege escalation

This blog covers three primary attack techniques: Pass-the-Hash, Pass-the-Ticket, and related privilege escalation paths in the post-exploitation phase.

**Pass-the-Hash (PtH) Attack**

Pass-the-Hash is a credential-replay technique in which an attacker authenticates using a user’s NTLM hash instead of their plaintext password. In Windows environments, passwords are stored and processed as hash values. If attackers extract these hashes from memory (for example, from LSASS), they can reuse them directly for authentication without cracking the original password.

Admins often log in to user systems for troubleshooting, maintenance, or support activities. For Pass-the-Hash to be possible, this admin logon is necessary because only then is the admin’s NTLM hash stored in LSASS. Windows accepts NTLM hashes directly for NTLM-based authentication.

If an attacker compromises a system and extracts hashed credentials (e.g., via LSASS dumping), they can use those hashes to authenticate to other systems without ever cracking the password.

Tools such as Mimikatz, Rubeus, Impacket, or PsExec are commonly used to perform PtH. Below is a diagrammatic representation of PtH.

Fig. 1: PtH Attack Workflow

Setup: A local lab environment where “Node01\admin” is a regular domain user and “citrix.local” is a domain controller running Active Directory. We are using “mimikatz” on a local user to attack the DC.

Below are the steps.

- Check privileges (enable debug mode).

- Dump lsass.exe to extract credentials using the sekurlsa::logonpasswords command.

Here we obtained the NTLM hash for the domain controller, which is used in PtH.

- If the extraction is successful, use the command below to pass the hash directly to open cmd.exe.

The above command directly opens cmd.exe. If we check now, it shows Node01\admin, but if we try to access dc60 with PSExec, it connects and shows citrix\administrator as shown below.

The figure below demonstrates how these steps lead to admin access to the domain controller.

Fig. 2: Final Stage of PtH Attack After Domain Admin Access

#### Impact

- Attackers use stolen NTLM password hashes to authenticate without knowing the actual password.

- Enables immediate lateral movement across systems that accept NTLM authentication.

- It can lead to privilege escalation if the compromised hash belongs to an admin or privileged user.

- Hashes don’t expire until the password changes, allowing long-term persistence.

- PTH can ultimately result in full domain compromise when admin hashes are obtained.

#### Mitigation

- Disable or restrict NTLM wherever possible; enforce Kerberos as the default.

- Implement a local administrator password solution (LAPS / LAPS2) to randomize local admin passwords.

- Enforce least privilege—avoid users with admin rights logging into multiple machines.

- Enable SMB signing to reduce NTLM relay risks.

- Regularly rotate privileged passwords / hashes (especially for Tier-0 accounts).

**Pass-the-Ticket (PtT) Attack**

A Pass-the-Ticket (PtT) attack occurs when an attacker retrieves valid Kerberos tickets, such as a Ticket Granting Ticket (TGT) or service tickets (TGS), from the memory of a compromised Windows system. Attackers who obtain these tickets can reuse them to impersonate the user.

Since Kerberos tickets serve as trusted proof of authentication, any system that relies on Kerberos will accept the attacker as the legitimate user, granting them the same level of access the real user would generally have.

Below is a diagrammatic representation of PtT.

Fig. 3: PtT Attack Workflow

Setup: A local lab environment where “citrix\user01” is a regular domain user and “citrix.local” is a domain controller running Active Directory. We are using “mimikatz” on a local user to attack the DC. Below are the steps.

- Check privileges (enable debug mode).

- Use DCSync to get the KRBTGT hash.

- Next, we need the domain SID and the krbtgt hash obtained above.

As shown above, the ticket is generated and saved to a file.

- Now we need to load this ticket as shown below.

- The ticket is loaded. Now, we can access the admin CMD as shown below.

“misc::cmd” – This command opens the Command Prompt as the local user. First, verify the current user and then attempt to connect using PSExec. After establishing the connection, verify the user again. The process is shown below.

We now have admin access, citrix\administrator.

Fig. 4: Final stage of a Pass-the-Ticket (PtT) Attack Workflow

#### Impact

- Attackers use stolen Kerberos TGTs/TGS tickets instead of passwords or hashes.

- TGTs allow adversaries to impersonate any user until the ticket expires (usually hours to days).

- Compromise of a domain controller’s KRBTGT key enables golden ticket attacks, granting unlimited impersonation.

- PtT provides stealthy, difficult-to-detect persistence because logs may show legitimate-looking Kerberos activity.

- This can lead to complete domain takeover if high-privilege tickets are captured.

#### Mitigation

- Enforce Kerberos FAST / Armoring to protect ticket-granting exchanges.

- Reduce ticket lifetime (TGT/TGS) to limit an attacker’s window of opportunity.

- Enable PAC validation to prevent forged tickets.

Below is a screenshot of the Qualys ETM Identity product which detects PtT.

In identity graphs, this relationship is simple but critical:

(User) ──[DCSync]──> (Domain)

If such an identity is ever impersonated, the entire domain is at risk.

Fig. 5: DCSync Detection

**Privilege Escalation Attack for Domain Take Over**

#### The Hidden Path to Domain Admin

At first glance, the access and privileges in this scenario appear to support routine IT operations. In reality, they form a dangerous attack chain that bypasses traditional defenses because each step is technically “allowed,” even though it was never intended to be combined with the others.

The example below illustrates how legitimate permissions, inherited trust relationships, and active privileged sessions can be chained together to create a hidden path to domain dominance without exploiting a single software vulnerability.

#### From Support Desk to Domain Dominance

The compromise begins with Daniel.George, a low-privileged IT support user. He holds no administrative rights and triggers no alerts, but he belongs to the IT-RemoteAccess-Users group. This legitimate access allows him to RDP into WKST-IT-037, a shared administrative workstation used for daily operations.

Shared systems often become ideal pivot points. On this machine, a privileged user, Barry.Jessop, has an active session. At this stage, the attacker does not need to exploit a vulnerability; they simply hijack the exposed identity of a senior administrator. The conditions they encounter:

- No admin rights at first.

- No obvious risk indicators.

- Privileged sessions often remain active.

- Cached credentials

- Multiple trust boundaries collapse into a single machine.

Permissions such as WriteDACL, GenericAll, and WriteOwner are commonly assigned for operational convenience but can introduce significant risk when not continuously monitored. When chained across users, groups, and systems, these permissions create hidden escalation paths that allow attackers to grant themselves elevated privileges, impersonate administrators, and move toward domain takeover, all while operating within legitimate access boundaries.

#### The Silent Threat: WriteDACL & Nested Trust

The attack becomes critical through the abuse of WriteDACL. Because Barry.Jessop has permission to modify the access control list (ACL) of the Citrix-HelpDesk-Tier1-Admin group, the attacker can quietly grant themselves complete control. Unlike adding a user directly to a group, modifying a DACL generates minimal audit noise and often goes unnoticed.

Because this group is nested within Domain Admins for operational convenience, the attacker inherits the keys to the kingdom. This nesting is rarely reviewed, allowing the attacker to slide into the highest tier of privilege unnoticed. With this access, they can:

- Modify the group’s access control list (ACL).

- Grant themselves full control.

- Add themselves to the group without touching membership directly.

#### The Final Blow: DCSync Persistence

Once Domain Admin rights are obtained, the final step is DCSync. The attacker replicates password hashes for every user in the organization and extracts Kerberos secrets. At this stage, the environment is fully compromised, and the attacker has achieved persistent, stealthy control that no traditional tool can see.

The attacker then:

- Replicates password hashes for all users.

- Extracts Kerberos secrets.

- Achieves persistent, stealthy domain control.

- Completes full takeover.

Fig. 6: Qualys ETM Detecting a Privilege Escalation Attack
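To show the attack-path mapping idea on the scenario just described, here is an added Python example (not Qualys ETM code) that searches a constructed identity graph for the route from Daniel.George to citrix.local and reports which hops are choke points, i.e. the single edges a defender can remove to cut every route. The IT-Support-L1 group and the Server-Operators dead end are constructed additions to the post's scenario; the event IDs in the fix text are real Windows Security events.

```python
"""Added example (not Qualys ETM code): attack-path search over an identity
graph modelled on the Daniel.George scenario above. Nodes and edges are
constructed; edge labels are the abuse primitives the post names."""
from collections import defaultdict, deque
EDGES = [  # (source, relationship, target); constructed to match the scenario
    ("Daniel.George", "MemberOf", "IT-RemoteAccess-Users"),
    ("Daniel.George", "MemberOf", "IT-Support-L1"),        # constructed extra group
    ("IT-RemoteAccess-Users", "CanRDP", "WKST-IT-037"),
    ("IT-Support-L1", "CanRDP", "WKST-IT-037"),
    ("WKST-IT-037", "HasSession", "Barry.Jessop"),
    ("Barry.Jessop", "WriteDACL", "Citrix-HelpDesk-Tier1-Admin"),
    ("Citrix-HelpDesk-Tier1-Admin", "MemberOf", "Domain Admins"),
    ("Domain Admins", "DCSync", "citrix.local"),
    ("Barry.Jessop", "MemberOf", "Server-Operators"),       # constructed dead end
]
FIX = {  # what a defender does about each traversable relationship
    "MemberOf": "review nested group membership",
    "CanRDP": "restrict RDP to tiered jump hosts",
    "HasSession": "no Tier-0 logons on shared workstations",
    "WriteDACL": "strip non-owner ACL write rights; alert on ACL changes (5136)",
    "DCSync": "grant replication rights to DCs only; alert on 4662",
}

def build_graph(edges):
    g = defaultdict(list)
    for src, rel, dst in edges:
        g[src].append((rel, dst))
    return g

def shortest_path(graph, start, goal):
    """BFS over relationships; returns hops [(src, rel, dst), ...] or None."""
    parent, q = {start: None}, deque([start])
    while q:
        node = q.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                q.append(nxt)
    return None

def choke_points(edges, start, goal):
    """Hops whose removal alone cuts every route start->goal: the cheapest
    fixes. Returns [(hop, fix_text)]; hops with a parallel route are skipped."""
    path = shortest_path(build_graph(edges), start, goal) or []
    return [(hop, FIX[hop[1]]) for hop in path
            if shortest_path(build_graph([e for e in edges if e != hop]),
                             start, goal) is None]
```

On this graph the two RDP-related hops are not choke points because the constructed second group offers a parallel route, while the shared session, the WriteDACL right, the nested membership and the replication right each cut the path on their own.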

**How Qualys ETM Identity Detects These Types of Attacks**

Qualys Enterprise TruRisk Management (ETM) Identity is a specialized security capability designed to continuously monitor, analyze, and secure an organization’s identity infrastructure. As identity has become the new perimeter, ETM Identity provides unified visibility into identity risk across users, systems, and privilege relationships, helping organizations understand how attackers exploit identity exposures to move toward domain takeover.

Rather than focusing only on isolated events, Qualys ETM Identity evaluates the underlying health and configuration of the identity environment to detect conditions that enable Pass-the-Hash (PtH), Pass-the-Ticket (PtT), and other credential-based attacks.

It focuses on the following areas:

- Lateral Movement Path Mapping: ETM Identity uses graph-based analysis to visualize how a single compromised hash can be used to move across systems. It identifies toxic privilege combinations that enable PtT and PtH attacks.

- Configuration Hygiene (AD/Entra ID): ETM flags identity misconfiguration such as weak NTLM settings or legacy protocol support that allow attackers to easily capture and reuse hashes.

- Real-Time Integrity Monitoring: ETM continuously monitors Active Directory objects for suspicious changes, including unauthorized group membership updates or privilege escalations that often precede or follow PtH and PtT attacks.

- Credential Correlation: ETM correlates identity risk with asset criticality. It flags when privileged accounts are exposed on high-risk or internet-facing systems.

By combining identity visibility, configuration analysis, and attack path detection, Qualys ETM Identity helps organizations identify and break the chains that enable credential abuse and domain compromise.

**Conclusion**

Pass-the-Hash and Pass-the-Ticket attacks thrive in environments where organizations lack visibility into their identity infrastructure. They succeed because they weaponize trust, the very foundation on which Active Directory is built. When credential exposure, misconfigurations, and overprivileged access go unnoticed, attackers can move laterally and escalate privileges without triggering traditional security controls.

Implementing robust identity security posture management enables organizations to detect these risks early, understand the context in which they occur, and systematically eliminate the conditions that allow credential-based attacks. As threat actors increasingly target identity to achieve domain dominance, identity security has evolved from a supporting function into a critical control for enterprise resilience.


**Contributors**

- Makarand Khiste, Threat Research Engineer, Malware Detection Solutions


[Original source](https://blog.qualys.com/product-tech/2026/02/11/qualys-etm-detect-pass-the-hash-pass-the-ticket-attacks)
