rss-bridge 2026-02-12T07:36:07+00:00

Active Directory Attacks Demystified: Pass-the-Hash (PtH), Pass-the-Ticket (PtT), and Beyond


Prashant Sheshnaryan Pawar, Lead Threat Research Engineer, Qualys

February 11, 2026 - 13 min read

Table of Contents

  • Key Takeaways
  • Introduction
  • The Basic Structure of Active Directory
  • Active Directory Attack Paths
  • Pass-the-Hash (PtH) Attack
  • Pass-the-Ticket (PtT) Attack
  • Privilege Escalation Attack for Domain Take Over
  • How Qualys ETM Identity Detects These Types of Attacks
  • Conclusion
  • Contributors

Key Takeaways

  • Active Directory attacks are identified as a significant threat in enterprise environments, with 74% of breaches involving compromised identities according to the Verizon DBIR 2025.
  • Pass-the-Hash (PtH) attacks facilitate lateral movement by allowing the reuse of stolen NTLM hashes without cracking passwords, which can lead to privilege escalation and domain compromise.
  • Pass-the-Ticket (PtT) attacks use stolen Kerberos tickets (TGT/TGS) to impersonate users, enabling stealthy persistence and access until the tickets expire.
  • Active Directory attacks typically follow this sequence: initial access → credential dumping (LSASS) → PtH or PtT → lateral movement → privilege escalation → domain takeover. Techniques such as Kerberoasting, golden/silver tickets, DCSync, and weak ACLs extend these attacks by abusing existing permissions to create hidden escalation routes.
  • Qualys ETM Identity offers continuous visibility into identity risk across Active Directory, Entra ID, and Okta, detecting toxic privileges, attack paths, and exploitable conditions. Mitigation strategies generally advocate for least-privilege enforcement, NTLM restriction, Kerberos hardening, and real-time monitoring. Qualys ETM Identity supports these efforts by automating detection and response.
  • The Qualys ETM Identity approach shifts defense from reactive to proactive by mapping Active Directory attack paths and validating their exploitability, helping prevent domain dominance.

Introduction

Active Directory (AD) remains the backbone of identity and access management for most enterprises, controlling authentication, authorization, and access across users, endpoints, servers, and applications. Because of this central role, Active Directory is also one of the most targeted components in enterprise environments.

Modern attackers rarely rely on noisy malware or brute-force techniques. Instead, they exploit identity-based weaknesses, steal credentials, abuse authentication protocols, and move laterally across systems until they achieve domain dominance. Techniques such as Pass-the-Hash (PtH), Pass-the-Ticket (PtT), Kerberoasting, and token manipulation allow adversaries to impersonate legitimate users and administrators, often without triggering traditional security alerts.

Phishing and social engineering remain the most common entry points, enabling attackers to compromise credentials or deploy malware. Once inside, attackers leverage stolen identities to escalate privileges and expand access across the environment. A single compromised credential can quickly lead to full domain compromise if identity exposures and privilege relationships are not continuously monitored.

These identity-driven attacks typically follow a predictable pattern:

Initial Access → Credential Dumping (LSASS) → Pass-the-Hash or Pass-the-Ticket → Lateral Movement → Privilege Escalation → Domain Takeover → Ransomware or Malware Deployment

Qualys Enterprise TruRisk Management (ETM) addresses this challenge by shifting the focus from isolated security events to continuous identity risk visibility and attack path analysis. Rather than treating credential abuse as a post-breach activity, Qualys ETM helps organizations identify exposed credentials, detect risky privilege paths, and understand how attackers can chain identity weaknesses together to reach critical assets such as domain controllers.

Understanding how attacks like Pass-the-Hash and Pass-the-Ticket work and how to detect and mitigate them early is essential to securing Active Directory and preventing domain-wide compromise.




The Basic Structure of Active Directory

To understand AD attacks, it helps to first understand how Active Directory is structured.

Active Directory is Microsoft’s identity and access management (IAM) service for Windows-based enterprise environments. Active Directory operates as a centralized identity system built on several core components:

  • Domain Controllers (DCs): Authenticate users and enforce policies
  • Users and Groups: Control access to systems and resources
  • Service Accounts: Enable applications and services to run
  • Kerberos and NTLM Authentication: Validate identity and grant access
  • Group Policy Objects (GPOs): Enforce security configurations across systems

When a user logs in, AD validates credentials and issues authentication tokens or tickets that allow access to resources across the environment.

This centralized trust model simplifies administration, but it also means that if attackers compromise identity credentials, they can move across systems with minimal resistance.

Active Directory Attack Paths

Modern attackers do not immediately target domain controllers. Instead, they follow attack paths: sequences of steps that gradually increase access and privileges. An attack path is any chain of misconfigurations, excessive privileges, or trust relationships that an attacker can pivot through to escalate privileges step by step, often with the end goal of Domain Admin or Enterprise Admin control.

A typical AD attack path may include:

  • Initial compromise of a user endpoint
  • Credential harvesting from memory or disk
  • Lateral movement across systems
  • Privilege escalation to administrative accounts
  • Domain takeover and persistence

Common contributors include:

  • Pass-the-Hash attack
  • Pass-the-Ticket attack
  • Silver ticket attack
  • Golden ticket attack
  • DCSync and DCShadow attacks
  • Weak Access Control Lists (ACLs) on AD objects that allow privilege escalation

This blog covers three primary attack techniques: Pass-the-Hash, Pass-the-Ticket, and related privilege escalation paths in the post-exploitation phase.

Pass-the-Hash (PtH) Attack

Pass-the-Hash is a credential-replay technique in which an attacker authenticates using a user’s NTLM hash instead of their plaintext password. In Windows environments, passwords are stored and processed as hash values. If attackers extract these hashes from memory (for example, from LSASS), they can reuse them directly for authentication without cracking the original password.

Admins often log in to user systems for troubleshooting, maintenance, or support activities. This admin logon is what makes Pass-the-Hash possible on that system: only after it does the admin’s NTLM hash reside in LSASS, where it can be harvested. Windows accepts NTLM hashes directly for NTLM-based authentication, so the hash alone is sufficient to authenticate.

If an attacker compromises a system and extracts hashed credentials (e.g., via LSASS dumping), they can use those hashes to authenticate to other systems without ever cracking the password.

Tools such as Mimikatz, Rubeus, Impacket, or PsExec are commonly used to perform PtH. Below is a diagrammatic representation of PtH.
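As an added defender-side illustration (not part of the original post or of Qualys ETM), the following Python snippet runs two common PtH detection heuristics over a constructed batch of Windows Security 4624 logon events: the local Logon Type 9 / `seclogo` / `Negotiate` pattern that credential-injection tooling leaves on the source host, and an NTLM network-logon fan-out where one account reaches several hosts from a single source in a short window. Host names, account names, IPs and timestamps are invented, and the field names are simplified forms of the 4624 event data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4624 (successful logon) events; not real telemetry.
# "type" = Logon Type, "proc" = Logon Process, "pkg" = Authentication Package.
EVENTS = [
    {"time": "2026-02-11T09:00:05", "host": "WS01", "id": 4624, "type": 9,
     "user": "Node01\\admin", "proc": "seclogo", "pkg": "Negotiate", "src": "127.0.0.1"},
    {"time": "2026-02-11T09:00:40", "host": "FS01", "id": 4624, "type": 3,
     "user": "Node01\\admin", "proc": "NtLmSsp", "pkg": "NTLM", "src": "10.0.0.15"},
    {"time": "2026-02-11T09:01:10", "host": "SQL01", "id": 4624, "type": 3,
     "user": "Node01\\admin", "proc": "NtLmSsp", "pkg": "NTLM", "src": "10.0.0.15"},
    {"time": "2026-02-11T09:01:55", "host": "DC01", "id": 4624, "type": 3,
     "user": "Node01\\admin", "proc": "NtLmSsp", "pkg": "NTLM", "src": "10.0.0.15"},
    {"time": "2026-02-11T09:30:00", "host": "FS01", "id": 4624, "type": 3,
     "user": "Node01\\jdoe", "proc": "NtLmSsp", "pkg": "NTLM", "src": "10.0.0.22"},
]

def detect_pth_injection(events):
    """Heuristic: injecting a hash into a new logon session (e.g. runas /netonly
    style tooling) logs a 4624 with Logon Type 9 (NewCredentials), Logon Process
    'seclogo' and Authentication Package 'Negotiate' on the source host."""
    return [e for e in events
            if e["id"] == 4624 and e["type"] == 9
            and e["proc"].lower() == "seclogo" and e["pkg"] == "Negotiate"]

def detect_ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """Heuristic: one account performing NTLM network logons (Type 3) from one
    source IP to >= min_hosts distinct hosts inside `window` looks like
    hash-based lateral movement rather than normal admin activity."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] == 3 and e["pkg"] == "NTLM":
            by_key[(e["user"], e["src"])].append(
                (datetime.fromisoformat(e["time"]), e["host"]))
    hits = []
    for (user, src), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append({"user": user, "src": src, "hosts": sorted(hosts)})
                break
    return hits

if __name__ == "__main__":
    for hit in detect_pth_injection(EVENTS) + detect_ntlm_fanout(EVENTS):
        print("ALERT", hit)
```

Tune `min_hosts` and `window` against your own baseline, since legitimate admin tooling (patching, inventory scans) can also fan out quickly; exempting known service accounts and management hosts keeps the rule useful.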

Fig. 1: PtH Attack Workflow

Setup: A local lab environment where “Node01\admin” is a regular domain user and

[...]

