What is Pass-the-Key?


Updated on September 11, 2025

Pass-the-Key is a credential theft technique against the Kerberos authentication protocol. Instead of a password, the attacker steals a user's Kerberos encryption keys (the long-term keys the client derives from the password) from memory on a compromised host and replays them to the Key Distribution Center to obtain tickets, and therefore access, as that user. The plaintext password is never needed. The RC4 form of the key is the NT hash itself, which is why the technique is also known as Overpass-the-Hash.

This attack technique has become increasingly relevant as organizations rely heavily on Active Directory environments. Security professionals need to understand the mechanics of Pass-the-Key attacks to implement effective detection and prevention strategies.


Definition and Core Concepts

Pass-the-Key is a post-compromise attack in which a threat actor extracts a user's Kerberos encryption keys from the memory of a compromised system and uses them to complete the Kerberos AS exchange, obtaining a Ticket Granting Ticket (TGT) for that user. With a genuine TGT in hand, the attacker's tooling requests service tickets and builds authenticators exactly as a legitimate client would, so services grant access to the impersonated account without the password ever being known.

Kerberos Protocol

Kerberos authenticates users with tickets and symmetric keys. Each account has a long-term key derived from its password (AES256, AES128 or RC4; the RC4 key is identical to the NT hash). In the AS exchange the client proves possession of that key to the KDC, normally by encrypting a timestamp with it, and receives a TGT together with a short-lived session key. Pass-the-Key targets the long-term key: whoever holds it can repeat the AS exchange and be issued fresh tickets.

Session Key

A session key is a temporary, symmetric key generated by the Key Distribution Center (KDC) and delivered with each ticket to protect traffic between a client and a service. It lives only as long as the ticket it was issued with (10 hours for a TGT in a default Active Directory domain). It is distinct from the account's long-term key, which changes only when the password changes. Pass-the-Key steals the long-term key; the tickets and session keys cached in the same memory are what a Pass-the-Ticket attack reuses.

Authenticator

An authenticator is a structure encrypted with a ticket's session key that a client sends alongside the ticket to prove it holds that key and that the request is fresh. It contains the client principal name, realm and a timestamp, which the service checks against its clock-skew limit (five minutes by default). In a Pass-the-Key attack the attacker's tooling produces authenticators the same way a normal client does, because the stolen long-term key lets it obtain genuine tickets and session keys from the KDC.

Lateral Movement

Lateral movement refers to the technique of an attacker moving from one compromised machine to another within a network. Pass-the-Key attacks enable lateral movement by allowing attackers to authenticate to additional services using stolen session keys.

How It Works

Pass-the-Key attacks follow a predictable sequence that security teams can monitor and detect.

Initial Compromise

An attacker gains initial access to a machine with one or more logged-on users. This compromise typically occurs through phishing, exploit kits or other initial access vectors. The attacker must then obtain local administrator rights (or equivalent privileges such as SeDebugPrivilege) on the compromised system to read the memory where credentials are stored.

Credential Dumping

The attacker uses a tool such as Mimikatz (module sekurlsa::ekeys) to read the Kerberos encryption keys of every logged-on account from the Local Security Authority Subsystem Service (LSASS) process. The output lists, per logon session, the AES256, AES128 and RC4 keys, the last of which equals the account's NT hash. Reading LSASS memory requires administrative privileges; if LSASS runs as a protected process (RunAsPPL) or Credential Guard is enabled, the keys are not readable this way without additional bypasses.

Windows keeps these keys in LSASS for as long as the user's logon session exists, because the Kerberos client needs them to renew tickets and re-authenticate to the KDC. Cached TGTs and their session keys sit in the same process and are what Pass-the-Ticket reuses.

Key Reuse

The attacker feeds a stolen key, together with the user name and domain, to a tool that performs the AS exchange with that key. The tool encrypts a current timestamp under the key to satisfy pre-authentication, and the KDC, which holds the same key for that account, returns a TGT and session key. Examples of this step are Mimikatz sekurlsa::pth with an /aes256: or /ntlm: argument, Rubeus asktgt /aes256: (or /rc4:), and Impacket's getTGT.py with -aesKey or -hashes. When only the RC4 key is used, the step is Overpass-the-Hash: an NTLM hash turned into a Kerberos ticket.

The key stays valid until the account's password changes, so the attacker can obtain as many fresh TGTs as needed. Each TGT then yields service tickets, and the authenticators that accompany them, for any Kerberos-enabled service in the domain.

Impersonation

The tickets obtained with the stolen key are presented to file shares, remote desktop, database servers or any other Kerberos-enabled service. The service decrypts the ticket with its own key, validates the authenticator and grants access to the impersonated user's resources.

On the service and the domain controller the traffic is indistinguishable from a normal logon, because as far as Kerberos is concerned it is one; the attack abuses the KDC's trust that anyone holding the key is the user. The trace that does exist is on the host where the key was used. For example, Mimikatz sekurlsa::pth starts a process under a new logon session, which appears as a 4624 event with logon type 9 and logon process name seclogo.

Lateral Movement

The attacker can use this access to move laterally through the network, accessing more resources and potentially dumping more credentials to expand their control. Each newly compromised system provides additional session keys and user credentials for further attacks.

Key Features and Components

Pass-the-Key attacks have distinct characteristics that differentiate them from other credential theft techniques.

Memory-Based Attack

The attack reads keys from a system's volatile memory (RAM) rather than from the on-disk credential stores (the SAM database or NTDS.dit). Keys are present only while a user has a logon session on that host, so the attacker harvests whatever accounts happen to be logged on, which is why an administrator who signs in to a compromised workstation hands over the most valuable keys.

Bypasses Password

Pass-the-Key is a post-compromise attack that needs neither the password nor any password cracking. What the attacker reuses is the password-derived Kerberos key itself: for AES, a PBKDF2-derived key that cannot be turned back into the password; for RC4, the NT hash, which is exactly the secret that Pass-the-Hash reuses. The KDC accepts possession of the key as proof of identity, so the attacker never has to pull the hash from the SAM or NTDS.dit databases or guess the password.
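The following is an added example, not code from the article or from any of the tools it mentions. It models the Key Reuse step above and the "no password needed" property just described: a KDC that holds an account's RC4-HMAC key (the NT hash) accepts an encrypted-timestamp pre-authentication built from a copy of that key alone, while rejecting a wrong key and a stale timestamp. The sample password "Summer2025!", the fixed clock and the hex-key handling are constructed for the example; real clients DER-encode the timestamp and real KDCs also check the account's state, neither of which is modelled here.

```python
"""Kerberos AS-REQ pre-authentication with a dumped key (added example, not from the
article). RC4-HMAC (etype 23, RFC 4757) is implemented in pure Python, and the timestamp
is encrypted as a bare KerberosTime string instead of the DER-encoded PA-ENC-TS-ENC."""
import hashlib
import hmac
import os
import struct
from datetime import datetime, timedelta, timezone

MASK = 0xFFFFFFFF
KU_PA_ENC_TIMESTAMP = 1  # RFC 4120 key usage number for PA-ENC-TIMESTAMP

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often disabled under OpenSSL 3."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, add = (b & c) | (~b & MASK & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = (b & c) | (b & d) | (c & d), r2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = b ^ c ^ d, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + add) & MASK, s), b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the account's RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757: output = HMAC-MD5(K1, conf||data) || RC4(K3, conf||data), K1 = HMAC-MD5(key, usage)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; raises ValueError on a wrong key or tampered data."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, body = ciphertext[:16], ciphertext[16:]
    data = rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        raise ValueError("RC4-HMAC integrity check failed")
    return data[8:]  # strip the 8-byte confounder

def build_pa_enc_timestamp(client_key: bytes, now: datetime) -> bytes:
    """Client side of the AS exchange: prove key possession by encrypting the current time."""
    return rc4_hmac_encrypt(client_key, KU_PA_ENC_TIMESTAMP, now.strftime("%Y%m%d%H%M%SZ").encode())

def kdc_verify_preauth(stored_key: bytes, blob: bytes, now: datetime, max_skew_s: int = 300) -> bool:
    """KDC side: decrypt with the key on file for the principal and enforce the clock-skew limit."""
    try:
        ts = rc4_hmac_decrypt(stored_key, KU_PA_ENC_TIMESTAMP, blob).decode()
        sent = datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except (ValueError, UnicodeDecodeError):
        return False
    return abs((now - sent).total_seconds()) <= max_skew_s

def demo() -> dict:
    """Constructed scenario: the KDC derives its key from a sample password; the attacker
    holds only the 16-byte hex key as a dumper would print it, never the password."""
    kdc_key = nt_hash("Summer2025!")
    dumped_key = bytes.fromhex(kdc_key.hex())  # stands in for the rc4_hmac_nt line of a key dump
    now = datetime(2025, 9, 11, 12, 0, 0, tzinfo=timezone.utc)
    return {
        "dumped_key": kdc_verify_preauth(kdc_key, build_pa_enc_timestamp(dumped_key, now), now),
        "wrong_key": kdc_verify_preauth(kdc_key, build_pa_enc_timestamp(nt_hash("Winter2025!"), now), now),
        "stale_blob": kdc_verify_preauth(kdc_key, build_pa_enc_timestamp(dumped_key, now - timedelta(minutes=10)), now),
    }

if __name__ == "__main__":
    print(demo())  # {'dumped_key': True, 'wrong_key': False, 'stale_blob': False}
```

The KDC never sees a password in this exchange, only evidence that the sender can encrypt with the key it has on file, which is why a key copied out of LSASS is as good as the password. The stale-timestamp case is the same freshness check that makes a captured pre-authentication blob useless for replay; it does nothing against an attacker who holds the key and can mint a new one.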

Stealthy

Because the attacker holds a genuine key and obtains genuine tickets, the authentication traffic and the resulting 4768 and 4769 events on the domain controller look like normal Kerberos activity. Tools that inspect only the protocol see nothing abnormal, and the attack adds little network traffic. The observable differences are contextual: an RC4 ticket request for an account that otherwise uses AES, a request from a host the user never logs on to, or the logon-type-9 session created on the source machine.

Kerberos-Specific

This attack targets the Kerberos exchange, whereas Pass-the-Hash replays an NTLM hash in NTLM challenge-response authentication. The two overlap: the RC4 Kerberos key is the NT hash, so an attacker with an NT hash can choose either protocol, and disabling NTLM alone does not stop the Kerberos path. Enforcing AES-only Kerberos for an account (for example through the Protected Users group) closes the RC4 variant; the AES-key variant remains wherever the keys can be read from memory.


Use Cases and Applications

Security professionals encounter Pass-the-Key attacks in several contexts within cybersecurity operations.

Post-Exploitation

Pass-the-Key serves as a powerful post-exploitation technique used by attackers to maintain persistence and move through a network after an initial breach. Advanced Persistent Threat (APT) groups commonly use this technique during the credential access phase of their attack chains.

MITRE ATT&CK groups this technique with other credential reuse under T1550 (Use Alternate Authentication Material): the Pass the Hash sub-technique (T1550.002) describes the Overpass-the-Hash variant, and Pass the Ticket is T1550.003. T1558 (Steal or Forge Kerberos Tickets), which includes Golden Ticket (T1558.001) and Kerberoasting (T1558.003), covers different attacks. T1550 sits under the Defense Evasion and Lateral Movement tactics.

Penetration Testing

Ethical hackers use this method to demonstrate the risk of credential theft on a network. Red team exercises incorporate Pass-the-Key attacks to test an organization’s detection capabilities and incident response procedures.

Penetration testers use tools like Mimikatz, Rubeus, and Impacket to simulate these attacks in controlled environments. These tests help organizations understand their exposure to credential-based attacks.

Cyberattacks

Pass-the-Key is a well-known credential access technique used by attackers for lateral movement and privilege escalation in Active Directory environments. Threat actors use this technique to expand their access within compromised networks.

Real-world attack campaigns have demonstrated the effectiveness of Pass-the-Key techniques in maintaining persistent access to enterprise networks.

Advantages and Trade-offs

Understanding the attack from an adversary’s perspective helps security teams anticipate and defend against these techniques.

Advantages

  • Stealthy: The attack is difficult to detect because it uses valid session keys and follows legitimate authentication protocols. Network monitoring tools may not flag the authentication attempts as suspicious.
  • Effective: The technique grants attackers access to resources without knowing the user’s password. This effectiveness makes it valuable for lateral movement and privilege escalation activities.
  • Versatile: Stolen session keys can authenticate to a wide range of services that use Kerberos authentication. This versatility provides attackers with broad access to network resources.

Trade-offs

  • Requires Initial Access: The attacker must first gain privileged access to a machine to dump session keys from memory. This prerequisite limits the attack to post-compromise scenarios.
  • Tied to the Password: The stolen key is only as durable as the password it was derived from. A password change or reset invalidates it immediately, and the tickets obtained with it expire on their normal schedule (10 hours for a TGT by default), so an attacker who wants lasting access must keep re-requesting tickets or establish a more persistent foothold.
  • Detection Risk: Memory dumping activities can trigger security alerts from Endpoint Detection and Response (EDR) solutions and other monitoring tools.

Troubleshooting and Considerations

Security teams must implement comprehensive strategies to detect and prevent Pass-the-Key attacks.

Mitigation

  • Endpoint Detection and Response (EDR): EDR solutions can detect tools like Mimikatz reading credentials from memory. They monitor process behavior, in particular handles opened to LSASS with memory-read access, and the in-memory signatures of known dumpers.
  • Credential Guard: Microsoft’s Credential Guard uses virtualization-based security to move NTLM hashes, Kerberos keys and TGTs out of LSASS into an isolated process that even administrative code in the normal operating system cannot read. With it enabled, key dumping from LSASS yields no usable keys.
  • Least Privilege: Reading LSASS memory requires local administrator rights (SeDebugPrivilege), so removing standing admin rights from everyday user accounts, and keeping domain administrators from logging on to workstations, limits both who can dump keys and which keys are there to be dumped. Running LSASS as a protected process (the RunAsPPL setting) raises the bar further.
  • Protected Users Group: Members of the Protected Users security group cannot authenticate with NTLM, DES or RC4, cannot be delegated, and receive TGTs limited to four hours. For these accounts the RC4 (Overpass-the-Hash) variant fails outright; AES keys are still cached in LSASS unless Credential Guard is also in place.

Considerations

  • Monitoring: On endpoints, alert on processes opening LSASS with read access and on 4624 logons with logon type 9 and logon process name seclogo, the session Mimikatz sekurlsa::pth creates. On domain controllers, alert on 4768 TGT requests with encryption type 0x17 (RC4) for accounts whose normal requests use AES, and on TGT requests for an account from hosts it never uses.
  • Regular Audits: Regularly audit and remove stale credentials to reduce the attack surface. This includes cleaning up old computer accounts, service accounts, and user accounts that are no longer needed.
  • Network Segmentation: Implementing network segmentation limits the impact of lateral movement attacks. Even if attackers obtain session keys, segmentation can prevent access to critical network resources.
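As an added example (not the article's own tooling), here is how the monitoring points above turn into rules over Windows Security events. The events, host names and addresses are constructed; the field names are those of the 4624 and 4768 event data. Two of the three rules need the account's own history, so the batch is scanned as a whole rather than event by event.

```python
"""Pass-the-Key / Overpass-the-Hash indicators in Windows Security events (added example,
not from the article). Sample events are constructed; field names follow the event data
schema of 4624 (logon) and 4768 (Kerberos TGT requested)."""
from typing import Dict, List

# Constructed sample telemetry (not real logs): a normal workday for alice, then a
# sekurlsa::pth-style logon on WS07 followed by an RC4 TGT request from a new address.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=10.0.0.25 TimeCreated=2025-09-11T08:00:01Z
EventID=4624 TargetUserName=alice LogonType=2 LogonProcessName=User32 AuthenticationPackageName=Negotiate WorkstationName=WS01 TimeCreated=2025-09-11T08:00:00Z
EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=10.0.0.25 TimeCreated=2025-09-11T09:15:44Z
EventID=4624 TargetUserName=alice LogonType=9 LogonProcessName=seclogo AuthenticationPackageName=Negotiate WorkstationName=WS07 TimeCreated=2025-09-11T13:02:10Z
EventID=4768 TargetUserName=alice TicketEncryptionType=0x17 IpAddress=10.0.0.77 TimeCreated=2025-09-11T13:02:12Z
EventID=4768 TargetUserName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.30 TimeCreated=2025-09-11T13:05:00Z
"""

AES_ETYPES = {"0x11", "0x12"}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
RC4_ETYPE = "0x17"             # rc4-hmac: the key is the NT hash

def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn one 'key=value ...' event per line into dicts, ordered by TimeCreated."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(field.split("=", 1) for field in line.split()))
    return sorted(events, key=lambda e: e["TimeCreated"])

def find_pth_logons(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: 4624 with LogonType 9 (NewCredentials) from logon process 'seclogo', the
    session sekurlsa::pth creates on the source host. A legitimate runas /netonly also
    yields type 9, so LogonProcessName is the discriminator."""
    return [
        {"rule": "pth_logon", "user": e["TargetUserName"], "host": e["WorkstationName"], "time": e["TimeCreated"]}
        for e in events
        if e["EventID"] == "4624" and e.get("LogonType") == "9" and e.get("LogonProcessName", "").lower() == "seclogo"
    ]

def find_tgt_anomalies(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rules 2 and 3 on 4768 events, each judged against the account's own history in the
    batch: an RC4 request for an account that had only ever used AES (an attacker holding
    just the NT hash must ask for RC4), and a request from a source address the account
    had not used before. Accounts with no history, such as svc_legacy, produce nothing,
    which keeps RC4-only legacy accounts from flooding the queue."""
    etypes, sources, findings = {}, {}, []
    for e in events:
        if e["EventID"] != "4768":
            continue
        user, etype, src = e["TargetUserName"], e["TicketEncryptionType"], e["IpAddress"]
        seen_etypes = etypes.setdefault(user, set())
        seen_sources = sources.setdefault(user, set())
        if etype == RC4_ETYPE and seen_etypes and seen_etypes <= AES_ETYPES:
            findings.append({"rule": "etype_downgrade", "user": user, "src": src, "time": e["TimeCreated"]})
        if seen_sources and src not in seen_sources:
            findings.append({"rule": "new_source_ip", "user": user, "src": src, "time": e["TimeCreated"]})
        seen_etypes.add(etype)
        seen_sources.add(src)
    return findings

def scan(text: str = SAMPLE_EVENTS) -> List[Dict[str, str]]:
    events = parse_events(text)
    return find_pth_logons(events) + find_tgt_anomalies(events)

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Each rule has a blind spot worth knowing. Rule 2 only fires when the attacker holds nothing better than the NT hash; a dumped AES256 key (Rubeus asktgt /aes256:, Impacket -aesKey) produces a 0x12 request that looks exactly like the user's own. Rule 1 only fires for tools that create a local logon session; a tool that sends the AS-REQ straight to the KDC from the attacker's host leaves no 4624 behind, and then the new-source rule is the one that can still catch it, provided a baseline for the account exists.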

Key Terms Appendix

  • Kerberos Protocol: A network authentication protocol that uses tickets and symmetric key cryptography to provide secure authentication over non-secure networks.
  • Session Key: A temporary, symmetric cryptographic key generated by the Key Distribution Center, issued together with a ticket and used to secure communication between a client and a service for the ticket's lifetime.
  • Long-term Key: The Kerberos encryption key (AES256, AES128 or RC4) derived from an account's password and shared with the KDC; it is the key Pass-the-Key steals, and the RC4 form equals the NT hash.
  • Overpass-the-Hash: The Pass-the-Key variant in which an NT hash, used as the RC4 Kerberos key, is turned into a Kerberos TGT; it bridges Pass-the-Hash and Pass-the-Key.
  • Pass-the-Hash (PtH): An attack technique that reuses NTLM password hashes in NTLM authentication to access services without knowing the plaintext password.
  • Pass-the-Ticket (PtT): An attack technique that reuses stolen Kerberos tickets, together with the session keys stored alongside them, to authenticate to services without the password or the long-term key.
  • Lateral Movement: The technique used by attackers to move through a network from one compromised system to another, typically to access additional resources or escalate privileges.
  • LSASS: Local Security Authority Subsystem Service, a Windows process that handles authentication and stores credential material in memory.
