The pass-the-hash (PtH) technique is classified under Credential Access in the MITRE ATT&CK framework. Specifically, it aligns with the Credential Access tactic (TA0006) and the technique Use Alternate Authentication Material (T1550), sub-technique Pass the Hash (T1550.002). This classification is based on the attacker's primary objective: abusing stolen credential material, in this case NTLM password hashes, to authenticate to systems without knowing the actual plaintext password.
From a professional cybersecurity and threat hunting perspective, PtH exploits weaknesses in how Windows authentication mechanisms handle credential storage and reuse. When users authenticate to a system, password hashes may be cached in memory, most notably by LSASS (the Local Security Authority Subsystem Service). If an attacker gains administrative or SYSTEM-level access to a host, they can extract these hashes and reuse them to authenticate to other systems across the environment.
Although pass-the-hash is often observed during lateral movement, MITRE intentionally classifies it under Credential Access because the defining action is the theft and misuse of credential material, not the movement itself. Lateral movement is a downstream outcome enabled by the stolen credentials, but the core technique is about accessing and abusing authentication secrets.
This distinction is important for threat hunters and detection engineers. When hunting for PtH activity, defenders focus on indicators such as abnormal NTLM authentication events, logons using NTLM where Kerberos is expected, reuse of the same hash across multiple systems, and suspicious access to LSASS memory. Endpoint telemetry, Windows Security Event Logs (e.g., Event IDs 4624 and 4672), and EDR memory access alerts are commonly used data sources.
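The two log-based indicators named above, NTLM where Kerberos is expected and one credential reused across many hosts, can be hunted directly in Event ID 4624 data. The following is an added example, not code from the original article; it runs over a constructed set of 4624 records reduced to the relevant fields (the hostnames, account names and addresses are made up).

```python
from collections import defaultdict

# Constructed sample of Windows Security Event ID 4624 records, reduced to the
# fields this hunt needs. Not real telemetry: hosts, users and IPs are invented.
SAMPLE_4624 = [
    {"host": "FS01", "domain": "CORP", "user": "alice", "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.5"},
    {"host": "FS01", "domain": "CORP", "user": "bob", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.9"},
    {"host": "DB02", "domain": "CORP", "user": "bob", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.9"},
    {"host": "WEB03", "domain": "CORP", "user": "bob", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.9"},
    {"host": "FS01", "domain": "FS01", "user": "localadmin", "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.20"},
]


def ntlm_where_kerberos_expected(events):
    """Network logons (type 3) by domain accounts that used NTLM.

    A domain account reaching a domain-joined host by name normally gets Kerberos,
    so each of these deserves triage. Local accounts (domain == host) can only
    authenticate with NTLM and are skipped to keep the noise down.
    """
    return [e for e in events
            if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM" and e["domain"] != e["host"]]


def ntlm_fanout(events, min_hosts=3):
    """Same account and source address authenticating with NTLM to many distinct hosts.

    The hash itself never appears in the event log, so "one hash reused across
    systems" is visible only as this fan-out pattern from a single source.
    """
    hosts = defaultdict(set)
    for e in events:
        if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM":
            hosts[(e["domain"], e["user"], e["src_ip"])].add(e["host"])
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for e in ntlm_where_kerberos_expected(SAMPLE_4624):
        print("NTLM network logon by domain account:", e)
    for (dom, user, src), targets in ntlm_fanout(SAMPLE_4624).items():
        print(f"NTLM fan-out: {dom}\\{user} from {src} -> {targets}")
```

Both rules fire on legitimate NTLM as well (connections by IP address, non-domain-joined hosts, legacy applications), so in production they are tuned with an allowlist and a time window rather than run raw.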
Understanding PtH as a credential access technique helps security teams prioritize protections such as Credential Guard, LSASS hardening, disabling NTLM where possible, enforcing least privilege, and monitoring authentication anomalies. This classification also reinforces a core professional principle: identity is the new perimeter, and protecting credential material is foundational to modern threat hunting and defense.