← All glossary terms
Active Directory4 min read

What is Pass-the-Hash?

Pass-the-Hash (PtH) is an attack that lets an adversary authenticate using an NTLM password hash without knowing the plaintext password. Learn how it works and how to defend.

What is Pass-the-Hash?

Definition

Pass-the-Hash (PtH) is an attack technique in which an adversary authenticates to a remote system using a captured NTLM password hash — without ever needing the plaintext password.

It is MITRE ATT&CK T1550.002.

In simple terms:

In NTLM authentication, the hash is the password. Steal the hash and you don't need to crack anything.


Why Pass-the-Hash Matters

  • PtH has been the engine of many of the largest breaches of the last 15 years (NotPetya, multiple ransomware events).
  • Works wherever NTLM is allowed.
  • Endpoint controls often fail to detect it because the authentication looks legitimate.
  • Domain Admin credentials cached on workstations turn one phished laptop into domain compromise.

How Pass-the-Hash Works

1. Initial Compromise

Attacker gets local admin or SYSTEM on a Windows host (phishing, vulnerability, misconfig).

2. Hash Extraction

Attacker dumps NTLM hashes from:

  • LSASS memory (active sessions)
  • SAM / SECURITY hives (local accounts)
  • NTDS.dit (entire domain — usually after DCSync)
  • Cached credentials (DCC2 — these aren't directly usable for PtH but can be cracked offline)

Tools: Mimikatz, Impacket's secretsdump.py, ProcDump + parsers.

3. Reuse the Hash

With the hash, the attacker authenticates to other systems using NTLM. Tools (Mimikatz sekurlsa::pth, Impacket's psexec.py, wmiexec.py, smbexec.py) inject the hash into a session that then authenticates remotely.

4. Lateral Movement

Each compromised system yields more hashes from its LSASS memory, expanding reach until Domain Admin is found.

5. Domain Compromise

Domain Admin hash → DCSync → KRBTGT → Golden Ticket → persistence.


Real-World Examples

1. Local Admin Reuse Across the Fleet

The same local administrator password is set on every workstation (no LAPS). Compromise of one workstation yields the local admin hash, which works on every other workstation. Lateral movement is trivial.

2. Cached Domain Admin on a Helpdesk Jump Host

A Domain Admin RDPs to a help desk jump host to fix an issue. Their hash remains in LSASS. Later, the jump host is compromised (still trusted as low-privilege), and Pass-the-Hash to a DC follows.

3. NotPetya Spread

NotPetya combined Mimikatz-style credential dumping with PtH and PsExec/WMI-based remote execution to spread enterprise-wide in minutes after initial infection.

4. Ransomware Operator Playbook

After initial access, ransomware operators routinely:

  1. Privilege escalate locally.
  2. Dump LSASS.
  3. Pass-the-Hash to nearby systems.
  4. Repeat until Domain Admin.
  5. Push ransomware via GPO or PsExec.

Defense Against Pass-the-Hash

Eliminate Local Admin Reuse

  1. LAPS (Local Administrator Password Solution) — unique random local admin password per machine.
  2. Disable lateral SMB between workstations (SMB block on workstation firewalls).

Tiered Administration

  1. Tier 0 admins log in only to Tier 0 systems.
  2. Domain Admin never on Tier 1/2. Never.
  3. PAWs for Tier 0 work.
  4. Jump hosts with strict scoping.

Endpoint Hardening

  1. Credential Guard (Windows 10/11/Server) — protects LSASS secrets in a virtualized container.
  2. RestrictedAdmin mode for RDP — doesn't cache credentials on the target.
  3. Remote Credential Guard — keeps credentials on the source.
  4. Disable cached interactive logons on sensitive systems.
  5. EDR with credential dumping detections.

Restrict NTLM

  1. Disable NTLMv1 entirely.
  2. Restrict NTLM progressively forest-wide.
  3. Prefer Kerberos wherever possible.

Account Hardening

  1. Protected Users group — members can't use NTLM and can't have plaintext credentials cached.
  2. Mark sensitive accounts "Account is sensitive and cannot be delegated."
  3. Strong, unique passwords (passkeys / smart cards for admins).

Detection

  1. Detect PtH via Windows logon events with anomalous combinations (Logon Type 3, NTLM, source not domain controller, admin SID).
  2. EDR PtH detections.
  3. Honeypot local admin accounts that should never log in.

Pass-the-Hash Defense Checklist

  • LAPS deployed on every Windows endpoint?
  • Workstation-to-workstation SMB blocked?
  • Tiered administration enforced (no DA on Tier 1/2)?
  • Credential Guard enabled on supported systems?
  • RestrictedAdmin / Remote Credential Guard for RDP to admin sessions?
  • NTLMv1 disabled, NTLM restricted forest-wide?
  • Sensitive accounts in Protected Users group?
  • EDR with PtH detections?
  • Honeypot local admin in place?
  • Forest recovery plan accounting for PtH-driven ransomware?

How Forestall Helps

Forestall builds a graph of where credentials have been used and could be reused:

  • Identifies systems where Tier 0 credentials have been cached recently.
  • Maps lateral movement potential from each compromised endpoint.
  • Surfaces local admin password reuse and missing LAPS coverage.
  • Highlights NTLM-heavy systems and tiering violations.
  • Tracks reduction in PtH attack surface over time.

Frequently Asked Questions

Does MFA prevent Pass-the-Hash?

No — PtH happens after authentication and bypasses interactive challenges. MFA helps with initial access; PtH is a post-foothold technique.

Does Credential Guard fully stop PtH?

It significantly reduces hash exposure on protected hosts but doesn't replace tiered admin and LAPS.

Is PtH still relevant in cloud-first organizations?

For any environment with Windows endpoints and AD — yes. Cloud-only environments have analogous attacks (token theft, refresh token replay).

Will disabling NTLM break things?

Possibly — inventory first. Many environments restrict it tightly long before fully disabling.

How does LAPS specifically help?

It removes the single-password-everywhere dynamic. Each local admin hash works only on one machine, breaking enterprise-wide lateral movement.


Conclusion

Pass-the-Hash has been killing networks for two decades because the controls that stop it (LAPS, tiered admin, Credential Guard, NTLM restrictions, Protected Users) require effort across many systems and processes. The good news is that each of these controls compounds: LAPS alone can collapse most worm-style PtH scenarios; combined with tiered administration and Credential Guard, the technique becomes far less effective. Map your credential reuse paths, fix the choke points, and PtH stops being an enterprise-ending event.

Pass-the-HashNTLMLateral MovementMITRE ATT&CK

Cut the credential reuse paths attackers depend on.

Forestall maps the lateral paths Pass-the-Hash enables — and the choke points that close them.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Pass-the-Hash? Definition, Detection, and Defense | Forestall