Pass-the-Hash (PtH) is a lateral movement technique where an attacker captures a hashed user credential and reuses it to authenticate to a remote server or service without needing the plaintext password. This attack exploits the single sign-on (SSO) mechanisms in the NTLM authentication protocol, allowing an adversary to impersonate a valid user by presenting the stolen hash directly during the challenge-response sequence.
Glossary
Pass-the-Hash (PtH)

What is Pass-the-Hash (PtH)?
A credential theft and reuse attack that bypasses the need for plaintext passwords by exploiting the underlying authentication protocols of Windows systems.
The attack typically begins with extracting hashes from a compromised system's Security Account Manager (SAM) database, Local Security Authority Subsystem Service (LSASS) process memory, or the NTDS.dit file on a domain controller. Mitigations include enforcing Credential Guard, implementing Microsoft Local Administrator Password Solution (LAPS), and adopting a Zero Trust Architecture that continuously validates every access request regardless of its apparent origin.
Core Characteristics of Pass-the-Hash Attacks
Pass-the-Hash (PtH) is a credential theft and reuse technique that exploits the NTLM authentication protocol. Instead of cracking a password, the attacker captures the stored hash and reuses it to authenticate to remote services, enabling lateral movement without ever knowing the plaintext secret.
NTLM Authentication Exploitation
PtH attacks target the NT LAN Manager (NTLM) challenge-response protocol. The core vulnerability is that NTLM authenticates a user by proving knowledge of the password hash, not the password itself. The system never verifies that the authenticating entity is the original user who created the hash. This allows an attacker to present a stolen LM hash or NT hash directly to a remote service's NtLmAuthenticate function, bypassing the need for plaintext credentials entirely.
Credential Acquisition Vectors
Attackers must first obtain the hash, typically through local privilege escalation. Common extraction methods include:
- LSASS Memory Dumping: Using tools like Mimikatz to extract hashes from the Local Security Authority Subsystem Service process.
- SAM Database Extraction: Reading the Security Account Manager registry hive (
C:\Windows\System32\config\SAM) offline. - NTDS.dit Extraction: Compromising a Domain Controller to dump the Active Directory database containing every domain user's hash.
- Credential Dumping Tools: Leveraging built-in utilities like
secretsdump.pyfrom Impacket.
Lateral Movement Execution
Once a hash is captured, the attacker uses it to impersonate the user across the network. This is executed via tools that modify the authentication process:
- Mimikatz: The
sekurlsa::pthcommand injects the stolen hash into a new process, launching a command prompt that runs in the victim's security context. - Impacket Suite: Python tools like
psexec.pyandwmiexec.pyaccept an-hashesflag, allowing remote code execution on a target server using only theLM:NThash pair. - PowerShell Remoting: Using
Invoke-Commandwith explicit credentials derived from the hash to execute scripts on remote machines.
Overpass-the-Hash Evolution
A direct evolution of PtH, Overpass-the-Hash converts the stolen NTLM hash into a full Kerberos Ticket Granting Ticket (TGT). This is achieved by using the hash to request a TGT from the Domain Controller's Key Distribution Center (KDC). The resulting Kerberos ticket provides access to any service the victim is authorized for, without triggering NTLM-specific detection rules. This technique is often executed via Mimikatz's sekurlsa::pth command combined with a klist purge and a new service access request.
Detection Blind Spots
PtH attacks are notoriously difficult to distinguish from legitimate authentication because they use valid, unmodified credentials. Standard event logs show a successful Event ID 4624 (Logon Type 3) with the correct username and domain. Key detection differentiators include:
- Logon Type Mismatch: A user authenticating from a workstation they have never physically logged into.
- NTLM Usage Anomalies: A sudden spike in NTLM authentication for a user who typically uses Kerberos.
- Missing Pre-authentication: The absence of a Kerberos TGT request (Event ID 4768) preceding the NTLM logon.
Mitigation and Defense-in-Depth
Effective mitigation requires breaking the attack chain at multiple points:
- Credential Guard: Enables Virtualization-Based Security (VBS) to isolate LSASS in a protected virtual container, preventing hash extraction even with kernel-level access.
- Restricted Admin Mode: Forces authentication via Kerberos and prevents the caching of plaintext credentials or reusable hashes on remote targets.
- Local Administrator Password Solution (LAPS): Ensures every workstation has a unique, randomized local administrator password, preventing lateral movement using a shared local account hash.
- Protected Users Security Group: A domain group that forces Kerberos-only authentication, disables NTLM, and prevents credential caching for its members.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about Pass-the-Hash attacks, their mechanisms, and the architectural defenses required to stop lateral movement in modern enterprise and agentic systems.
A Pass-the-Hash (PtH) attack is a lateral movement technique where an attacker extracts a cryptographically hashed user credential from a compromised system's memory and reuses it to authenticate to a remote server or service without ever knowing the plaintext password. The attack exploits the single sign-on (SSO) nature of the NTLM authentication protocol in Windows environments. Instead of cracking the hash, the attacker simply presents the captured NT hash directly during the challenge-response handshake. The remote system validates the hash against its local Security Account Manager (SAM) database or domain controller, granting access because the underlying protocol verifies the hash, not the password. This allows an adversary to move from an initially compromised low-privilege endpoint to critical servers, domain controllers, and database systems, escalating their foothold into a full domain compromise.
Related Terms
Pass-the-Hash is part of a broader family of credential theft and replay attacks. Understanding adjacent techniques is critical for building defense-in-depth strategies against lateral movement.
Token Impersonation
A Windows privilege escalation technique where an attacker leverages the SeImpersonatePrivilege to assume the security context of another logged-on user.
- Commonly exploited via tools like Juicy Potato or PrintSpoofer
- Allows a service account (e.g., LOCAL SERVICE) to escalate to SYSTEM
- Distinct from PtH: it steals an active token rather than replaying a static hash
- Mitigated by restricting the impersonation privilege to only accounts that absolutely require it
Credential Guard
A Virtualization-Based Security (VBS) feature in Windows that isolates the Local Security Authority (LSA) process in a protected virtualized container.
- Prevents attackers from extracting NTLM hashes and Kerberos tickets from memory
- Uses Hyper-V to create an isolated execution environment invisible to the host OS
- Effectively neuters Pass-the-Hash and Mimikatz-style credential dumping
- Requires hardware virtualization support (Intel VT-x or AMD-V)
Overpass-the-Hash
An evolution of Pass-the-Hash where an attacker uses a stolen NTLM hash to request a full Kerberos Ticket Granting Ticket (TGT).
- Converts NTLM-based access into a Kerberos ticket for broader authentication
- Enables access to services that require Kerberos and reject NTLM
- Also known as Pass-the-Key when using AES keys instead of NTLM hashes
- Detected by monitoring for TGT requests without corresponding pre-authentication events
Golden Ticket Attack
A persistence technique where an attacker compromises the KRBTGT account hash in Active Directory to forge arbitrary Kerberos TGTs.
- Grants unlimited domain access with arbitrary privileges and expiration
- Persists even after user password resets
- Requires Domain Admin-level access to extract the KRBTGT hash
- Mitigated by regularly resetting the KRBTGT password (twice to invalidate all existing tickets)
Silver Ticket Attack
A targeted Kerberos attack where an attacker forges a Ticket Granting Service (TGS) ticket using the NTLM hash of a specific service account.
- Provides access to a single service rather than the entire domain
- Does not require Domain Admin privileges or KRBTGT compromise
- Harder to detect than Golden Tickets because TGS requests are common
- Mitigated by enforcing PAC validation and monitoring for anomalous service ticket requests

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us