Inferensys

Glossary

Pass-the-Hash (PtH)

A lateral movement technique where an attacker captures a hashed user credential and reuses it to authenticate to a remote server or service without needing the plaintext password.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
LATERAL MOVEMENT TECHNIQUE

What is Pass-the-Hash (PtH)?

A credential theft and reuse attack that bypasses the need for plaintext passwords by exploiting the underlying authentication protocols of Windows systems.

Pass-the-Hash (PtH) is a lateral movement technique where an attacker captures a hashed user credential and reuses it to authenticate to a remote server or service without needing the plaintext password. This attack exploits the single sign-on (SSO) mechanisms in the NTLM authentication protocol, allowing an adversary to impersonate a valid user by presenting the stolen hash directly during the challenge-response sequence.

The attack typically begins with extracting hashes from a compromised system's Security Account Manager (SAM) database, Local Security Authority Subsystem Service (LSASS) process memory, or the NTDS.dit file on a domain controller. Mitigations include enforcing Credential Guard, implementing Microsoft Local Administrator Password Solution (LAPS), and adopting a Zero Trust Architecture that continuously validates every access request regardless of its apparent origin.

LATERAL MOVEMENT MECHANICS

Core Characteristics of Pass-the-Hash Attacks

Pass-the-Hash (PtH) is a credential theft and reuse technique that exploits the NTLM authentication protocol. Instead of cracking a password, the attacker captures the stored hash and reuses it to authenticate to remote services, enabling lateral movement without ever knowing the plaintext secret.

01

NTLM Authentication Exploitation

PtH attacks target the NT LAN Manager (NTLM) challenge-response protocol. The core vulnerability is that NTLM authenticates a user by proving knowledge of the password hash, not the password itself. The system never verifies that the authenticating entity is the original user who created the hash. This allows an attacker to present a stolen LM hash or NT hash directly to a remote service's NtLmAuthenticate function, bypassing the need for plaintext credentials entirely.

02

Credential Acquisition Vectors

Attackers must first obtain the hash, typically through local privilege escalation. Common extraction methods include:

  • LSASS Memory Dumping: Using tools like Mimikatz to extract hashes from the Local Security Authority Subsystem Service process.
  • SAM Database Extraction: Reading the Security Account Manager registry hive (C:\Windows\System32\config\SAM) offline.
  • NTDS.dit Extraction: Compromising a Domain Controller to dump the Active Directory database containing every domain user's hash.
  • Credential Dumping Tools: Leveraging built-in utilities like secretsdump.py from Impacket.
03

Lateral Movement Execution

Once a hash is captured, the attacker uses it to impersonate the user across the network. This is executed via tools that modify the authentication process:

  • Mimikatz: The sekurlsa::pth command injects the stolen hash into a new process, launching a command prompt that runs in the victim's security context.
  • Impacket Suite: Python tools like psexec.py and wmiexec.py accept an -hashes flag, allowing remote code execution on a target server using only the LM:NT hash pair.
  • PowerShell Remoting: Using Invoke-Command with explicit credentials derived from the hash to execute scripts on remote machines.
04

Overpass-the-Hash Evolution

A direct evolution of PtH, Overpass-the-Hash converts the stolen NTLM hash into a full Kerberos Ticket Granting Ticket (TGT). This is achieved by using the hash to request a TGT from the Domain Controller's Key Distribution Center (KDC). The resulting Kerberos ticket provides access to any service the victim is authorized for, without triggering NTLM-specific detection rules. This technique is often executed via Mimikatz's sekurlsa::pth command combined with a klist purge and a new service access request.

05

Detection Blind Spots

PtH attacks are notoriously difficult to distinguish from legitimate authentication because they use valid, unmodified credentials. Standard event logs show a successful Event ID 4624 (Logon Type 3) with the correct username and domain. Key detection differentiators include:

  • Logon Type Mismatch: A user authenticating from a workstation they have never physically logged into.
  • NTLM Usage Anomalies: A sudden spike in NTLM authentication for a user who typically uses Kerberos.
  • Missing Pre-authentication: The absence of a Kerberos TGT request (Event ID 4768) preceding the NTLM logon.
06

Mitigation and Defense-in-Depth

Effective mitigation requires breaking the attack chain at multiple points:

  • Credential Guard: Enables Virtualization-Based Security (VBS) to isolate LSASS in a protected virtual container, preventing hash extraction even with kernel-level access.
  • Restricted Admin Mode: Forces authentication via Kerberos and prevents the caching of plaintext credentials or reusable hashes on remote targets.
  • Local Administrator Password Solution (LAPS): Ensures every workstation has a unique, randomized local administrator password, preventing lateral movement using a shared local account hash.
  • Protected Users Security Group: A domain group that forces Kerberos-only authentication, disables NTLM, and prevents credential caching for its members.
PASS-THE-HASH SECURITY

Frequently Asked Questions

Clear, technical answers to the most common questions about Pass-the-Hash attacks, their mechanisms, and the architectural defenses required to stop lateral movement in modern enterprise and agentic systems.

A Pass-the-Hash (PtH) attack is a lateral movement technique where an attacker extracts a cryptographically hashed user credential from a compromised system's memory and reuses it to authenticate to a remote server or service without ever knowing the plaintext password. The attack exploits the single sign-on (SSO) nature of the NTLM authentication protocol in Windows environments. Instead of cracking the hash, the attacker simply presents the captured NT hash directly during the challenge-response handshake. The remote system validates the hash against its local Security Account Manager (SAM) database or domain controller, granting access because the underlying protocol verifies the hash, not the password. This allows an adversary to move from an initially compromised low-privilege endpoint to critical servers, domain controllers, and database systems, escalating their foothold into a full domain compromise.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.