What is a Pass-the-Hash Attack (PtH)?


Pass-the-Hash (PtH) Definition

Pass-the-Hash attacks use stolen hashed user credentials to gain entry to devices and spread across networks. This technique bypasses security measures like two-factor authentication and password reset requirements by enabling an adversary to impersonate a legitimate account without knowing its actual password, only its hash value as stored on servers and domain controllers.

PtH attacks typically use compromised computers to exploit the NTLM authentication protocol, obtaining hashes for target accounts and then creating authenticated sessions on that system. Once an attacker has these sessions, they can use them to compromise further systems or to reach data or resources worth stealing.

With tools such as Mimikatz, CrackMapExec, Empire and PsExec at their disposal, cybercriminals can extract NTLM hashes from active memory to expand their access to networks. By monitoring event logs for suspicious activity and responding promptly, organizations can detect and address this threat.

PtH attacks typically begin after an initial system compromise through phishing campaigns, exploitation of remote endpoints or malware infections on hosts. Your organization’s incident response plan must therefore include backup and recovery capabilities so that systems can be restored quickly if they are compromised. In addition, run regular vulnerability scans to identify and patch vulnerabilities in your infrastructure that attackers could exploit.

What is a password hash?

Password hashing is a one-way mathematical function that converts user passwords to fixed-length strings of characters that cannot be reverse-engineered. The original passwords cannot be reconstructed from the hashes, and they are never stored in plain text.

When a privileged account is used to log in to an organization’s network, the system stores only the password hash rather than the actual alphanumeric characters that were entered. If cybercriminals gain access to and compromise this device, they could capture the hash, even remotely, and use it for authentication without ever needing to know the actual IT administrator password.

Attackers use this tactic to move laterally across compromised networks without the fear of detection or exposure. That makes Zero Trust Network Access crucial in safeguarding privileged accounts, along with strong password policies that set minimum length and complexity requirements and require two-factor authentication. Correlating login and credential-use events and recognizing anomalous activity are also key to detecting such attacks; employing best practices such as these in a comprehensive security architecture can significantly decrease the risk of pass-the-hash attacks and other malicious behavior.

Why are pass the hash attacks growing?

Damage from a pass the hash attack depends on the level of privileges of compromised credentials (the stolen hashes). If an attacker gains access to hashed passwords for an administrator account, they could gain entry to essential files and systems across your network such as line of business applications, file servers, and domain controllers.

Once they gain access to hashed passwords, threat actors can leverage that information to authenticate themselves on target systems and launch attacks laterally across networks in search of further credentials that could escalate user permissions in order to gain entry to domain controllers or other high-level accounts.

This type of attack is particularly risky because it’s hard to detect. Since NTLM doesn’t preserve entropy, attacks using it may go undetected by traditional signature-based detection systems; however, when security measures such as two-factor authentication or password resets are in place, these attacks may be detected earlier and prevented altogether. One effective way to minimize the risk is to implement strong authentication protocols together with strong password policies that require long, complex passwords containing uppercase and lowercase letters, numbers and symbols.

How does a pass the hash attack work?

In pass the hash attacks, attackers steal encrypted or hashed passwords from compromised systems and use the stolen hashes to create a new authenticated session on the network. This enables lateral movement between devices and accounts, from which they extract information or credentials. As they continue these lateral moves, they eventually escalate their privileges and gain access to more critical systems, such as network administrator accounts.

To launch a pass the hash attack, threat actors first need to gain entry to your organization’s network through methods such as phishing campaigns, exploiting vulnerable IT assets or malware infection. Once in, they use various tools and techniques to monitor active memory for material they can exploit, usually hash values.

By monitoring NTLM authentications on workstations and servers, organizations can detect anomalous patterns that indicate adversaries exploiting this attack vector. Furthermore, attack path management techniques should be employed to limit lateral movement, such as segregating domain controllers from servers requiring domain administrator membership, to prevent their exploitation by attackers.

How to protect against Pass-the-Hash attacks?

To protect against Pass-the-Hash attacks, it’s crucial that attackers cannot gain entry to your network’s privileged accounts. You can do this by segregating privileged network access and employing several layers of security protections that detect anomalous behavior and threats before they affect critical IT assets and accounts.

Cybercriminals often gain initial access to systems through phishing attacks or by exploiting vulnerable public IT assets, before using malware to penetrate network endpoints and servers. Once they gain entry, attackers often move laterally between devices and accounts in order to obtain information, credentials and potentially escalate user privileges.

Pass-the-Hash attacks can be effectively countered through multifactor authentication (MFA), strong password policies and security tools designed specifically to combat these types of attacks. Falcon Identity Protection also offers assistance by automatically initiating an MFA flow when it detects threats such as an attacker attempting to lift password hashes from a Local Security Authority Subsystem Service process, which might signal that a PtH attack is underway.

1. Zero Trust Network Access (ZTNA)

Attackers can leverage the pass the hash technique by using stolen hashed credentials to log into other systems on a network and compromise critical information and services. Once compromised, an attacker can spoof an authenticated session on that same network to access vital resources and further damage can be inflicted through lateral movement across devices and accounts.

One form of this attack exploits the NTLM authentication protocol. NTLM employs a challenge-response system to verify user identities without asking for their password, meaning an adversary who gains a hash can use this to gain entry to other workstations and domain controllers.
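Why the hash alone is enough, and why changing the password is what invalidates it: the sketch below is an added example (not from the original page) of the NTLMv2 proof check described in Microsoft's MS-NLMP specification, reduced to its HMAC-MD5 core. The 16-byte hash values, user and domain names, challenges and client blob are constructed placeholders.

```python
import hashlib
import hmac

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed by the stored NT hash, never the password."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, client_blob: bytes) -> bytes:
    """Proof value: HMAC-MD5(response key, server challenge || client blob)."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()

def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, client_blob: bytes, proof: bytes) -> bool:
    """The verifier recomputes the proof from the hash it has on record."""
    expected = nt_proof(stored_nt_hash, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)

def demo():
    # Constructed 16-byte stand-ins for NT hashes (not derived from real passwords).
    old_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    new_hash = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    blob = b"constructed-client-blob"

    # Before rotation: a proof built from the stored hash is accepted.
    challenge_1 = bytes.fromhex("0123456789abcdef")
    proof_1 = nt_proof(old_hash, "fred", "CORP", challenge_1, blob)
    accepted_before = server_verify(old_hash, "fred", "CORP", challenge_1, blob, proof_1)

    # After the password (and therefore the stored hash) changes, a proof built
    # from the old hash no longer verifies, even against a fresh challenge.
    challenge_2 = bytes.fromhex("fedcba9876543210")
    proof_2 = nt_proof(old_hash, "fred", "CORP", challenge_2, blob)
    accepted_after = server_verify(new_hash, "fred", "CORP", challenge_2, blob, proof_2)
    return accepted_before, accepted_after

if __name__ == "__main__":
    print(demo())
```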

Organizations looking to reduce the impact of pass the hash attacks should implement a defense-in-depth strategy with zero trust networking capabilities, like Falcon Identity Protection. Zero Trust networking enables businesses to secure applications while keeping network visibility to a minimum, protecting data while mitigating security risk. Furthermore, least-privilege policies should be implemented to prevent local administrator accounts from being misused by outsiders, and User Entity Behavior Analytics solutions like Falcon Identity Protection, which detect unusual logon activity and suspicious processes touching the Local Security Authority Subsystem Service (LSASS), should be used as one of several steps taken against pass the hash attacks.

2. Managed Detection and Response (MDR)

Pass-the-Hash attacks pose a growing threat for organizations. But protecting against these attacks doesn’t need to be complicated: with UEBA an attacker can be detected before their attack is fully launched.

Pass-the-Hash attacks occur when an attacker exploits stolen hashed user credentials to deceive an authentication system and create new authenticated sessions without first cracking their passwords. Sometimes this technique doesn’t even require physical theft from victims to work successfully.

This type of attack typically targets Windows systems utilizing NTLM authentication protocols; however, they could also target other operating systems and authentication mechanisms.

As soon as an attacker obtains usable password hashes, they can gain full system access and leverage it for lateral movement within the network. They can move freely from device to device and account to account in search of more hashes, eventually increasing their credentials until they reach domain controller administrator roles.

Organizations can protect themselves from these attacks by monitoring user and network activity for suspicious or malicious behavior, such as logins on unusual endpoints that correlate with malware like Mimikatz or remote software programs such as Remote File Unlock (RFU). Falcon Identity Protection can detect these events and implement multi-factor authentication flows on compromised endpoints in order to stop attackers from doing further damage.

3. Password Management

Pass-the-Hash attacks can affect almost any operating system and authentication protocol, but are most prevalent on Windows due to single sign-on (SSO), where passwords are hashed instead of stored as plain text on machines when users log on, making these hashes vulnerable to attack.

After breaching a low-level workstation using phishing, malware or another means, attackers use stolen hashed credentials to establish an authenticated session on the network and start their “lateral movement.” They hop between devices and accounts in an effort to increase their user permissions so as to access critical systems like those controlled by system administrator accounts.

To minimize this type of attack, organizations should restrict privileged account access on all machines using a Privileged Access Management Solution and change passwords frequently for these accounts. Furthermore, SIEM monitoring for event IDs 10, 4624, and 4672 should detect such attacks.
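One way to correlate the three event IDs named above, as an added example that is not part of the original page. It assumes 10 is Sysmon's ProcessAccess event and 4624/4672 are Security-log events, and it uses a commonly published heuristic (a LogonType 9 logon created by `seclogo`) as the trigger; the sample events, host and account names, allowlist and five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # assumed correlation window
TRUSTED_READERS = {"msmpeng.exe"}    # assumed allowlist of processes expected to open LSASS

# Constructed sample events, not real logs.
EVENTS = [
    {"id": 10, "host": "WS01", "time": "2024-05-01T10:00:05",
     "SourceImage": r"C:\Temp\tool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"id": 4624, "host": "WS01", "time": "2024-05-01T10:01:10", "LogonType": 9,
     "LogonProcessName": "seclogo", "TargetUserName": "bob", "TargetLogonId": "0x5a1f2"},
    {"id": 4672, "host": "WS01", "time": "2024-05-01T10:01:10",
     "SubjectUserName": "bob", "SubjectLogonId": "0x5a1f2"},
    {"id": 10, "host": "WS02", "time": "2024-05-01T11:00:00",
     "SourceImage": r"C:\AV\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"id": 4624, "host": "WS02", "time": "2024-05-01T11:02:00", "LogonType": 2,
     "LogonProcessName": "User32", "TargetUserName": "alice", "TargetLogonId": "0x77aa0"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_pth_candidates(events, window=WINDOW):
    """Return one finding per suspicious 4624, scored by corroborating events."""
    lsass_reads = [e for e in events if e["id"] == 10
                   and _basename(e["TargetImage"]) == "lsass.exe"
                   and _basename(e["SourceImage"]) not in TRUSTED_READERS]
    privileged = {(e["host"], e["SubjectLogonId"]) for e in events if e["id"] == 4672}
    findings = []
    for e in events:
        # Heuristic (assumption): NewCredentials logon created through seclogo.
        if e["id"] != 4624 or e.get("LogonType") != 9 or e.get("LogonProcessName") != "seclogo":
            continue
        reasons = ["4624 LogonType 9 via seclogo"]
        if (e["host"], e["TargetLogonId"]) in privileged:
            reasons.append("4672 special privileges on same logon ID")
        if any(r["host"] == e["host"] and timedelta(0) <= _ts(e) - _ts(r) <= window
               for r in lsass_reads):
            reasons.append("Sysmon 10 LSASS access shortly before logon")
        findings.append({"host": e["host"], "user": e["TargetUserName"],
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for finding in find_pth_candidates(EVENTS):
        print(finding)
```

Each corroborating event raises the score, so a SIEM rule built this way can alert on the combination rather than on any single event ID, which on its own is routine.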

Pass-the-Hash Attack Steps

Pass-the-Hash attacks are a highly effective method for attackers looking to gain entry to privileged accounts. With this attack technique, they can scour devices and accounts in search of more usable hashes while moving from device to device and account to account.

Organizations can protect themselves from this threat by employing multi-factor authentication and using correlation rules, alerts, and incident workflows to detect suspicious logon activity and respond accordingly.

1. Infiltration

Hackers employ pass the hash attacks as a lateral movement technique to gather additional credentials after breaching a device or user account. Once adversaries obtain password hashes for multiple accounts, they can impersonate those users, presenting the captured hashes as credentials to access privileged systems and resources across a network.

It is essential to understand and identify the lateral movement attacks available to attackers so that you can take steps to protect your organization from them, including implementing strong authentication controls, segregating privileged and non-privileged accounts and auditing logon activity to detect suspicious behavior.

Pass the hash attacks are typically deployed against Windows systems using the NTLM authentication protocol; however, they may also be employed against other operating systems and authentication protocols in some instances. Once attackers obtain hashed credentials for an authorized account, they can use them to gain entry to other resources within your organization such as servers, applications or any other privileged resources on its network.

2. Extraction

Pass-the-hash attacks are one of the more subtle techniques cybercriminals use to gain entry into critical systems. Once inside a network, threat actors use stolen password hashes to establish authenticated sessions on it before moving laterally in search of higher-level credentials.

Once an attacker gains control of a compromised computer or server, they can collect all NTLM hashes used by each account logged onto it. These hashes serve to identify users on the system and can be found in LSASS process memory, Windows Page Files, Credential Manager and SAM registry hives.

Once an attacker has collected all the password hashes, they can begin creating authenticated sessions on the network while impersonating a privileged user to perform activities like network exploitation and privilege escalation. To protect themselves against this kind of attack, organizations should implement stringent security policies and multi-factor authentication on accounts with administrator privileges, and have an incident response plan in place that quickly detects and remediates such attacks.

3. Advancement

Since the 1990s, adversaries have used password hashes as a method of accessing systems and networks, a technique known as Pass-the-Hash (PtH). PtH attacks have often been used against compromised Windows systems but can also be applied against any OS supporting single sign-on (SSO), Linux computers included.

Once a user logs onto a system, their username and password hash are stored either in memory or on the file system so the machine can re-use their login credentials even after they log off or reboot, giving malware, attackers or good employees time to use Fred’s one-way hash to roam around freely within the network.

PtH attacks can be detected using programs such as Sysmon and IPS tools, and mitigated through best practices such as creating separate Domain Admin accounts so IT administrators can log in for daily tasks without access to privileged networks, and by enforcing complex password policies and more frequent password changes on those accounts. Other techniques include monitoring workstation logs to detect suspicious activity and activating granular alerts in IPS tools to provide a holistic view of security.

Examples of Pass-the-Hash Attacks

Pass-the-Hash attacks are an evolving cyber attack strategy that allows criminals to move laterally across a network after stealing a hashed user credential. Moving between devices and accounts, they extract additional information and credentials and build profiles that let them target higher-level systems and obtain domain administrator rights more quickly. Such movements are typically accomplished using malware or remote software programs.

Pass the Hash attacks are used to exploit implementation vulnerabilities in authentication protocols. They allow attackers to authenticate themselves into servers or services by using an NTLM (LanMan) hash of their victim’s password, providing access. This attack works against any server or service accepting NTLM authentication.

Defense against pass the hash attacks requires taking a multilayered approach to security. Audit logon activity, manage attack paths and monitor them closely, detect suspicious behavior promptly and respond. Multi-factor authentication technology offers one such layered defense mechanism against pass the hash attacks that ensures only authorized users gain access to sensitive data or systems.


Pass-the-hash attacks pose an imminent cyber security threat and have been responsible for several high-profile cyberattacks in recent years. For example, attackers employed this technique to gain access to the data of 22 million current and former federal employees during a massive breach of OPM's systems; similarly, they used it to gain entry to Target's systems, where they took millions of customers’ credit and debit card data without permission.

Password cracking is one of the primary methods of protecting organizations against this form of attack, but hackers continue to devise ways around existing cybersecurity measures, so organizations need to employ multiple layers of defenses and implement multiple techniques to keep their data and networks safe from attack.

Organizations can monitor workstation logs to detect pass-the-hash attacks in progress, which typically involves looking out for activity like NTLM hash dumping, privilege escalation and lateral movement. Penetration testing (commonly known as pen testing or ethical hacking) should also be carried out to simulate real-world attacks and identify vulnerabilities within their systems.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.