What is Pass-the-Hash?
Pass-the-Hash lets attackers authenticate with stolen password hashes without cracking them. Learn how this lateral movement technique works, why Mimikatz enables it at scale, and how to defend against it.
Pass-the-Hash Mechanics
Windows does not store plaintext passwords. It stores the NT hash (an MD4 digest of the UTF-16LE encoded password) in the local SAM for local accounts and in NTDS.dit on domain controllers for domain accounts, and LSASS keeps the hashes of logged-on users in memory so it can authenticate to network resources on their behalf. NTLM authentication is a challenge-response exchange: the server sends a random challenge and the client answers with a keyed response derived from the NT hash (HMAC-MD5 in NTLMv2). The password itself is never sent and never needed, which makes the hash password-equivalent: anyone holding it can compute a valid response. Pass-the-Hash attacks take hashes from LSASS memory, the SAM or NTDS.dit and use them directly to authenticate, with no need to crack or know the underlying password.
NT hashes are most often extracted from LSASS memory with tools such as Mimikatz, which requires administrative rights (SeDebugPrivilege or SYSTEM) on the compromised host and has become ubiquitous in ransomware and nation-state operations because it extracts credentials reliably from Windows systems. Once a hash is obtained, it can be used to authenticate to any system that accepts NTLM and on which the account has access, enabling lateral movement across the network without the password ever being cracked. A local administrator account that shares the same password across many machines is the worst case, because one captured hash then opens all of them.
Defense Against Pass-the-Hash
Credential Guard uses virtualization-based security to move NTLM hashes and Kerberos tickets out of LSASS into an isolated process (LSAIso) that code on the host, even running as SYSTEM, cannot read, so Mimikatz-style memory scraping on a properly configured machine with supported hardware yields no reusable domain credentials. It does not protect local account hashes in the SAM, passwords typed after the host is compromised, or machines where it is not enabled, so it is one layer rather than a complete answer. Membership in the Protected Users security group stops domain accounts from authenticating with NTLM at all and blocks RC4 in Kerberos pre-authentication, so a stolen NT hash can neither be passed directly nor turned into a Kerberos ticket; only domain accounts can be members, and service accounts that still depend on NTLM should not be added without testing. Kerberos itself is not vulnerable to classic Pass-the-Hash.
Network segmentation, in particular blocking SMB and RPC between workstations, limits what a compromised hash can reach. Local Administrator Password Solution (LAPS) gives every machine's local administrator account a unique, randomly generated and regularly rotated password stored in Active Directory, so a local admin hash captured on one host does not authenticate anywhere else.
Pass-the-Hash in Context
Pass-the-Hash is one member of a family of credential theft and reuse techniques. Pass-the-Ticket reuses stolen Kerberos tickets (TGTs or service tickets) rather than NTLM hashes. Overpass-the-Hash, also called Pass-the-Key, uses a stolen NT hash or AES key as the Kerberos pre-authentication key to obtain a legitimate TGT, so disabling NTLM alone does not neutralise a stolen hash. Golden Ticket attacks forge TGTs with the krbtgt account's key, which is why that key must be rotated (twice) after a domain compromise. Evaluating Active Directory hardening means checking that it covers this whole family, not only the most visible technique.
Mimikatz and Pass-the-Hash in Ransomware Intrusions
Mimikatz, the open-source credential extraction tool most closely associated with Pass-the-Hash, is one of the most frequently reported post-exploitation tools in public ransomware incident write-ups (MITRE ATT&CK tracks it as S0002 with a long list of criminal and state-sponsored users). Because it has little legitimate use outside authorised testing, a Mimikatz detection on a production endpoint is a high-confidence sign of credential theft in progress and, in a ransomware intrusion, of staging ahead of deployment. The recurring pattern is extraction of hashes on the first compromised host, followed by Pass-the-Hash or a related technique to reach file servers, backup infrastructure and domain controllers before the encryptor is pushed out.
Ransomware operators favour Pass-the-Hash for lateral movement because it is reliable, fast and needs no password cracking, which lets them reach domain-wide access quickly after the initial compromise.