What is Pass-the-Hash?
Pass-the-Hash lets attackers authenticate with stolen password hashes without cracking them.
Pass-the-Hash Mechanics
When Windows authenticates users, it does not store plaintext passwords: it stores NTLM hashes of passwords. During NTLM authentication, the client proves its identity to a network resource using the hash rather than the plaintext password, which makes the hash itself a usable credential. Pass-the-Hash attacks steal these hashes from memory or from credential stores and use them directly for authentication, without needing to crack or know the underlying password.
NTLM hashes are extracted from LSASS (Local Security Authority Subsystem Service) memory using tools like Mimikatz, which has become ubiquitous in ransomware and nation-state operations because it provides reliable credential extraction from compromised Windows systems. Once a hash is extracted, it can be used to authenticate to any system that accepts NTLM authentication and where the account has access — enabling lateral movement across the network without the underlying password ever being cracked.
Defense Against Pass-the-Hash
Credential Guard is a Windows security feature that uses hardware-based virtualization to protect LSASS memory from extraction tools like Mimikatz. Credential Guard prevents the most common hash extraction technique when properly configured on supported hardware. Protected Users security group membership prevents accounts in the group from using NTLM authentication, requiring Kerberos, which is not vulnerable to classic Pass-the-Hash. Network segmentation limits what systems a compromised hash can reach. Local Administrator Password Solution — LAPS — ensures that local administrator accounts have unique, randomly generated passwords on each system, preventing a single compromised local admin hash from enabling lateral movement to every system in the environment.
Pass-the-Hash Defense Strategies
Disable NTLM Where Possible
NTLM is the protocol that pass-the-hash exploits. Microsoft has deprecated NTLM in favor of Kerberos for over a decade, but NTLM remains enabled by default in most environments for backward compatibility. Auditing NTLM usage and progressively disabling it in environments where it is not required eliminates the protocol-level attack surface.
Credential Guard
Microsoft Credential Guard is a Windows 10/11 feature that uses virtualization-based security to isolate NTLM hashes from access by malicious code, even with administrator privileges. Enabling Credential Guard on Windows 10/11 workstations is one of the most effective endpoint controls against pass-the-hash attacks.
Tiered Administration
The structural defense against pass-the-hash is preventing privileged credentials from being used on lower-tier systems where credential theft is most likely. Tier 0 (domain controllers, certificate authorities) administrative accounts should only authenticate on Tier 0 systems. Tier 1 (server) admin accounts should only authenticate on Tier 1 systems. Tier 2 (workstation) accounts should only authenticate on workstations. This prevents an attacker who compromises a workstation from harvesting credentials with broader privilege.
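The NTLM audit described under "Disable NTLM Where Possible" and the tier checks described here can be run over the same logon telemetry. The following is an added example, not code from the original page: it scans constructed 4624-style logon records (the account-to-tier and host-to-tier maps and all event values are assumptions) to inventory which account/host pairs still depend on NTLM and to flag privileged accounts authenticating onto lower-tier systems.

```python
from dataclasses import dataclass

# Constructed tiering model (assumption): lower number = more privileged tier.
ACCOUNT_TIER = {"CORP\\da-alice": 0, "CORP\\srvadm-bob": 1, "CORP\\carol": 2}
HOST_TIER = {"DC01": 0, "PKI01": 0, "FS01": 1, "WKS-117": 2}


@dataclass(frozen=True)
class Logon:
    """Fields a Security 4624 event carries that matter for this check."""
    target_host: str
    account: str
    logon_type: int    # 2 = interactive, 3 = network
    auth_package: str  # "NTLM" or "Kerberos"


# Constructed sample events (not real telemetry).
EVENTS = [
    Logon("DC01", "CORP\\da-alice", 3, "Kerberos"),   # Tier 0 admin on Tier 0 host
    Logon("WKS-117", "CORP\\da-alice", 3, "NTLM"),    # Tier 0 admin on a workstation, over NTLM
    Logon("FS01", "CORP\\srvadm-bob", 3, "NTLM"),     # correct tier, but still NTLM
    Logon("WKS-117", "CORP\\carol", 2, "Kerberos"),   # ordinary interactive user logon
    Logon("FS01", "CORP\\carol", 3, "Kerberos"),      # low-privilege account reaching up: allowed
]


def ntlm_dependents(events):
    """Inventory of hosts still receiving NTLM network logons, and from which accounts.
    This is the list to work through before disabling NTLM on a host."""
    deps = {}
    for e in events:
        if e.auth_package == "NTLM" and e.logon_type == 3:
            deps.setdefault(e.target_host, set()).add(e.account)
    return {host: sorted(accts) for host, accts in deps.items()}


def findings(events):
    """Return (finding, account, host) tuples: NTLM network logons, and logons where a
    more-privileged account authenticates to a less-privileged tier (credential exposure)."""
    out = []
    for e in events:
        if e.auth_package == "NTLM" and e.logon_type == 3:
            out.append(("NTLM_NETWORK_LOGON", e.account, e.target_host))
        acct_tier, host_tier = ACCOUNT_TIER.get(e.account), HOST_TIER.get(e.target_host)
        if acct_tier is not None and host_tier is not None and acct_tier < host_tier:
            out.append(("TIER_VIOLATION", e.account, e.target_host))
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(*f)
    print(ntlm_dependents(EVENTS))
```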
Related Reading
- Active Directory Security — the environment Pass-the-Hash exploits
- Kerberoasting — the Kerberos-specific cousin attack
- Privileged Access Management (PAM) — the structural defense against credential-reuse attacks
Real-World Example: Mimikatz and Pass-the-Hash in Every Major Ransomware Campaign
Mimikatz, the open-source credential extraction tool that enables Pass-the-Hash, appears in virtually every publicly documented enterprise ransomware investigation. The tool is so ubiquitous that its detection signature is a high-confidence indicator of active ransomware staging. The 2021 Colonial Pipeline attack, the 2021 Kaseya VSA attack, and dozens of other major incidents all involved Mimikatz-based credential extraction followed by Pass-the-Hash lateral movement to spread ransomware across the victim environment.
Of ransomware operators use Pass-the-Hash as a primary lateral movement technique — because it is reliable, fast, and requires no password cracking, enabling rapid domain-wide access after initial compromise.