eastbaycyber

What is pass-the-hash? A Practitioner's Definition

Threat digests 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-07-03

TL;DR - Pass-the-hash lets an attacker authenticate with a stolen password hash instead of the plaintext password. - It most often appears in Windows environments during lateral movement after an initial host compromise. - Defend with credential hygiene, NTLM reduction, admin tiering, and tight monitoring of remote admin activity.

Definition

Pass-the-hash, often shortened to PtH, is a post-compromise attack technique where an attacker uses a captured password hash to authenticate to another system without cracking the password first. In practice, it is most associated with NTLM authentication in Windows environments and is commonly used for lateral movement.

How it works

Pass-the-hash matters because many systems do not need the original password if they can present a valid authentication secret derived from it. If an attacker can extract that secret from memory, disk, a credential store, or a previous compromise, they may be able to impersonate the user across the network.

A typical attack chain looks like this:

  1. Initial access
    The attacker lands on one endpoint through phishing, malware, exposed remote access, or another compromise.

  2. Privilege escalation or local admin access
    To collect useful credentials, the attacker often needs elevated rights on the compromised machine.

  3. Hash extraction
    The attacker pulls NTLM password hashes or other reusable authentication material from sources such as: - LSASS memory - the local Security Account Manager (SAM) - cached credentials - domain controller databases in larger compromises

  4. Remote authentication using the hash
    Instead of cracking the password, the attacker uses tools that inject or replay the hash directly when connecting to: - SMB shares - remote service management interfaces - WMI - WinRM in some scenarios - PsExec-style remote execution paths

  5. Lateral movement and privilege expansion
    If the stolen account has local admin rights on multiple systems, the attacker can move quickly across the environment.

The key point: the hash effectively becomes the credential if the environment still accepts that authentication path.

Technical Notes

In Windows environments, defenders often see PtH in workflows that touch SMB, RPC, WMI, or service creation. Attackers may use legitimate admin mechanisms after authenticating with stolen material.

Examples of commands and telemetry that can appear during remote administration activity include:

wmic /node:HOSTNAME process call create "cmd.exe /c whoami > C:\Windows\Temp\whoami.txt"
sc.exe \\HOSTNAME create Updater binPath= "cmd.exe /c net user"
net use \\HOSTNAME\ADMIN$ /user:DOMAIN\username

Useful Windows Security Event IDs to review during investigations include:

4624  Successful logon
4625  Failed logon
4648  Logon attempted using explicit credentials
4672  Special privileges assigned to new logon
4688  Process creation
5140  Network share accessed
7045  A new service was installed

Logon events that show Logon Type 3 (network logon) combined with administrative share access, remote service creation, or unusual east-west authentication patterns can be strong investigation leads.

When you’ll encounter it

You will usually encounter pass-the-hash in one of four situations:

1. During incident response

PtH is a standard lateral movement technique in Windows intrusions. If you are investigating ransomware, hands-on-keyboard activity, or domain-wide compromise, you should consider it early.

Common signs include: - one admin account authenticating to many hosts in a short time - remote execution from a workstation that does not normally administer servers - SMB or RPC activity between peer systems with no business reason - bursts of logons followed by service installation or scheduled task creation

2. In environments with legacy NTLM usage

If your network still relies heavily on NTLM, especially for older systems or workflows, PtH risk is higher. Attackers prefer environments where hashes remain broadly reusable.

3. Where local administrator passwords are reused

If multiple endpoints share the same local admin password, a single compromised host can become the launch point for many others. This is one of the most practical and damaging PtH scenarios in small and midsize environments.

4. During security hardening projects

Administrators encounter the term while working on: - disabling or reducing NTLM - deploying LAPS or Windows LAPS - hardening LSASS protections - implementing privileged access workstations - segmenting admin roles and access paths

How to defend against it

The best PtH defenses reduce three things: credential exposure, credential reuse, and lateral movement paths.

Limit reusable credentials on endpoints

Do not let high-privilege accounts log on to ordinary workstations unless absolutely necessary. The more places admin credentials appear, the more places attackers can steal them.

Priorities: - separate workstation admin and server admin accounts - avoid using domain admin for routine tasks - use privileged access workstations for sensitive administration - restrict who can log on locally, via RDP, and via network access

Eliminate local admin password reuse

Deploy Windows LAPS or Microsoft LAPS so each machine has a unique local administrator password.

Why this matters: - a hash stolen from one endpoint will not automatically work on others - lateral movement from local admin reuse becomes much harder

Reduce or phase out NTLM where possible

Kerberos is generally more resistant to classic PtH abuse than NTLM-based workflows. Many organizations cannot disable NTLM everywhere immediately, but they can reduce it.

Practical steps: - inventory NTLM dependencies - enable NTLM auditing first - disable NTLM on systems that do not require it - review applications and devices still forcing NTLM

Protect credential material in memory

Enable security features that make credential dumping harder.

Examples: - LSASS protection where supported - Microsoft Defender Credential Guard where feasible - EDR rules for credential dumping behavior - attack surface reduction rules for common abuse paths

Technical Notes

Defenders can validate hardening settings with native commands and policy checks.

Check for LSA protection indicators:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL

Review local administrator group membership:

net localgroup Administrators

Enumerate recent NTLM operational events where enabled:

Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational" -MaxEvents 50

Review whether a host is seeing remote admin share access:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} -MaxEvents 100

Monitor the right behaviors

Do not rely on a single “PtH alert.” Focus on behavior chains: - suspicious credential access on one host - followed by network logons to many systems - followed by remote execution artifacts

Good detections often combine: - LSASS access or dumping attempts - explicit credential use - lateral SMB/RPC connections - service creation or remote process launches - unusual use of admin shares such as ADMIN$ or C$

NTLM hash

A password-derived value used in NTLM authentication. In PtH, this hash is the reusable secret the attacker presents.

Lateral movement

The process of moving from one compromised system to others inside the same environment.

Credential dumping

Techniques used to extract passwords, hashes, tickets, or tokens from a system.

Pass-the-ticket

A related Kerberos abuse technique where an attacker reuses a stolen Kerberos ticket instead of a password hash.

Overpass-the-hash

A hybrid technique where an attacker uses NTLM-derived material to obtain Kerberos authentication, often to move into Kerberos-based access paths.

LSASS

The Windows Local Security Authority Subsystem Service, a common target for credential theft because it can hold valuable authentication material in memory.

Bottom line

Pass-the-hash is not just a password problem. It is a credential exposure and lateral movement problem. If attackers can steal a reusable hash and your environment accepts it across multiple systems, one compromised machine can quickly become many.

For most teams, the highest-value defenses are straightforward: unique local admin passwords, reduced NTLM reliance, limited admin logons, and strong monitoring for remote admin abuse.

For more information on related topics, check out our articles on what is a zero-day exploit and what is CVSS.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-03

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.