eastbaycyber

What Is Pass the Hash?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Pass the Hash (often shortened to PtH) is an attack technique where an attacker uses a stolen password hash to authenticate without knowing the user’s actual plaintext password. Pass the Hash is most commonly associated with Windows environments, credential theft, and lateral movement after an attacker has already compromised at least one system.

For related background, it helps to understand what is lateral movement and what is credential dumping, since Pass the Hash usually appears as part of a larger post-compromise attack chain.

Pass the Hash definition

A password hash is a derived representation of a password used during authentication. In a Pass the Hash attack, the attacker does not need to crack that hash back into the original password. Instead, they reuse the hash itself when authenticating to another system that accepts it.

In simple terms, the attacker steals credential material and uses it directly.

How Pass the Hash works

To understand Pass the Hash, start with the core idea: some systems can accept a valid password hash as proof of identity during authentication. If an attacker obtains that hash from a compromised machine, they may be able to use it to access other systems as the same user.

A typical Pass the Hash attack path looks like this.

1. Initial compromise

The attacker first gains a foothold on a machine. That may happen through:

  • Phishing or malware
  • Exploitation of a vulnerable service
  • Stolen credentials
  • Remote access abuse
  • Use of a compromised admin account

Pass the Hash is usually not the initial intrusion method. It is more often a post-exploitation technique used after the attacker already has code execution or privileged access somewhere in the environment.

2. Credential material theft

Once on a system, the attacker looks for reusable authentication data. In Windows environments, that may include password hashes exposed through memory, cached credentials, or security subsystems.

The attacker is often looking for hashes tied to:

  • Local administrator accounts
  • Domain user accounts
  • Service accounts
  • Privileged administrative sessions that touched the host

This is one reason administrator workstations and shared admin jump points are high-value targets.

3. Reusing the hash for authentication

Instead of reversing the hash into the original password, the attacker supplies the hash itself to another system that accepts that credential material. If the authentication succeeds, the target system treats the attacker as the legitimate user.

That is the core advantage of Pass the Hash: the attacker does not need to know the password if the environment allows the hash to be reused.

4. Lateral movement

After authenticating to additional systems, the attacker expands access across the environment. Common objectives include:

  • Accessing file shares and administrative tools
  • Reaching servers with sensitive data
  • Moving toward domain controllers
  • Expanding privilege
  • Establishing persistence
  • Preparing for ransomware, espionage, or data theft

In real incidents, Pass the Hash is rarely the end goal. It is a way to turn one compromised host into many.

Why Pass the Hash is effective

Pass the Hash tends to work best in environments with weak credential hygiene or broad administrative access. Common conditions that increase risk include:

  • Reused local administrator credentials across endpoints
  • Broad admin privileges
  • Weak segmentation between workstations and servers
  • Legacy authentication dependencies
  • Privileged accounts logging into lower-trust systems
  • Limited visibility into authentication behavior

From the attacker’s perspective, it is efficient. They do not need to guess passwords if valid hashes are already available.

What defenders look for

Defenders often investigate for signs such as:

  • Unusual lateral authentication activity
  • Administrative access from unexpected hosts
  • Suspicious use of remote management tools
  • Logons that do not match normal account behavior
  • Repeated authentication from a single compromised workstation
  • Credential dumping or security process tampering earlier in the chain

One challenge is that the authentication may look legitimate because it uses real account material rather than a guessed password.

When you will encounter Pass the Hash

You are most likely to encounter Pass the Hash in discussions about Windows security, post-compromise activity, and lateral movement.

During incident response

If responders find that an attacker moved from one host to another using legitimate account access, Pass the Hash is one of the common techniques they will consider. It often appears in investigations involving domain compromise, ransomware staging, or privileged account abuse.

In Active Directory environments

Traditional Windows domain environments are the most common context for Pass the Hash discussions. The technique is especially relevant where NTLM-based authentication or similar credential reuse risks still exist.

During privilege access reviews

Security teams reviewing local admin account management, endpoint hardening, tiered administration, or credential exposure often run into Pass the Hash as a key reason to reduce privileged session sprawl.

In red team and purple team testing

Adversary simulation exercises may include Pass the Hash scenarios to validate whether defenses can detect credential dumping, unusual authentication, or lateral movement using valid account artifacts.

In ransomware and hands-on-keyboard intrusions

Pass the Hash is frequently mentioned in real-world intrusions where attackers gain an initial foothold, harvest credentials, and move laterally before deploying payloads or exfiltrating data.

For many SMBs, the exact term may not come up until a security assessment or incident. The underlying risk is still common: one exposed host can expose reusable credentials that help compromise spread.

How to reduce Pass the Hash risk

Reducing Pass the Hash risk means limiting credential exposure and making lateral movement harder.

Limit credential reuse

Avoid reusing local administrator passwords across systems. Unique local admin credentials greatly reduce the value of one stolen hash.

Restrict privileged logons

Do not let high-privilege accounts routinely log into lower-trust workstations. The fewer privileged sessions that touch ordinary endpoints, the fewer chances attackers have to capture valuable hashes.

Reduce NTLM exposure

Where possible, move away from legacy authentication dependencies and review where NTLM is still required. The less the environment depends on reusable credential material, the better.

Use least privilege and segmentation

Limit what accounts can access and separate administrative workflows from user workflows. This helps reduce the blast radius when one system is compromised.

Protect credentials with strong hygiene

Use unique, well-managed credentials and store them securely. A password manager like 1Password can help teams reduce password reuse and improve credential handling practices.

Strengthen endpoint defenses

Attackers often need to dump credentials from a compromised machine before attempting Pass the Hash. Endpoint protection such as Malwarebytes can help detect suspicious malware activity and reduce the chance of successful post-exploitation.

Bottom line

Pass the Hash is a credential abuse technique that lets attackers authenticate with a stolen hash instead of the real password. It is dangerous because it can turn one compromised system into a launch point for broader access, especially in Windows environments with weak credential hygiene, reused admin access, or legacy authentication exposure.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.