What is Pass-the-Hash?
Pass-the-hash (PtH) is an attack technique that allows an attacker to authenticate to a remote system using the password hash, without the need for the password in plain text.
It is particularly effective in Windows environments, where the NTLM authentication protocol accepts the static NTLM hash as the credential: the challenge-response is computed directly from the hash, so knowing the hash is as good as knowing the password.
How the attack works
- Initial access
The attacker gains access to a machine (e.g. phishing, local exploit).
- Credential dumps
With elevated privileges, the attacker extracts NTLM hashes with tools such as Mimikatz (lsadump::sam, sekurlsa::logonpasswords), the Metasploit hashdump module, or samdump2 (run against copies of the SAM and SYSTEM hives, e.g. exported via PowerShell).
- Authentication using hash
The attacker authenticates to other hosts on the network using psexec.py or wmiexec.py (Impacket), Mimikatz sekurlsa::pth, pth-winexe, pth-smbclient, etc.
No plaintext password is needed, only the NTLM hash.
Defense Techniques
| Mitigation | Protection |
| --- | --- |
| Prefer Kerberos to NTLM | NTLM is outdated and vulnerable to PtH. Configure the AD domain to use only Kerberos wherever possible. Set GPO to force Send NTLMv2 response only. |
| Enable LSA Protection | It protects processes such as lsass.exe against memory reads. |
| Enable Credential Guard | Isolate credentials in a secure environment via virtualization. Requires Windows 10/11 Enterprise or Server 2016+, Hyper-V enabled, UEFI firmware |
| LAPS (Local Administrator Password Solution) | It generates unique random passwords for each local admin account and stores them in AD. Prevents the same hash from being reused across multiple PCs. |
| Least privilege and segmentation | Use different accounts for day-to-day and administrative tasks. Segregation between network users and critical servers. Apply the principle of least privilege everywhere. |
| Monitoring and Logging | Use a SIEM to detect access to lsass.exe, suspicious logons (Event ID 4624, 4648, 4672), use of remote tools (psexec, wmic), and NTLM instead of Kerberos (Event ID 4776, 4768, 4771). |
| Antivirus and EDR | Use Microsoft Defender for Endpoint. |
| PowerShell hardening | Disable PowerShell remoting if not necessary; use AppLocker to block unsigned executions; restrict tools like PsExec, WMIC, etc. |
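The monitoring row above names Event ID 4624 and NTLM-instead-of-Kerberos as the signals to watch. The following script is an added example, not code from the original post: it reads the Security log, keeps only network logons (LogonType 3) that used the NTLM package, and summarises them per account. A Pass-the-Hash lateral move shows up as exactly this kind of logon, typically one account appearing over NTLM from several source addresses in a short window, or from a source where NTLM is not expected. The 24-hour window, the empty `$KnownNtlmSources` list and the threshold of three distinct sources are assumptions to tune for your environment; the script is read-only and needs an elevated PowerShell on the host (or log collector) that holds the events.

```powershell
# Added example (not from the original post): summarise NTLM network logons
# from the Security log (Event ID 4624, LogonType 3, AuthenticationPackageName
# NTLM), the footprint a Pass-the-Hash lateral move leaves behind.

function Get-NtlmNetworkLogon {
    [CmdletBinding()]
    param(
        [datetime]$StartTime = (Get-Date).AddHours(-24),   # assumption: last 24h
        [string[]]$KnownNtlmSources = @()                  # assumption: no source is expected to use NTLM
    )

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    # SilentlyContinue: Get-WinEvent throws when the filter matches no events.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name, not by index, so a schema change between
        # Windows builds does not silently shift the columns.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -eq '3' -and $data['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                SourceIp    = $data['IpAddress']
                Workstation = $data['WorkstationName']
                NtlmVersion = $data['LmPackageName']     # 'NTLM V1' or 'NTLM V2'
                Expected    = [bool]($KnownNtlmSources -contains $data['IpAddress'])
            }
        }
    }
}

function Get-NtlmLogonSummary {
    param(
        [Parameter(ValueFromPipeline)] $Logon,
        [int]$SourceThreshold = 3   # assumption: more than 3 distinct sources per account is worth a look
    )
    begin   { $all = @() }
    process { $all += $Logon }
    end {
        $all | Group-Object Account | ForEach-Object {
            $sources    = @($_.Group.SourceIp | Sort-Object -Unique)
            $unexpected = @($_.Group | Where-Object { -not $_.Expected })
            [pscustomobject]@{
                Account         = $_.Name
                Logons          = $_.Count
                DistinctSources = $sources.Count
                Sources         = ($sources -join ', ')
                NtlmV1Seen      = [bool]($_.Group.NtlmVersion -contains 'NTLM V1')
                Flag            = ($sources.Count -gt $SourceThreshold) -or
                                  ($unexpected.Count -gt 0)
            }
        } | Sort-Object -Property DistinctSources -Descending
    }
}

# Machine accounts (trailing $) and ANONYMOUS LOGON dominate normal NTLM traffic
# and are filtered out here; keep them if you are hunting for other abuse.
Get-NtlmNetworkLogon |
    Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notmatch 'ANONYMOUS LOGON' } |
    Get-NtlmLogonSummary |
    Format-Table -AutoSize
```

On a single host the summary shows who reached this host over NTLM and from where; the fleet-wide view the table asks for (one source touching many hosts) only appears once the same query runs over centralised logs in the SIEM. The `NtlmV1Seen` column is a by-product worth keeping: any NTLM V1 entry means the "Send NTLMv2 response only" policy from the first row is not yet effective for that client.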
Impact of Pass-the-Hash Mitigations in Production
Because yes, it's nice to say "turn on Credential Guard," but in a company with 500 PCs, help desks, legacy users, and older applications, it's never that simple.
| Mitigation | Benefits | Impact / Compatibility | Real Environments |
| --- | --- | --- | --- |
| Credential Guard | Isolates hashes, blocks many PtH attacks | Incompatible with some legacy software, smart cards, RDP shadowing | Requires testing in environments with VPN, helpdesk tools, or hardware management agents |
| LSA Protection (RunAsPPL) | Prevents credential dumping via LSASS access | May cause issues with backup/monitoring/AV tools that hook LSASS | Can break third-party software that reads memory; test on critical systems before enabling |
| Disable NTLM | Prevents authentication using hashes | High risk of breaking apps relying on NTLM | Should start with audit-only mode in GPO before enforcing; ensure all services support Kerberos |
| LAPS (Local Admin PW Solution) | Unique local admin passwords per machine | Easy to deploy in modern AD environments | IT teams must update internal scripts/tools to retrieve passwords securely |
| Account Tiering / No DA login on workstations | Minimizes credential theft risk | No functional impact if well planned | Requires user/admin training and organizational discipline; aligns with Zero Trust practices |
| Restricted Admin Mode (RDP) | Prevents credential leakage over RDP | Breaks access to network resources during RDP sessions | Best suited for emergency admin access or jump boxes, not for daily use |
| AppLocker / SRP | Blocks unauthorized tools like Mimikatz | Can disrupt scripts, unsigned apps, old software | Must be tested thoroughly before deployment; works best with inventory of legitimate binaries |
| EDR + ASR (Defender) | Detects & blocks credential dumping | Low impact if properly configured | Needs tuning to avoid false positives; works well in tandem with other hardening strategies |
A realistic approach to a production environment could therefore include the following actions:
- Do an NTLM audit
- Turn on LAPS
- Enable LSA Protection on recent hosts
- Avoid Domain Admin logins outside the Domain Controller
- Do Pilot Testing of Credential Guard
- Tune EDR and Defender ASR
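Both the compatibility table and the phased plan above assume you can tell, per host, which controls are actually in effect before and after each rollout step. The script below is an added example, not code from the original post or from any vendor tool: a read-only check of the registry and Device Guard state behind the NTLM audit, LSA Protection, Credential Guard, Restricted Admin and LAPS items. The registry locations are the documented policy keys; the LAPS check assumes the host is policed either by legacy LAPS (AdmPwd) or by Windows LAPS, and a missing LmCompatibilityLevel is reported as "not set" even though current Windows defaults to level 3 in that case.

```powershell
# Added example (not from the original post): read-only posture check for the
# Pass-the-Hash mitigations. Run elevated on a pilot host, or push it to many hosts
# and collect the output to track the rollout. It changes no settings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: setting not configured by policy
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard lists 1 in SecurityServicesRunning while Credential Guard is active.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        return [bool]($dg.SecurityServicesRunning -contains 1)
    } catch { return $false }
}

function Test-PthHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

    $lmLevel  = Get-RegValue $lsa 'LmCompatibilityLevel'        # 3+ = send NTLMv2 only; 5 = also refuse LM/NTLM inbound
    $auditIn  = Get-RegValue $msv 'AuditReceivingNTLMTraffic'   # 2 = audit incoming NTLM for all accounts
    $auditOut = Get-RegValue $msv 'RestrictSendingNTLMTraffic'  # 1 = audit outgoing NTLM, 2 = deny
    $runAsPpl = Get-RegValue $lsa 'RunAsPPL'                    # 1 (UEFI-locked) or 2 = LSA Protection on
    $vbs      = Get-RegValue $dg  'EnableVirtualizationBasedSecurity'
    $lsaCfg   = Get-RegValue $lsa 'LsaCfgFlags'                 # 1 (UEFI-locked) or 2 = Credential Guard configured
    $rdpRa    = Get-RegValue $lsa 'DisableRestrictedAdmin'      # 0 = Restricted Admin mode accepted by this RDP host
    $lapsOld  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
    $lapsNew  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' 'BackupDirectory'
    $cgLive   = Test-CredentialGuardRunning

    $checks = @(
        @{ Control = 'NTLM: NTLMv2 only (LmCompatibilityLevel)'; Value = $lmLevel;  Ok = ($lmLevel -ge 3) }
        @{ Control = 'NTLM: audit incoming traffic';              Value = $auditIn;  Ok = ($auditIn -eq 2) }
        @{ Control = 'NTLM: audit or deny outgoing traffic';      Value = $auditOut; Ok = ($auditOut -ge 1) }
        @{ Control = 'LSA Protection (RunAsPPL)';                 Value = $runAsPpl; Ok = ($runAsPpl -in 1, 2) }
        @{ Control = 'Credential Guard configured (VBS+LsaCfgFlags)'; Value = "$vbs/$lsaCfg"; Ok = ($vbs -eq 1 -and $lsaCfg -in 1, 2) }
        @{ Control = 'Credential Guard running';                  Value = $cgLive;   Ok = $cgLive }
        @{ Control = 'RDP Restricted Admin accepted';             Value = $rdpRa;    Ok = ($rdpRa -eq 0) }
        @{ Control = 'LAPS policy present (legacy or Windows LAPS)'; Value = "$lapsOld/$lapsNew"; Ok = ($lapsOld -eq 1 -or $null -ne $lapsNew) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Control      = $c.Control
            Value        = if ($null -eq $c.Value -or "$($c.Value)" -eq '') { 'not set' } else { "$($c.Value)" }
            Status       = if ($c.Ok) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-PthHardening | Format-Table -AutoSize
```

"REVIEW" is deliberately not "FAIL": as the compatibility table says, Restricted Admin and Credential Guard are not right for every host, so the output is a rollout inventory, not a compliance verdict. Comparing the "configured" and "running" Credential Guard rows is the quickest way to spot hosts where the policy landed but the hardware or firmware prerequisites did not.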
Final Thoughts
Pass-the-Hash is one of the most common post-exploitation attacks in Windows environments, but it can be effectively countered with a combination of:
- Technical protections (LSA, Credential Guard)
- Good administrative practices (LAPS, minimum privileges)
- Visibility (logging and continuous monitoring)
It is not only a technical problem, but also an organizational one: we need a culture of security, and a network designed to withstand even partial compromises.
Security in production is always a balance. Better a network that is 90% secure but working than perfect hardening that blocks users.
Mitigations against PtH are very powerful, but they must be adopted in phases, with tests, and above all with internal training (IT, users, dev).