T1550.002 Pass-the-Hash
How Pass-the-Hash exploits NTLM authentication to let attackers authenticate as any user with just the hash — no password cracking needed. Detection with Event IDs, KQL/SPL queries, and defense strategies for SOC analysts.
What Pass-the-Hash Is and Why It Works
- Pass-the-Hash (PtH) is a credential theft and lateral movement technique where an attacker authenticates to a remote system using the NTLM hash of a user’s password instead of the plaintext password.
- MITRE ATT&CK maps this to T1550.002 (Use Alternate Authentication Material: Pass the Hash).
- The technique exploits a fundamental design property of NTLM authentication: the protocol never transmits the plaintext password. The client proves possession of the password by encrypting a server-sent challenge with the NTLM hash. Since the hash itself is the authenticating material, possessing the hash is functionally equivalent to possessing the password.
How PtH Works — The Protocol Attack
Normal NTLM Authentication
```text
Client                                   Server
  |                                        |
  | --- Authentication Request ------>     |
  |                                        |
  | <--- Challenge (16-byte random) ---    |
  |                                        |
  | --- Challenge encrypted with           |
  |     NTLM hash of password -------->    |
  |                                        |
  |     Server encrypts the same challenge |
  |     with the stored NTLM hash ---------|
  |     (both must match)                  |
```
Pass-the-Hash Attack
```text
Attacker (has harvested NTLM hash)       Target Server
  |                                        |
  | --- Authentication Request ------>     |
  |                                        |
  | <--- Challenge -------------------     |
  |                                        |
  | --- Challenge encrypted with           |
  |     **harvested** NTLM hash ------>    |
  |                                        |
  |     Match succeeds — attacker is       |
  |     authenticated as the victim user   |
```
Key insight: The attacker never needs the plaintext password. They only need the NTLM hash, which they can obtain from:
- LSASS memory dump (Mimikatz `sekurlsa::logonpasswords`)
- SAM registry hive (`lsadump::sam`)
- DCSync attack (`lsadump::dcsync`)
- Credential theft tools (Invoke-Mimikatz, Rubeus, SharpKatz)
PtH Event IDs — What to Monitor
Primary Detection: Event ID 4624 (Successful Logon)
When PtH occurs, the logon event on the target system shows specific characteristics:
| Logon Type | Description | PtH Indicator |
|---|---|---|
| 3 | Network logon (most common for PtH) | Authentication from a different workstation than the user normally uses |
| 10 | Remote Interactive (RDP — less common for PtH) | User logging in via RDP from a workstation they don’t normally use |
SPL query — detect PtH via logon type 3 from anomalous sources (a critical insider threat indicator). The stats are grouped by AccountName only: grouping on a per-session field such as LogonGuid would never yield more than one workstation per row, so the mvcount test would never fire:
```spl
index=windows sourcetype=WinEventLog:Security EventCode=4624 LogonType=3
| search AccountName!="SYSTEM" AccountName!="ANONYMOUS LOGON" AccountName!="*$"
| iplocation IpAddress
| stats count, latest(_time) as _time, values(WorkstationName) as Workstations, values(Computer) as Servers, values(City) as Cities by AccountName
| where mvcount(Workstations) > 1 OR mvcount(Cities) > 1
| eval alert = "POTENTIAL PtH — " . AccountName . " authenticated via network logon from multiple workstations"
| table _time, AccountName, Workstations, Servers, count, alert
```
Secondary Detection: Event ID 4776 (NTLM Authentication)
This event records every NTLM authentication attempt against a server and includes the workstation name:
SPL query — detect NTLM auth from unusual workstations (Status 0x0 keeps only successful attempts):
```spl
index=windows sourcetype=WinEventLog:Security EventCode=4776
| search Status="0x0"
| stats count, latest(_time) as _time, values(Workstation) as Workstations by LogonAccount
| where mvcount(Workstations) > 3
| eval alert = "NTLM AUTH — " . LogonAccount . " authenticated from " . mvjoin(Workstations, ", ") . " — possible PtH lateral movement"
| table _time, LogonAccount, Workstations, count, alert
```
Tertiary Detection: Event ID 4648 (Explicit Credential Use)
When a tool like wmic.exe, psexec.exe, or Invoke-WmiMethod is used with explicit credentials, Event 4648 fires with the target server and account:
SPL query — detect explicit credential use to remote systems (SubjectUserSid S-1-5-18 is SYSTEM and is excluded):
```spl
index=windows sourcetype=WinEventLog:Security EventCode=4648
| search SubjectUserSid!="S-1-5-18"
| stats count, latest(_time) as _time, values(TargetServer) as Servers, values(SubjectUserName) as Users by ProcessName, TargetUserName
| where mvcount(Servers) > 2
| eval alert = "EXPLICIT CRED USE — " . TargetUserName . " used from " . mvjoin(Users, ", ") . " via " . ProcessName . " to " . mvjoin(Servers, ", ") . " — lateral movement"
| table _time, TargetUserName, Users, ProcessName, Servers, count, alert
```
Logon Type Reference for PtH Detection
| Logon Type | Name | Typical Use | PtH Relevance |
|---|---|---|---|
| 2 | Interactive | Local console or keyboard | Rare in PtH — attacker would need RDP |
| 3 | Network | SMB, file share, WMI, WinRM, PsExec | Most common — primary PtH detection target |
| 8 | NetworkCleartext | IIS, SQL server | Possible with credential theft tools |
| 9 | NewCredentials | RunAs with /netonly | Seen with tools that use explicit credentials |
| 10 | RemoteInteractive | RDP | Possible if the attacker uses PtH over RDP |
Tools That Use Pass-the-Hash
| Tool | Command | Technique |
|---|---|---|
| Mimikatz | sekurlsa::pth /user:admin /domain:corp /ntlm:HASH | Injects the hash into a new logon session — also used in Golden Ticket attacks |
| Impacket (wmiexec.py) | wmiexec.py corp/admin@target -hashes LMHASH:NTHASH | Uses PtH over WMI for remote execution |
| Impacket (smbexec.py) | smbexec.py corp/admin@target -hashes LMHASH:NTHASH | Uses PtH over SMB for remote execution |
| Impacket (psexec.py) | psexec.py corp/admin@target -hashes LMHASH:NTHASH | Uses PtH over SMB with service creation |
| CrackMapExec | cme smb target -u admin -H NTHASH | Multi-host PtH testing |
| Cobalt Strike | jump psexec target smb HASH | PtH via SMB beacon |
| Metasploit | `exploit/windows/smb/psexec` | PtH via SMB with SMBPass set to hash — relevant across on-prem and cloud environments |
SPL query — detect Impacket-style PtH tools (Impacket tools often leave the workstation name blank, which Windows records as "-"):
```spl
index=windows sourcetype=WinEventLog:Security EventCode=4624 LogonType=3
| search AuthenticationPackageName="NTLM" WorkstationName="-"
| stats count, latest(_time) as _time by WorkstationName, AccountName, TargetUserName, IpAddress
| eval alert = "POTENTIAL IMPACKET PtH — blank workstation name for " . AccountName . " from " . IpAddress
| table _time, AccountName, IpAddress, TargetUserName, count, alert
```
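To show what the 4624-based queries above (the multi-workstation rule and the blank-workstation Impacket rule) actually compute, here is an added example, not code from the original page, that applies the same filters and thresholds to a handful of constructed Event 4624 records. Field names mirror the SPL; the accounts, hosts and addresses are invented sample data.

```python
from collections import defaultdict

def ev(acct, ws, ip, computer, pkg="NTLM", ltype=3):
    """Build a constructed Event 4624 record using the field names the SPL above relies on."""
    return {"EventCode": 4624, "LogonType": ltype, "AuthenticationPackageName": pkg,
            "AccountName": acct, "WorkstationName": ws, "IpAddress": ip, "Computer": computer}

# Constructed sample telemetry: a normal user, an admin account arriving from two different
# workstations, a blank-workstation NTLM logon, a Kerberos logon and a machine account.
EVENTS = [
    ev("jsmith", "WS-JSMITH", "10.0.1.15", "FS01"),
    ev("jsmith", "WS-JSMITH", "10.0.1.15", "FS02"),
    ev("admin", "WS-JSMITH", "10.0.1.15", "DC01"),
    ev("admin", "WS-BOB", "10.0.1.22", "FS01"),
    ev("svc_backup", "-", "10.0.5.9", "FS03"),
    ev("alice", "WS-ALICE", "10.0.1.30", "FS01", pkg="Kerberos"),
    ev("FS01$", "FS01", "10.0.2.1", "DC01"),
]

EXCLUDED = {"SYSTEM", "ANONYMOUS LOGON"}

def in_scope(e):
    """Same filter as the SPL: network logons, minus SYSTEM, anonymous and machine ($) accounts."""
    return (e["EventCode"] == 4624 and e["LogonType"] == 3
            and e["AccountName"] not in EXCLUDED and not e["AccountName"].endswith("$"))

def multi_workstation(events, threshold=1):
    """Accounts seen from more than `threshold` distinct workstations (mvcount(Workstations) > 1)."""
    seen = defaultdict(set)
    for e in filter(in_scope, events):
        seen[e["AccountName"]].add(e["WorkstationName"])
    return {acct: sorted(ws) for acct, ws in seen.items() if len(ws) > threshold}

def blank_workstation(events):
    """NTLM network logons whose WorkstationName is '-' (the Impacket-style indicator)."""
    return sorted({(e["AccountName"], e["IpAddress"]) for e in filter(in_scope, events)
                   if e["AuthenticationPackageName"] == "NTLM" and e["WorkstationName"] == "-"})

def alerts(events):
    """Render both rules as alert strings, mirroring the eval lines in the SPL."""
    out = [f"POTENTIAL PtH: {a} authenticated via network logon from {', '.join(ws)}"
           for a, ws in multi_workstation(events).items()]
    out += [f"POTENTIAL IMPACKET PtH: blank workstation name for {a} from {ip}"
            for a, ip in blank_workstation(events)]
    return out
```

Note that jsmith, who logs on to two servers from one workstation, is not flagged; the rule keys on distinct source workstations per account, not on the number of destinations.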
PtH Triage — Investigation Workflow
Step 1: Confirm PtH vs. Normal Usage
| Finding | Likelihood |
|---|---|
| User Account A logs into Server B from Workstation C — this is their normal pattern | Normal — no investigation needed |
| User Account A logs into Server B from Workstation D (a different user’s machine) | Suspect PtH — investigate |
| User Account A logs into Server B from an unknown computer name | High confidence PtH |
| User Account A logs into 5 servers from 5 different workstations in 2 minutes | CRITICAL — automated PtH lateral movement |
Step 2: Determine the Source of the Hash
| If Attacker Used | Check These Event IDs |
|---|---|
| LSASS memory access | Sysmon Event 10 — non-LSASS process accessing lsass.exe |
| DCSync | Event 4662 — Directory Service access with DS-Replication-Get-Changes |
| SAM hive | Event 4656/4663 — registry access to SAM hive |
| Mimikatz | Event 4688 — command line with sekurlsa::logonpasswords or lsadump::* |
Step 3: Scope the Lateral Movement
```text
Identify the initial compromised host
│
├─ Check Event 4624 — where did the authentication originate?
│   Look for Network logon type 3 events with the compromised account
│
├─ Check Event 4776 — all NTLM authentication attempts
│   Map every server the account authenticated to
│
├─ Check Event 4648 — explicit credential usage
│   Shows which tools were used to execute the PtH
│
└─ Check Sysmon Event 3 — network connections from the compromised host
    Map all outbound connections to discover additional compromised systems and C2 infrastructure
```
C2 infrastructure is covered in [Command and Control](/threats/command-and-control).
Step 4: Contain
- Disable the compromised account — stop further PtH attempts
- Isolate the compromised host — prevent additional hash extraction
- Reset the compromised account’s password — the hash changes immediately
- Rotate all service account passwords that the compromised account had access to
- Assume all servers accessed during the PtH window are compromised — investigate each
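An added example, not from the original page, that turns Steps 1, 3 and 4 into a scoping routine: it finds the densest two-minute window of network logons for the compromised account, grades it with the Step 1 table (normal workstation, another user's machine, unknown computer, or many servers from many workstations), and returns the servers touched in that window as the containment list from Step 4. The logon rows, host names and the "known hosts" inventory are constructed.

```python
from datetime import datetime, timedelta

# Constructed Event 4624 / LogonType 3 rows for the account under investigation:
# (time, AccountName, WorkstationName, Computer).
LOGONS = [
    ("2024-05-01T10:00:05", "admin", "WS-JSMITH", "FS01"),
    ("2024-05-01T10:00:40", "admin", "WS-BOB", "FS02"),
    ("2024-05-01T10:01:10", "admin", "WS-CAROL", "DC01"),
    ("2024-05-01T10:01:30", "admin", "UNKNOWN-PC", "SQL01"),
    ("2024-05-01T10:01:55", "admin", "WS-DAVE", "FS03"),
    ("2024-05-01T14:30:00", "admin", "WS-ADMIN", "FS01"),   # the admin's normal logon
]

def scope_pth(account, logons, normal_workstations, known_hosts, window=timedelta(minutes=2)):
    """Grade the densest `window` of logons per the Step 1 table and list servers to contain."""
    rows = sorted((datetime.fromisoformat(t), ws, srv) for t, a, ws, srv in logons if a == account)
    burst = []
    for t0, _, _ in rows:                       # densest window starting at each logon
        span = [r for r in rows if t0 <= r[0] <= t0 + window]
        if len(span) > len(burst):
            burst = span
    workstations = {ws for _, ws, _ in burst}
    servers = {srv for _, _, srv in burst}
    if len(servers) >= 5 and len(workstations) >= 5:
        verdict = "CRITICAL"                    # automated PtH lateral movement
    elif workstations - known_hosts:
        verdict = "HIGH"                        # unknown computer name
    elif workstations - normal_workstations:
        verdict = "SUSPECT"                     # another user's machine
    else:
        verdict = "NORMAL"
    return {
        "verdict": verdict,
        "window": (burst[0][0].isoformat(), burst[-1][0].isoformat()) if burst else None,
        "workstations": sorted(workstations),
        "servers_to_investigate": sorted(servers),   # Step 4: assume each is compromised
    }
```

The afternoon logon from WS-ADMIN falls outside the burst and does not dilute the verdict; a single logon from a known but foreign workstation grades as SUSPECT rather than HIGH.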
Prevention
| Control | What It Stops | Implementation |
|---|---|---|
| Credential Guard | LSASS memory access — prevents hash extraction | Enable via GPO: Virtualization Based Security |
| Restricted Admin Mode (RDP) | PtH over RDP | `New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -PropertyType DWORD -Value 0` |
| Kerberos-only authentication | NTLM-based PtH won’t work | Disable NTLM via GPO: Network security: Restrict NTLM |
| LAPS | Local admin password rotation | LAPS rotates local admin passwords regularly |
| Privileged Access Workstations (PAW) | Admin credentials never appear on standard workstations | Tier 0/1/2 separation model |
| Just-in-Time (JIT) admin access | Reduces exposure window for admin credentials | PIM/PAM solutions (Azure AD PIM, CyberArk) |
| Network segmentation | Limits blast radius — attacker cannot reach domain controllers from user workstations | Microsegmentation, VLANs, firewall rules |
Related
- Kerberoasting — detection and response for T1558.003 techniques
- Active Directory Basics — covers the core Active Directory concepts this page builds on
- Credential Theft Incident Response — detection and response for T1558.001, T1003.001, T1134 techniques
- Mimikatz — detection and response for T1003 techniques
