Pass-the-hash attacks explained: mechanism, mitigation, and defense-in-depth

Pass the hash (PtH) isn't a new trick, but it remains one of the most persistent ways attackers move laterally through a network. Once a single computer is compromised, a PtH attack allows an intruder to move from one workstation to another, harvesting credentials and escalating privileges until they’ve effectively taken all the important keys. It’s a design flaw that’s been around as long as NTLM (NT LAN Manager), and frankly, it’s still working because modern enterprise environments can be messy.

In this article, we’re going to look at the actual mechanics of how these attacks play out. We’ll cover why simple password rotations aren't an answer, how to build a defense strategy that actually holds up, and what signs you should be watching to catch an attacker before they make it to your domain controller.

What is pass the hash?

In simple terms, a pass-the-hash attack is a technique where an intruder captures a hashed user credential and uses it to create a new authenticated session on the same network.

The genius—and the danger—of the pass-the-hash method is that it completely bypasses the need for a plaintext password. In a standard login, you provide a password, and the system hashes it to see if it matches the stored version. In a pass-the-hash technique, the attacker just hands over the hash itself to the authentication service. Since the system treats the hash as proof of identity, it grants access without ever asking for the actual password.

This turns a single compromised workstation into a launchpad for IT and security teams. Because many enterprise systems use NTLM authentication, these identity-based attacks are particularly effective at helping an intruder move laterally. Once attackers gain access to a local admin account, they can scrape the memory (usually via the LSASS process) to find hashes for other users who have logged in to that machine. From there, they "pass" those hashes to other servers or workstations, potentially landing on a high-value target like a domain controller.

How pass the hash works

A pass-the-hash attack is about impersonation. The attacker doesn’t care what your password is—they only care about the mathematical "thumbprint" your computer uses to prove you are who you say you are.

Why the hash is "good enough"

When you create a password, Windows doesn't store the actual text. Instead, it runs it through an algorithm to create a password hash—a fixed-string representation of that password.

In a perfect world, this hash is a one-way street: you can get a hash from a password, but you can’t turn a hash back into a password. However, for authentication systems like NTLM, the hash itself is often good enough to prove identity. For an attacker, that hash is the key.

The initial foothold

A pass-the-hash attack doesn't happen in a vacuum. The attacker needs a way into your network first, usually through a phishing link or an unpatched vulnerability.

Once they’re in, their first goal is to escalate to local administrator privileges. Why? Because password hashes are stored in protected areas of the system, like the Security Accounts Manager (SAM) database or the memory space of the Local Security Authority Subsystem Service (LSASS). To reach into that memory and scrape the hashes, you need the highest level of local access.

The lateral move

This is where the pass-the-hash technique turns a local nuisance into a company-wide crisis. Armed with a stolen NTLM hash, the attacker doesn't try to log in to the machine they’re already on. Instead, they "pass" that hash to a remote server or another workstation on the network.

Because the remote system accepts the hash as valid proof of identity, it opens the door. The attacker can then jump from machine to machine, looking for a "whale"—a domain admin who logged in to a workstation once and left their hash behind in memory.

The protocol weakness

The primary culprit here is NTLM. While Microsoft has pushed Kerberos as the default for years, NTLM remains active in almost every enterprise environment for legacy compatibility.

NTLM is inherently vulnerable to pass the hash because it relies on a challenge-response mechanism that doesn't require the plaintext password. It’s a stateless flaw: as long as the hash remains the same, the attacker can use it indefinitely to authenticate until that user finally changes their password.

Enterprise-level mitigation strategies

Effective pass-the-hash attack mitigation relies on breaking the chain of lateral movement. If you can isolate credentials and limit where they can be used, a compromised workstation remains an isolated incident rather than a network-wide breach.

Implement the principle of least privilege

The math is simple: if a user doesn't have local admin rights, an attacker can't easily scrape the LSASS process for hashes. By stripping away unnecessary administrative privileges across the board, you remove the initial foothold required for a pass-the-hash technique to succeed. Users should only have the permissions necessary for their specific role—no more, no less.

Credential protection and isolation

Modern Windows environments offer tools like Windows Defender Credential Guard. This uses virtualization-based security to isolate secrets so that only privileged system software can access them. Even if an attacker gains local admin rights, Credential Guard keeps the NTLM hashes and Kerberos tickets in a protected container that's off-limits to unauthorized processes.

Limit/restrict authentication protocols

The most effective way to stop a pass-the-hash attack is to eliminate NTLM where you don't need it. Moving toward Kerberos-only environments or using "Restrict NTLM" group policies reduces the attack surface. If your legacy apps absolutely require NTLM, make sure you're at least using NTLMv2, which offers better (though not perfect) protection than its predecessors.

Local Administrator Password Solution (LAPS)

One of the biggest gifts to an attacker is "credential overlap"—using the same local admin password across every workstation in the fleet. Microsoft’s LAPS automates the management of local admin passwords, making them unique to each machine and storing them in Active Directory. This guarantees that a hash stolen from Workstation A is useless on Workstation B.

Administrative tiering

You should never use a Domain Admin account to log in to a standard workstation. Administrative tiering creates logical boundaries: Tier 0 for domain controllers and identity servers, Tier 1 for application servers, and Tier 2 for workstations. By enforcing a rule where credentials from a higher tier are never used on a lower-tier machine, you ensure that an attacker can never "climb the ladder" by harvesting high-value hashes from common endpoints.

What to monitor to prevent pass-the-hash attacks?

To catch an attacker moving laterally, your monitoring needs to move from looking for "bad files" to looking for "bad behavior." Here is the shortlist of what your SOC or IT team should be watching:

• Identify anomalies in login patterns. Look for "impossible travel" (an account logging in from two different subnets simultaneously) or a sudden surge in NTLM authentications from a single workstation to multiple servers in a short window.

• Track lateral movement. Watch for Event ID 4624 (Successful Logon) where the Logon Type is 3 (Network) and the authentication package is NTLM, especially if it involves administrative accounts moving from workstation to workstation.

• Watch for unusual services. Attackers often use tools like PsExec to execute commands remotely after passing a hash. Monitor for the creation of new, unexpected services on remote systems—this is usually the first clear indicator of an active attack.

• Use EDR and ITDR solutions. While EDR monitors processes like LSASS for memory scraping, ITDR adds a layer of identity-specific intelligence. It can flag when a credential is being used in a way that doesn't match the user’s historical profile.

• Monitor NTLM authentication events. Specifically, look for NTLM logons that aren't preceded by an interactive logon. In a normal workflow, a user logs in locally before accessing network shares. If you see a network login without a local one, it might be a passed hash.

• Audit active directory. Regularly check for unauthorized changes to sensitive groups (like Domain Admins). If a new account suddenly gains high-level privileges, it’s a sign that an attacker has already moved past the "pass the hash" phase and is digging in for the long term.

Bottom line

The persistence of pass-the-hash attacks is a reminder that a password isn't always the finish line—for an attacker, it’s just one piece of the digital puzzle. Because this technique exploits the very way legacy protocols like NTLM function, the fix is a structural shift in how you handle and isolate company credentials.

By layering defenses like administrative tiering, moving toward Kerberos, and restricting NTLM, you turn a potentially network-wide crisis into an isolated, manageable incident.

How NordPass Business cuts the risk

We built NordPass Business to help IT teams stay on top of company credentials without the usual hassle. Here’s how it helps stop lateral movement:

• SSO and MFA integration. Move away from legacy logins. By integrating with providers like Entra ID or Okta, you reduce the reliance on local NTLM authentications, while mandatory MFA acts as a hard stop if a hash is ever compromised.

• Centralized policy control. Use the Admin Panel to enforce strict Password Policies across the organization. If you can eliminate weak and reused passwords, you’ve already won half the battle against lateral movement.

• Total visibility. Our Activity Log provides a clear audit trail. When you can see who is accessing what in real-time, spotting the anomalous patterns of a pass-the-hash attempt becomes much easier.

• Zero-knowledge security. With XChaCha20 encryption, your data is scrambled before it ever leaves the device. We can't see your keys, and neither can an intruder scraping your cloud storage.