Lateral movement: Pass the hash attack

Pass-the-hash is a technique in which the attacker gets hold of the NTLM or LanMan hash of a user's password, instead of the plain-text password, and authenticates with it. This technique, highly prevalent on Windows systems, is one of the successful lateral movement techniques.

However, if the user's password has been changed, the stolen hash can no longer be used. Hence, best security practices insist upon changing passwords once every 45 or 60 days.

How does a pass-the-hash attack happen?

In Windows, password hashes are stored in the Security Accounts Manager (SAM), in Local Security Authority Subsystem (LSASS) process memory, and in the Ntds.dit database in Active Directory. Attackers steal the hashes from any of these places using the techniques below:

  • With physical access to the system, they can boot the system drive into a different OS and copy the SAM file
  • Harvest password hashes by running hash-dumping tools over an established remote connection
  • Sniff out password hashes using malicious programs as they traverse the network during the authentication process

Some of the hash-dumping tools that are frequently used include mimikatz, iam.exe, genhash.exe and more. pwdump.exe is a Windows program that can be exploited to obtain the password hashes.

How does a pass-the-hash attack work?

  • Step 1: Attackers get into the network through a phishing campaign. Upon getting hold of a system, the malicious tools stated above are installed to harvest the password hashes from the local systems.

  • Step 2: Lateral movement - Using the harvested user account and password hashes, the attackers authenticate to other systems and resources to which the account has access.

Pass-the-hash attacks are more damaging when the compromised user account has Single Sign-On (SSO) enabled for many business apps.

How can you detect a pass-the-hash attack?

Pass-the-hash attacks can be detected by analyzing your logs and looking for logon anomalies.

To detect a pass-the-hash attack in your network, configure your security tool to detect the criteria below:

Source Host

  • Event ID: 4624 (An account was successfully logged on)
  • Logon type: 9
  • Authentication package: Negotiate
  • Logon process: seclogo
  • Sysmon event ID: 10

Target Host

  • Event ID: 4768 (A Kerberos authentication ticket (TGT) was requested)
  • Event ID: 4769 (A Kerberos service ticket was requested)
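
The criteria above can be expressed as a small correlation rule. The following Python code is an added example, not ManageEngine or Log360 code; it runs over constructed events in a hypothetical flattened schema (the `Account` key and the `ev` helper are illustrative). The 5-minute window and the restriction of Sysmon event 10 to `lsass.exe` are assumptions added here, not criteria from the list.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per environment

def is_source_logon(ev):
    # Source-host criteria from the article: 4624, type 9, Negotiate, seclogo
    return (ev["EventID"] == 4624 and str(ev.get("LogonType")) == "9"
            and ev.get("AuthenticationPackageName", "").strip().lower() == "negotiate"
            and ev.get("LogonProcessName", "").strip().lower() == "seclogo")

def is_lsass_access(ev):
    # Sysmon 10 is ProcessAccess; restricting to lsass.exe is an assumption added here
    return ev["EventID"] == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe")

def correlate(events):
    """Return one finding per matching 4624, scored by supporting events."""
    findings = []
    for logon in filter(is_source_logon, events):
        t0 = logon["TimeCreated"]
        lsass = [e for e in events if is_lsass_access(e)
                 and e["Computer"] == logon["Computer"]
                 and abs(e["TimeCreated"] - t0) <= WINDOW]
        tickets = [e for e in events if e["EventID"] in (4768, 4769)
                   and e.get("Account", "").lower() == logon["Account"].lower()
                   and timedelta(0) <= e["TimeCreated"] - t0 <= WINDOW]
        score = int(bool(lsass)) + int(bool(tickets))
        findings.append({"host": logon["Computer"], "account": logon["Account"],
                         "severity": ("low", "medium", "high")[score],
                         "ticket_events": sorted({e["EventID"] for e in tickets})})
    return findings

def ev(event_id, computer, time, **fields):
    return {"EventID": event_id, "Computer": computer,
            "TimeCreated": datetime.fromisoformat("2024-01-10T" + time), **fields}

# Constructed sample events in a hypothetical flattened schema (not real logs)
SAMPLE_EVENTS = [
    ev(10, "WS01", "10:00:00", TargetImage="C:\\Windows\\System32\\lsass.exe"),
    ev(4624, "WS01", "10:00:30", Account="svc_backup", LogonType=9,
       AuthenticationPackageName="Negotiate", LogonProcessName="seclogo "),
    ev(4768, "SRV01", "10:01:00", Account="svc_backup"),
    ev(4769, "SRV01", "10:01:05", Account="svc_backup"),
    ev(4624, "WS02", "11:00:00", Account="alice", LogonType=2,
       AuthenticationPackageName="Negotiate", LogonProcessName="User32 "),
    ev(4624, "WS03", "12:00:00", Account="bob", LogonType=9,
       AuthenticationPackageName="Negotiate", LogonProcessName="seclogo"),
]
```

A type 9 logon with no supporting events, such as the WS03 entry, is scored low because the same 4624 pattern is produced by legitimate `runas /netonly` use.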

How to minimize the impact of a pass-the-hash attack?

  • When you've enabled SSO, make sure that you also implement multi-factor authentication as a safeguard. This way, even if the credential is compromised, the attacker will be unable to access the data.
  • Implement the principle of least privilege (POLP) by creating separate Domain admin and standard accounts for day-to-day work.
  • Enforce password changes frequently.

ManageEngine Log360, a comprehensive SIEM solution, can help you detect these attacks with its powerful correlation engine, real-time event response system, and log forensic analysis capabilities. The solution quickly detects the indicators of compromise associated with the pass-the-hash attack. It further enriches the detection by correlating other relevant events, and thereby accurately alerts you when this attack occurs. And that's not all. Log360 comes bundled with a threat intelligence platform, user and entity behavior analytics, and a lot more.
