Pass-the-hash attacks have been around since the 1990s. The mechanics are simple. Windows authenticates to remote services by sending hashes rather than plaintext passwords, which means an attacker who recovers the hash can authenticate as the user without ever knowing the underlying password. Twenty-plus years later, pass-the-hash is still one of the most reliable lateral movement techniques in routine use, because the defensive measures against it require operational discipline that many organisations have not yet achieved.
The Source Of Hashes Has Multiplied
Originally pass-the-hash relied on extracting hashes from the local SAM database. Modern attackers have many more options. LSASS process memory, the credential manager, Kerberos ticket caches, ntds.dit on the domain controller and cached credentials on workstations all provide reusable material. Defending against each of these surfaces individually is necessary but not sufficient. The hashes that matter most are domain administrator hashes, and the discipline of never logging on with those credentials outside hardened hosts remains the single most effective control. A focused internal network pen testing engagement should map the locations where privileged credentials have been used and the hosts that hold residual material.
Credential Guard Helps But Has Gaps
Windows Credential Guard isolates the secrets that LSASS would otherwise hold in process memory. On supported hosts, with the right configuration, this removes a significant chunk of the attack surface. The catch is that Credential Guard does not protect every credential, does not protect every authentication path and does not retroactively clean up hashes that were stored before it was enabled. Treat it as a useful floor rather than a complete solution.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
The mistake most teams make with pass-the-hash is treating it as a workstation problem. The real damage happens when administrative credentials get used on workstations and the hashes propagate up the chain. Tiered administration models, where the highest privilege accounts only authenticate to hardened jump hosts, address the root cause.

Defender For Identity Adds A Useful Lens
Microsoft Defender for Identity, formerly Azure Advanced Threat Protection, monitors authentication patterns directly at the domain controller level and surfaces a range of Active Directory abuse patterns that traditional SIEM rules struggle to catch. The product is not perfect, but it provides a useful lens on directory abuse that complements your existing tooling. Combine it with sensible playbooks for triaging the alerts. It is worth tuning the alerting carefully, because the default profiles produce a meaningful volume of noise. The team that triages the alerts needs to trust them. Untuned alerting from any single product becomes background noise that nobody investigates seriously.
Detection Lives In The Authentication Logs
Three patterns stand out: a successful NTLM authentication from an account that normally uses Kerberos; authentication that moves rapidly between unrelated hosts; and logons from workstations to other workstations using local administrator credentials. Each of these patterns is suspicious in isolation, and many are easy to detect if the logs are being collected and analysed. Combine logging with a vulnerability scan services engagement that includes hash extraction during the test, and you build a defensible position.
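As an added illustration, not part of the original article, the three patterns above written as checks over a constructed sample of simplified Windows Security 4624 logon events; the hosts, accounts, field names and thresholds are assumptions for the sake of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real log data) of simplified 4624 fields:
# time, target host, account, account domain, auth package, logon type, source host.
# Domain accounts carry the CORP domain; a local account's domain is the host itself.
EVENTS = [
    ("2024-05-01T09:00:00", "FS01", "alice", "CORP", "Kerberos", 3, "WS-ALICE"),
    ("2024-05-01T09:05:00", "FS01", "alice", "CORP", "Kerberos", 3, "WS-ALICE"),
    ("2024-05-01T09:07:00", "SQL01", "alice", "CORP", "NTLM", 3, "WS-ALICE"),
    ("2024-05-01T10:00:00", "WS-BOB", "svc-backup", "CORP", "NTLM", 3, "WS-ALICE"),
    ("2024-05-01T10:00:20", "WS-CAROL", "svc-backup", "CORP", "NTLM", 3, "WS-ALICE"),
    ("2024-05-01T10:00:45", "WS-DAVE", "svc-backup", "CORP", "NTLM", 3, "WS-ALICE"),
    ("2024-05-01T11:00:00", "WS-CAROL", "Administrator", "WS-CAROL", "NTLM", 3, "WS-BOB"),
]
WORKSTATIONS = {"WS-ALICE", "WS-BOB", "WS-CAROL", "WS-DAVE"}  # assumed asset list

def parse(ev):
    t, host, user, dom, pkg, ltype, src = ev
    return dict(time=datetime.fromisoformat(t), host=host, user=user,
                domain=dom, pkg=pkg, ltype=ltype, src=src)

def ntlm_from_kerberos_users(events):
    """Accounts whose network logons are mostly Kerberos but include an NTLM logon."""
    pkgs = defaultdict(list)
    for e in map(parse, events):
        if e["ltype"] == 3:
            pkgs[e["user"]].append(e["pkg"])
    return sorted(u for u, p in pkgs.items()
                  if p.count("Kerberos") > len(p) / 2 and "NTLM" in p)

def rapid_host_spread(events, window=timedelta(minutes=2), min_hosts=3):
    """Accounts reaching at least min_hosts distinct hosts inside one sliding window."""
    by_user = defaultdict(list)
    for e in map(parse, events):
        by_user[e["user"]].append((e["time"], e["host"]))
    flagged = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged.append(user)
                break
    return sorted(flagged)

def workstation_local_admin_logons(events, workstations=WORKSTATIONS):
    """Workstation-to-workstation network logons using a local (non-domain) account."""
    return [(e["src"], e["host"], e["user"]) for e in map(parse, events)
            if e["ltype"] == 3 and e["src"] in workstations
            and e["host"] in workstations and e["domain"] == e["host"]]
```

In production the same checks would run over exported 4624 events with a baseline window long enough to learn each account's normal authentication package, since a single NTLM logon from a Kerberos user is a lead to triage rather than a verdict.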
Pass-the-hash is decades old and still effective, because the defences require operational discipline rather than product purchases. The defensive answer is mature operational practice, not a single product. Network security has changed considerably over the last decade, and the principles that survived the change tend to be the ones worth investing in. The fundamentals remain valuable even as the implementation details evolve around them.
