Pass-the-Hash

PtH

Pass-the-Hash (PtH) is a credential theft attack where an attacker captures the hashed version of a password from memory (without cracking it) and uses the hash directly to authenticate to other systems — exploiting how Windows NTLM authentication works.

⚙️ How Does It Work?

Attackers use tools like Mimikatz to extract NTLM hashes from Windows memory (LSASS process). These hashes are then used with modified authentication tools to authenticate as the victim user without knowing the actual plaintext password.

📍 Where Is It Used?

Windows Active Directory environments — particularly effective for lateral movement after initial compromise.

💡 Real-World Example

An attacker compromises a developer's laptop and extracts the local admin NTLM hash using Mimikatz. Since the company uses the same local admin password across all workstations (no PAM), the attacker uses the hash to authenticate to 500 other machines — achieving lateral movement across the entire network.
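A defender's view of the scenario above, as an added example that is not part of the original glossary entry: it flags one account making NTLM network logons from a single source to many hosts in a short time. The sample events are constructed, the record layout is a simplified form of Windows Security event 4624, and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 (successful logon) records, reduced to the fields used here:
# (TimeCreated, Computer, TargetUserName, LogonType, AuthenticationPackageName, IpAddress)
EVENTS = [
    ("2024-05-01T10:00:05", "WS-001", "Administrator", 3, "NTLM", "10.0.5.23"),
    ("2024-05-01T10:00:40", "WS-002", "Administrator", 3, "NTLM", "10.0.5.23"),
    ("2024-05-01T10:01:10", "WS-003", "Administrator", 3, "NTLM", "10.0.5.23"),
    ("2024-05-01T10:02:00", "WS-004", "administrator", 3, "NTLM", "10.0.5.23"),
    ("2024-05-01T10:03:00", "FS-01", "jsmith", 3, "Kerberos", "10.0.5.40"),
    ("2024-05-01T10:04:00", "WS-010", "jsmith", 2, "Negotiate", "127.0.0.1"),
    ("2024-05-01T10:05:00", "FS-01", "svc_backup", 3, "NTLM", "10.0.9.10"),
    ("2024-05-01T10:06:00", "FS-02", "svc_backup", 3, "NTLM", "10.0.9.10"),
    ("2024-05-01T13:30:00", "WS-005", "Administrator", 3, "NTLM", "10.0.5.23"),
]


def ntlm_fanout(events, threshold=3, window=timedelta(minutes=10)):
    """Map (user, source IP) to the hosts it reached when one account made NTLM
    network logons (type 3) to >= threshold distinct hosts within the window."""
    logons = defaultdict(list)
    for ts, host, user, logon_type, auth_pkg, src_ip in events:
        # Keep only NTLM network logons; Kerberos and interactive logons are out of scope.
        if logon_type == 3 and auth_pkg == "NTLM":
            logons[(user.lower(), src_ip)].append((datetime.fromisoformat(ts), host))

    alerts = defaultdict(set)
    for key, seen in logons.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {host for _, host in seen[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[key] |= hosts
    return {key: sorted(hosts) for key, hosts in alerts.items()}


if __name__ == "__main__":
    for (user, src_ip), hosts in ntlm_fanout(EVENTS).items():
        print(f"ALERT {user} from {src_ip}: NTLM network logons to {hosts}")
```

Management tools and vulnerability scanners can produce the same fan-out, so baseline known sources before alerting on this pattern.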

🔗 Related Terms

PAM, Active Directory, Kerberos, Lateral Movement, CyberArk, ITDR
