Pass-the-Hash (PTH) and Pass-the-Ticket (PTT) are lateral movement techniques that allow an attacker to authenticate as a user without ever knowing their plaintext password. By reusing captured authentication material — either an NTLM hash or a Kerberos ticket — attackers can pivot across an entire Active Directory environment once they have compromised a single host. These techniques are the backbone of modern ransomware deployment operations and nation-state lateral movement campaigns alike.
How NTLM Authentication Works (and Why It's Exploitable)
NTLM authentication uses a challenge-response mechanism. When a client authenticates to a server, the server sends a random challenge; the client responds with an HMAC-MD5 of that challenge combined with the user's NTLM hash (the MD4 hash of the user's password). Critically, the NTLM hash itself is functionally equivalent to the password for authentication purposes — if you have the hash, you can authenticate without knowing the underlying password.
Windows stores NTLM hashes in the SAM database (for local accounts) and in LSASS process memory (for cached domain account credentials). Both locations are accessible to an administrator with the appropriate tools.
Pass-the-Hash Attack Methodology
Credential Extraction with Mimikatz
Mimikatz, developed by Benjamin Delpy, is the primary tool for NTLM hash extraction from LSASS memory. From an elevated command prompt on a compromised Windows host:
privilege::debug
sekurlsa::logonpasswords
This dumps all credentials currently cached in LSASS, including plaintext passwords (when WDigest is enabled — legacy setting), NTLM hashes, and Kerberos tickets. The output includes the username, domain, NTLM hash, and any other authentication material present in memory.
Modern Windows versions (10/11/Server 2016+) with Credential Guard enabled protect LSASS using virtualization-based security, making direct memory extraction impossible. However, many enterprise environments have not deployed Credential Guard on legacy hardware.
Lateral Movement with CrackMapExec
Once an NTLM hash is extracted, CrackMapExec (now maintained as NetExec) enables rapid lateral movement across the network:
crackmapexec smb 10.10.10.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --local-auth
This syntax passes the NTLM hash (in LM:NT format) to authenticate as the local Administrator account across an entire subnet. Any machine where this hash is valid returns a "Pwn3d!" indicator, providing immediate access. The "aad3b435b51404eeaad3b435b51404ee" portion is the empty LM hash — a placeholder in modern environments where LM hashes are disabled.
Pass-the-Ticket: Kerberos Ticket Reuse
Ticket Extraction and Injection
Pass-the-Ticket operates on Kerberos Ticket Granting Tickets (TGTs) and service tickets stored in Windows memory. These tickets can be exported and injected into other sessions:
sekurlsa::tickets /export
This creates .kirbi files for every Kerberos ticket in memory. A ticket belonging to a privileged user can then be injected into the attacker's current session:
kerberos::ptt administrator.kirbi
The session now has all the Kerberos privileges of the captured account, without needing the password or the NTLM hash.
Overpass-the-Hash
Overpass-the-Hash (also called Pass-the-Key) converts an NTLM hash into a Kerberos TGT, enabling Kerberos-based lateral movement from a captured hash. This is useful in environments where NTLM authentication is blocked but Kerberos is allowed:
sekurlsa::pth /user:jdoe /domain:corp.local /ntlm:<hash> /run:cmd.exe
This spawns a new process running under the context of the specified user, with a Kerberos TGT obtained from the domain controller using the NTLM hash as the key.
Golden and Silver Tickets
Golden Ticket attacks create forged TGTs using the NTLM hash of the KRBTGT account — the special account whose password is used to sign all Kerberos tickets in the domain. With the KRBTGT hash (obtained via DCSync or direct DC compromise), an attacker can create tickets for any user in the domain, valid for any duration, even after all user passwords are reset:
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:<hash> /ticket:golden.kirbi
Silver Tickets are similar but target specific services, using the service account's hash instead of KRBTGT. Silver Tickets are harder to detect because they never touch the domain controller — the ticket is valid for the targeted service without any DC communication.
Detection Strategies
Detecting PTH and PTT requires a layered approach:
- Event ID 4624 with Logon Type 3: Network logons using NTLM authentication where the source workstation is unusual for that user
- Event ID 4768 and 4769: Kerberos ticket requests; look for unusual user/service combinations or tickets with anomalously long lifetimes (golden tickets are often created with 10-year validity)
- Event ID 4672: Special privileges assigned to a new logon — a privileged user logging on from an unexpected source
- Abnormal lateral movement patterns: EDR solutions that baseline normal authentication behavior and alert on deviations are effective at detecting hash-based lateral movement
- Mimikatz signature detection: Most EDR platforms detect and block Mimikatz at the process level, though obfuscated variants exist
Remediation and Hardening
Protected Users Security Group
Adding privileged accounts to the Protected Users security group enforces significant restrictions: no NTLM authentication, no DES or RC4 Kerberos encryption, no credential caching, and TGT lifetime capped at 4 hours. This eliminates PTH for protected accounts and limits the utility of captured Kerberos tickets. All tier-0 accounts (Domain Admins, Enterprise Admins, KRBTGT) and tier-1 accounts should be members of Protected Users.
Windows Defender Credential Guard
Credential Guard uses virtualization-based security (VBS) to isolate LSASS in a separate security context, preventing tools like Mimikatz from reading credentials from memory. It requires hardware supporting Secure Boot, IOMMU, and 64-bit processors — all met by hardware manufactured after approximately 2015. Deployment requires enabling Hyper-V, which may have compatibility implications for some virtual machine workloads.
Tiered Administration Model
Microsoft's tiered administration model separates administrative accounts by privilege level: Tier 0 (domain controllers and identity infrastructure), Tier 1 (member servers), and Tier 2 (workstations). Each tier uses separate admin accounts that never authenticate to lower tiers. This prevents a compromised workstation from having access to credentials that can reach domain controllers. Fortress MSSP's managed network infrastructure service implements tiered administration as a baseline control for all managed environments.
Local Administrator Password Solution (LAPS)
Microsoft LAPS randomizes the local Administrator password on every domain-joined machine, storing it in Active Directory. This eliminates the scenario where a single compromised local admin password provides access to all machines — each machine has a unique, randomly-generated password rotated on a configurable schedule.
The combination of LAPS, Credential Guard, Protected Users, and SMB signing significantly raises the cost of PTH/PTT attacks to the point where most attackers will pivot to other techniques. Contact us to assess your current exposure to lateral movement attacks.