What Is a Pass-the-Hash Attack? 

A pass-the-hash (PtH) attack is a cyberattack where threat actors steal encrypted—or hashed—user credentials. Stored hashed passwords are leveraged to create new authenticated sessions on the target network, granting threat actors access to a system. PtH enables threat actors to move laterally within compromised networks, extracting sensitive information and credentials to carry out additional malicious activities.  

How Pass-the-Hash Attacks Work

Hashing employs an encryption algorithm to convert user passwords into fixed-length strings of characters. This makes it difficult to reverse-engineer the original passwords and ensures they are not stored in plain text. Threat actors use operating systems that support hashing, such as Windows.

Pass-the-Hash Attack Steps

1. Infiltration

Social engineering techniques are typically employed to breach networks. Once inside a system, various techniques are leveraged to infiltrate credential storage and access hashed passwords.

2. Extraction

Rather than decrypting hashed passwords, threat actors extract them from the system’s memory or database, bypassing the need for actual passwords during authentication and gaining them access to the system.

3. Advancement

Once unauthorized entry has been secured, threat actors gain complete control over systems, enabling lateral movement. They expand their reach across networks by escalating domain privileges and infiltrating more systems.

Examples of Pass-the-Hash Attacks

Electrobras & Copel

In February 2021, Centrais Elétricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), two significant Brazilian electric utility firms, were targets of ransomware attacks facilitated by PtH methodology. Threat actors extracted hashed passwords from the active directory database and moved laterally to obtain sufficient permissions to execute the ransomware assault.

Microsoft Exchange Server (Hive) Compromise

In April 2022, the Hive ransomware-as-a-service (RaaS) platform deployed a coordinated PtH attack against numerous Microsoft Exchange Server clients across multiple industries. The assault used a Microsoft Exchange Server vulnerability identified as ProxyShell, which threat actors leveraged to plant a backdoor web script on the Exchange server and execute malicious activities. 

How to Prevent Pass-the-Hash Attacks

Effective security strategies to prevent PtH attacks include the following:

Zero Trust Network Access (ZTNA)

ZTNA enforces strict authentication and authorization controls, requiring additional verification factors beyond passwords. This cybersecurity solution significantly reduces the risk of stolen hashed credentials being exploited for unauthorized access.

Managed Detection and Response (MDR)

MDR is a proactive solution against cyber threats, continuously monitoring all networks and endpoints. It leverages threat detection and rapid incident response, mitigating system breaches and preventing potential impacts of cyberattacks.

Password Management

Enforcing frequent password changes and unique administrative credentials minimizes PtH attacks, as it prevents threat actors from leveraging password vulnerabilities. 

Principle of Least Privilege (PoLP)

PoLP limits user access to only the essential resources and privileges needed to perform tasks, reducing the potential impact of compromised systems. If a system is breached, PoLP ensures threat actors have limited capabilities, preventing them from moving laterally or accessing more sensitive data.

CylanceGUARD for 24x7x365 MDR

As a human-centric 24x7x365 Managed Detection and Response, CylanceGUARD® provides the cybersecurity expertise and support businesses need. CylanceGUARD combines the expertise embodied by BlackBerry Cybersecurity Services with an AI-based Endpoint Protection (EPP) through CylanceENDPOINT™. CylanceGUARD provides businesses with everything they need to contend with a modern threat landscape—no matter what that landscape throws at them.  

Learn More

More Resources