Pass-the-Hash (PtH)

A credential theft technique that uses stolen password hashes to authenticate without the plaintext password.

What it is

Pass-the-Hash (PtH) is a credential-theft technique where an attacker uses a stolen password hash instead of the plaintext password to authenticate, most often in Windows environments using NTLM. If an attacker captures an NTLM hash from one machine, they can reuse it to move laterally without cracking the password.

Why it matters

PtH turns a single compromised endpoint into a pivot point for lateral movement, privilege escalation, and ransomware deployment. It commonly follows initial access via phishing, exposed RDP, or unpatched software.

How to reduce risk

  • Limit NTLM usage where possible and prefer stronger authentication methods.
  • Enforce least privilege by restricting local admin rights and reducing credential exposure on endpoints.
  • Practice credential hygiene: use unique local admin credentials on each system and avoid shared local admin passwords.
  • Monitor authentication events for unusual lateral logons or hash reuse.
  • Enable protections such as Credential Guard and harden endpoints.
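As an added example (not part of this glossary entry), the monitoring item above turned into two simple detections run over a constructed sample of Windows Security event 4624 records; the field names follow the real 4624 event, the sample rows, host names and thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 fields (not real telemetry).
# 'wks' is the machine that logged the event, 'src' the address the logon came from.
SAMPLE_4624 = [
    ("2024-05-01T10:00:00", "WS01",  "svc_backup", "10.0.0.5", 9, "Negotiate", "seclogo"),
    ("2024-05-01T10:00:10", "SRV01", "svc_backup", "10.0.0.5", 3, "NTLM", "NtLmSsp"),
    ("2024-05-01T10:00:40", "SRV02", "svc_backup", "10.0.0.5", 3, "NTLM", "NtLmSsp"),
    ("2024-05-01T10:01:20", "SRV03", "svc_backup", "10.0.0.5", 3, "NTLM", "NtLmSsp"),
    ("2024-05-01T10:02:05", "SRV04", "svc_backup", "10.0.0.5", 3, "NTLM", "NtLmSsp"),
    ("2024-05-01T11:30:00", "FS01",  "bob",        "10.0.0.9", 3, "Kerberos", "Kerberos"),
    ("2024-05-01T11:31:00", "FS02",  "bob",        "10.0.0.9", 3, "Kerberos", "Kerberos"),
]
FIELDS = ("time", "wks", "user", "src", "logon_type", "auth_pkg", "logon_proc")

def parse(rows):
    """Turn the tuples into dicts with a real timestamp, sorted by time."""
    events = [dict(zip(FIELDS, r)) for r in rows]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def new_credentials_logons(events):
    """Host-side indicator: a LogonType 9 (NewCredentials) session created through
    'seclogo' with the Negotiate package. Legitimate 'runas /netonly' looks the same,
    so treat hits as leads to triage, not verdicts."""
    return [e for e in events
            if e["logon_type"] == 9 and e["logon_proc"] == "seclogo"
            and e["auth_pkg"] == "Negotiate"]

def ntlm_fanout(events, window=timedelta(minutes=5), max_hosts=3):
    """Network-side indicator: one account from one source address completing NTLM
    network logons (LogonType 3) on more than max_hosts distinct machines inside the
    window, the spread you would expect from a reused hash moving laterally."""
    recent = defaultdict(deque)  # (user, src) -> NTLM logons still inside the window
    hits = {}
    for e in events:
        if e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append(e)
        while q and e["time"] - q[0]["time"] > window:
            q.popleft()
        hosts = {x["wks"] for x in q}
        if len(hosts) > max_hosts:
            hits[key] = hosts
    return hits
```

Kerberos logons are deliberately ignored by the fan-out check, so restricting NTLM (the first item in the list) also shrinks the data this rule has to inspect.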

External resources

  • Microsoft: Mitigating Pass-the-Hash (overview & guidance): https://learn.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
  • MITRE ATT&CK: Pass the Hash (T1550.002): https://attack.mitre.org/techniques/T1550/002/