A Pass-the-Hash attack uses a technique in which an attacker captures account logon credentials on one computer and then uses those captured credentials to authenticate to other computers over the network.
1. An attacker gains a foothold on the network using tactics such as phishing, taking advantage of weak passwords, or exploiting unpatched vulnerabilities.
2. Once compromise occurs and administrative rights are obtained, an attacker may capture account credentials and use them to authenticate to other computers on the network in search of more privileged credentials.
3. If a domain administrator account is compromised during this process, the attacker is then able to access the domain controller (the central point of control for all computers, corporate identities and credentials), effectively giving them control and full access to all of the organization’s IT assets.
Guidance for mitigating Pass-the-Hash attacks
IT professionals should use a planned approach in combination with the available security features in Microsoft Windows to better protect against credential theft attacks such as Pass-the-Hash.
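Step 2 above, one account authenticating from a single computer to many others, leaves a recognizable pattern in logon records. The following is an added example, not part of the original guidance: it scans records shaped like Windows Security event 4624 for NTLM network logons that fan out from one source. The record layout, threshold, window and all sample hosts, accounts and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Tuple layout is an assumption:
# (time, target computer, TargetUserName, IpAddress, LogonType, AuthenticationPackageName)
SAMPLE_EVENTS = [
    ("2024-05-01T08:55:00", "FILE01", "jsmith", "10.0.0.21", 3, "Kerberos"),
    ("2024-05-01T09:00:00", "WS020", "admin-hd", "10.0.0.77", 2, "Negotiate"),
    ("2024-05-01T09:01:10", "WS014", "admin-hd", "10.0.0.77", 3, "NTLM"),
    ("2024-05-01T09:02:40", "WS015", "admin-hd", "10.0.0.77", 3, "NTLM"),
    ("2024-05-01T09:03:00", "FILE01", "WS014$", "10.0.0.14", 3, "NTLM"),
    ("2024-05-01T09:04:05", "SQL02", "admin-hd", "10.0.0.77", 3, "NTLM"),
    ("2024-05-01T09:06:30", "DC01", "admin-hd", "10.0.0.77", 3, "NTLM"),
    ("2024-05-01T02:00:00", "FILE01", "svc-backup", "10.0.0.50", 3, "NTLM"),
    ("2024-05-01T02:01:00", "FILE02", "svc-backup", "10.0.0.50", 3, "NTLM"),
]


def find_ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {(account, source_ip): [hosts]} for every account/source pair
    whose NTLM network logons (type 3) reached at least min_hosts distinct
    computers inside one sliding time window."""
    by_pair = defaultdict(list)
    for ts, host, account, src, logon_type, package in events:
        if logon_type != 3 or package.upper() != "NTLM":
            continue  # only network logons authenticated with NTLM
        if account.endswith("$") or account.upper() == "ANONYMOUS LOGON":
            continue  # skip machine accounts and null sessions
        by_pair[(account.lower(), src)].append(
            (datetime.fromisoformat(ts), host.upper()))

    findings = {}
    for pair, logons in by_pair.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Shrink the window until it spans no more than `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[pair] = sorted(set(findings.get(pair, [])) | hosts)
    return findings


if __name__ == "__main__":
    for (account, src), hosts in find_ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"{account} from {src}: NTLM logons to {', '.join(hosts)}")
```

Management and scanning tools can produce the same fan-out legitimately, so the threshold and window need tuning against a baseline of normal administrative activity.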