Magic Quadrant™ for Privileged Access Management 2025: Netwrix Recognized for the Fourth Year in a Row. Download the report.

Contact usSupportCommunity
English Español Italiano Français Deutsch Português
Platform
Solutions

Data Security Posture Management

Discover and classify data in hybrid environments. Assess, prioritize, and mitigate risks to sensitive data.

Directory Management

Simplify and secure directory operations by cutting down on complexity, risk, and manual effort.

Endpoint Management

Secure endpoints and prevent data loss while keeping teams productive — no matter where they work.

Identity Management

Secure every identity, streamline every process, and stay ahead of compliance — without adding complexity.

Identity Threat Detection & Response

Stay ahead of identity-based threats — proactively remediate risks, block attacks, and ensure rapid recovery.

Privileged Access Management

Shrink your attack surface by killing standing privileges, locking down credentials, and monitoring privileged sessions.
Featured Products See all products
Netwrix AuditorNetwrix Access AnalyzerNetwrix PingCastleNetwrix Endpoint Protector

The Netwrix 1Secure™ Platform

Explore
Netwrix AI Environments we protect Integrations MSPs Active Directory Security Risks Compliance Pricing
Resource Center See All
BlogAttack CatalogComplianceCustomer StoriesCybersecurity FrameworksCybersecurity GlossaryEventsFreewareGuidesIdeas PortalNewsPodcastsPublicationsProduct AnnouncementsResearchWebinars
Asset not found

Featured Customer Story

DXC Technology Enables Customers to Achieve PCI DSS Compliance and Focus on Strategic Initiatives
Partners
Partner ProgramBecome a PartnerMSPsPartner LocatorWebinars
Asset not found

Featured Customer Story

AppRiver Enhances Control over Active Directory While Significantly Reducing Auditing Time
Asset not found

Featured Customer Story

MSP Helps Client Recover from Ransomware in 6 Hours
Why Netwrix
About UsLeadershipNetwrix AICustomer StoriesRecognitionNewsCareers
Asset not found

Featured Customer Story

Horizon Leisure Centres Accelerates Data Classification to Comply with GDPR and Saves £80,000 Annually
Asset not found

Featured Customer Story

Samsung R&D Institute Secures Data with Cross-Platform Use and Fast macOS Deployment Using Netwrix Endpoint Protector
Resource centerBlog
Performing Pass-the-Hash Attacks with Mimikatz

Performing Pass-the-Hash Attacks with Mimikatz

Nov 30, 2021

Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks, and creating domain persistence through Golden Tickets.

Let’s take a look at how easy Mimikatz makes it to perform pass-the-hash and other authentication-based attacks, and what you can do to protect against these attacks.

Handpicked related content:

How Passing the Hash with Mimikatz Works

All you need to perform a pass-the-hash attack is the NTLM hash from an Active Directory user account. This could be extracted from the local system memory or the Ntds.dit file from an Active Directory domain controller.

With the hash from the Ntds.dit file in hand, Mimikatz can enable us to perform actions on behalf of the Administrator account within the domain. First, I will log into my computer as the user Adam, who has no special privileges within the domain:

Image

As Adam, if I try to execute PSExec, a tool that allows remote PowerShell execution, against my domain controller, I receive an access denied message:

Image

But by issuing a command with Mimikatz, I can elevate the account to a Domain Administrator account and launch whatever process I specify with this elevated token. In this case, I will launch a new command prompt:

Image

From this command prompt, I can perform activities as Jeff, a Domain Administrator, while Windows still thinks I am Adam. Here you can see I am now able to launch the PSExec session and enumerate the contents of my domain controller’s NTDS directory using the pass-the-hash technique:

Image

With the Ntds.dit file decrypted, every user’s password hash is in my control, so I can perform actions on behalf of any user just as easily. This is a scary way to not only gain unlimited access but to cover my tracks and blend in as though I am the users who I am impersonating.

Protecting Against Pass the HashPass the hash is difficult to prevent, but Windows has introduced several features to make it harder to execute. The most effective approach is to implement logon restrictions so your privileged account hashes are never stored where they can be extracted. Microsoft provides best practices to follow a tiered administrative model for Active Directory that ensures privileged accounts will be significantly harder to compromise using such methods. Other ways to protect against pass the hash include enabling LSA Protection, leveraging the Protected Users security group and using Restricted Admin mode for Remote Desktop.

In addition to establishing proper upfront security, it’s vital to monitor authentication and logon activity for abnormalities that can indicate an attack in progress. These attacks often follow patterns in which accounts are used in ways that are not normal. Being alerted to this activity as it occurs can enable you to detect and respond to an attack before it is too late.

How Netwrix Solutions Can Help

Netwrix Threat Manager is an effective tool for detecting pass-the-hash attacks. Here are two approaches that the solution supports:

Honey tokens — You can inject fake credentials into LSASS memory on target machines and monitor for the usage of those credentials. If you see the credentials in use, you know they were retrieved from memory on one of the honeypot machines and used for lateral movement.

Abnormal behavior detection — Baselining normal user behavior helps you spot anomalous use of accounts that is indicative of pass-the-hash and other lateral movement attacks. Behavior to look for includes:

  • An account being used from a host it never authenticated from before
  • An account being used to access a host it never before accessed
  • An account accessing a large number of hosts across the network in a way that contradicts normal access pattern

To mitigate the risk of pass-the-hash attacks being launched in the first place, use Netwrix Access Analyzer which empowers you to:

  • Minimize administrative rights on servers and desktops
  • Prevent users from logging into workstations using administrative rights
  • Monitor for suspicious PowerShell commands that can be used for performing credential extraction and pass the hash
  • Restrict highly privileged accounts from logging into lower privileged systems
  • Ensure that LSA Protection is enabled on critical systems to make it more difficult to extract credentials from LSASS

Netwrix Access Analyzer

Get enterprise-grade discovery, classification and remediation of sensitive data.

Share on

Learn More

About the author

A man in a blue jacket and plaid shirt smiles for the camera

Jeff Warren

Chief Product Officer

Jeff Warren oversees the Netwrix product portfolio, bringing over a decade of experience in security-focused product management and development. Before joining Netwrix, Jeff led product organization at Stealthbits Technologies, where he used his experience as a software engineer to develop innovative, enterprise-scale security solutions. With a hands-on approach and a knack for solving tough security challenges, Jeff is focused on building practical solutions that work. He holds a BS in Information Systems from the University of Delaware.

Learn more on this subject

Risk Analysis Example: How to Evaluate Risks

The CIA Triangle and Its Real-World Application

Create AD Users in Bulk and Email Their Credentials Using PowerShell

How to Add and Remove AD Groups and Objects in Groups with PowerShell

Active Directory Attributes: Last Logon

Latest blogs

The next five minutes of compliance: building identity-first data security across Asia-Pacific & Japan

Configuration management for secure endpoint control

Data classification and DLP: Prevent data loss, prove compliance

CMMC compliance and the critical role of MDM-style USB control in protecting CUI

DSPM, ASM, and ITDR: Building a Data-Driven, Exposure-Aware Security Strategy

From noise to action: turning data risk into measurable outcomes

AI at Work: Speed, Risk, and Why Simplicity Wins

Data Privacy Laws by State: Different Approaches to Privacy Protection

Risk Analysis Example: How to Evaluate Risks

The CIA Triangle and Its Real-World Application

Our top articles

Common Types of Network Devices and Their Functions

How to Run PowerShell Script from Task Scheduler

How to Install & Use Active Directory Users and Computers (ADUC)?

Download and Install PowerShell 7

The Largest and Most Notorious Cyber Attacks in History

Essential PowerShell Commands: A Cheat Sheet for Beginners

An Overview of the MGM Cyber Attack

Extracting Password Hashes from the Ntds.dit File

Guide to Mounting Unix Shares with a Windows NFS Client

How Insecure and Vulnerable Open Ports Pose Serious Security Risks