Skip to main content
Skip to main content
Microsoft Security

New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks

  • Matt Thomlinson

Today, we released new guidance to help our customers address credential theft, called Mitigating Pass-the-Hash and Other Credential Theft, version 2. The paper encourages IT professionals to “assume breach” to highlight the need for the use of holistic planning strategies and features in Microsoft Windows to become more resilient against credential theft attacks. This paper builds on our previously released guidance and mitigations for Pass-the-Hash (PtH) attacks.

Given that organizations must continue to operate after a breach, it is critical for them to have a plan to minimize the impact of successful attacks on their ongoing operations. Adopting an approach that assumes a breach will occur, ensures that organizations have a holistic plan in place before an attack occurs. A planned approach enables defenders to close the seams that attackers are aiming to exploit.

The guidance also underscores another important point – that technical features alone may not prevent lateral movement and privilege escalation. In order to substantially reduce credential theft attacks, organizations should consider the attacker mindset and use strategies such as identifying key assets, implementing detection mechanisms, and having a breach recovery plan. These strategies can be implemented in combination with Windows features to provide a more effective defensive approach, and are aligned to the well-known National Institute of Standards and Technology (NIST) Cybersecurity Framework.

There are three important points technology leaders should understand about a PtH attack:

  • First, an attacker has to get a foothold on your network before a PtH type of attack occurs. This is commonly achieved using tactics such as phishing, taking advantage of weak passwords, or by exploiting unpatched vulnerabilities. 
  • Second, once initial administrative rights to a compromised computer are obtained, an attacker captures account login credentials on that computer, and then uses those captured credentials to authenticate to other computers on the network. 
  • Third, the ultimate goal of an attacker might be to compromise the domain controller – the central point of control for all computers, corporate identities and credentials – which effectively gives them control and full access to all of the organization’s IT assets. 

Lastly, there is no one silver bullet that solves credential theft attacks such as PtH. The risk of credential theft exists in  any type of single-sign-on implementation, both in open source and commercial  platforms. Microsoft is committed to not only furthering platform enhancements to harden against these attacks, but also to sharing guidance to help strengthen our customers’ infrastructure against these threats.

If you have responsibility for the security of your organization’s IT infrastructure, I strongly encourage you to read and apply the guidance in this whitepaper. Visit