Pass the Hash Cyberattack: How to Protect Yourself
Hello everyone. Today, we’re presenting a short webinar on Pass the Hash. I’m joined by Mathieu ADELAIDE, our subject-matter consultant who’ll cover the technical part. I’m Jérôme BEAUNE, Director of Operations at PI Services. I’ll start with a brief introduction to PI Services and our managed services offering. Then we’ll explain the Pass the Hash concept, how it works, and most importantly—how to protect yourself against it.
You’ll also see how managed services can help reduce the risks and impacts of such attacks. The session will last about 45 minutes, and you’ll be able to ask questions at the end.
To be clear, this isn’t a sales pitch—but in brief: PI Services is a 25-year-old IT services company. We specialise in architecture, historically with a strong Microsoft focus, and have now expanded to other technologies. We operate across three types of environments: on-premises, hybrid, and cloud (both private and public).
We work around five areas of expertise:
Identity
Security (today’s main topic)
Infrastructure
Collaboration & unified communications
Endpoint management (workstations and more)
As an ESN, we support clients with:
Audits and consulting (architecture, security, financial planning)
Implementation (infrastructure, SaaS/GaaS deployment, change management)
Managed Services (our focus today, including solutions to mitigate Pass the Hash attacks)
Within Managed Services, our main areas are:
Operational Maintenance (MCO): recurring tasks like updates, log analysis, etc., tailored to threats like Pass the Hash
Support: assistance during or after an attack
Custom Requests: security audits, Tiering Model implementation, traffic filtering, and more
We operate across all technical domains: infrastructure, software, networks, security, user support, and workstations.
Here are some quick client references:
OCD: Expert support, including Microsoft Premier Support.
Ministry of Agriculture: MCO for email systems.
CityOne: Full IT system management.
Radio France: Support and projects including Tiering Model and account isolation—key defences against Pass the Hash.
And now, over to Mathieu for the main presentation.
Hello, I’m Mathieu ADELAIDE, and I’ve been with PI Services for several years now. I mainly work on Active Directory and identity. Today, we’ll go through Pass the Hash in layman’s terms—what it is, how it works, and how to protect against it. We’ll keep it accessible, and we’ll take questions at the end.
So, what is Pass the Hash? This attack can have many motivations: corporate espionage, data exfiltration, ransom, revenge, or even just curiosity. Some hackers target companies purely for the challenge. And once inside a system, you never know for how long—unless you rebuild your entire infrastructure, which we all want to avoid.
This attack is often used to gain privileged access or exfiltrate data. It’s essentially identity theft, where an attacker captures a user’s login and hashed password (without needing the actual password).
But what’s a hash? A hash is the result of a mathematical function—used during authentication. When you enter your password, it gets hashed and compared against a stored hash in Active Directory. The system doesn’t store your actual password, just the hash.
These hashes are stored in memory—specifically in the LSASS process—after you log in, so they can be reused (like SSO) when accessing resources.
The Attack: Step-by-Step
Gain local admin rights on a machine (often not too difficult).
Dump the LSASS process, where credentials are stored.
Export the dump (USB or over the network).
Use tools like Mimikatz to extract the hash and request a Kerberos ticket.
The attack is valid for as long as the password isn’t changed—meaning the attacker can reuse it indefinitely.
Simple Real-World Example
Let’s say a user walks away from their workstation without locking it. If that user is an admin, all an attacker needs is a USB stick to dump LSASS and walk away. It takes less than 15 seconds.
Back on their own machine (even one outside the domain), they can:
Plug into the corporate network
Load Mimikatz
Import the dump
Extract the hash
Use it to impersonate the user and request a Kerberos ticket
Access servers and resources—often without detection
Preventing Pass the Hash
Completely preventing Pass the Hash is extremely difficult, but mitigating it is very possible. Here are some best practices:
Keep systems up to date (patch management is critical)
Enable Windows Defender Credential Guard
Don’t disable firewalls just for convenience
Use Protected Users groups for privileged accounts (but beware of impact)
Separate privileges: domain admins should never log into workstations
Apply the principle of least privilege
Regularly review access rights
Enable audit logs for registry and process creation (but manage volume)
Use monitoring tools like SCOM, Zabbix, Splunk, Azure Monitor
Limit rights for software vendors, especially those asking for domain admin
Use gMSA (Group Managed Service Accounts) for automatic password rotation
Avoid populating privileged groups like Enterprise Admins or Schema Admins unnecessarily
A stolen hash from a privileged account can do enormous damage. Implementing account silos (Tiering Model) can help isolate access and reduce risk.
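The checklist Mathieu just went through can be turned into a read-only audit of one domain-joined host. The script below is an added example, not PI Services' tooling and not part of the webinar. It assumes an elevated PowerShell 5.1 or later session on a domain-joined Windows machine, the ActiveDirectory RSAT module for the domain checks, and English-language auditpol output; the seven-day logon window and the group names are choices made here, and nothing is changed on the system.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the webinar): read-only audit of the Pass-the-Hash
# mitigations discussed above. Assumes an elevated session on a domain-joined
# host and the ActiveDirectory RSAT module; every check only reads state.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $status = if ($Pass) { 'OK' } else { 'REVIEW' }
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Credential Guard: SecurityServicesRunning contains 1 when it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
Add-Finding 'Credential Guard running' $cgRunning ("SecurityServicesRunning = " + ($dg.SecurityServicesRunning -join ','))

# 2. LSA protection (RunAsPPL = 1 or 2): LSASS becomes a protected process, so an
#    ordinary admin-level process can no longer open and dump it.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$ppl = ($lsa.RunAsPPL -eq 1) -or ($lsa.RunAsPPL -eq 2)
Add-Finding 'LSASS runs as protected process (RunAsPPL)' $ppl "RunAsPPL = $($lsa.RunAsPPL)"

# 3. Process-creation auditing (Event 4688) with command line: the log source the
#    talk recommends for spotting dump tools. auditpol output is locale-dependent;
#    'Success' matches English systems only (assumption).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $auditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled -eq 1
$procAudit = [bool]((auditpol /get /subcategory:"Process Creation" 2>$null) -match 'Success')
Add-Finding 'Process Creation auditing (4688) enabled' $procAudit "auditpol success auditing: $procAudit"
Add-Finding '4688 includes command line' $cmdLine "ProcessCreationIncludeCmdLine_Enabled = $([int]$cmdLine)"

# 4. Firewall left on for every profile ("don't disable it for convenience").
$fwOff = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
$fwDetail = if ($fwOff.Count -eq 0) { 'all profiles enabled' } else { 'disabled: ' + ($fwOff.Name -join ', ') }
Add-Finding 'Windows Firewall enabled on all profiles' ($fwOff.Count -eq 0) $fwDetail

# 5. Domain checks: privileged accounts, Protected Users, empty forest-level groups, gMSA.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
    $privMembers = @(foreach ($g in $privGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }) | Sort-Object -Unique
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName)
    $unprotected = @($privMembers | Where-Object { $_ -notin $protected })
    Add-Finding 'Privileged accounts in Protected Users' ($unprotected.Count -eq 0) ('not protected: ' + ($unprotected -join ', '))
    foreach ($g in 'Enterprise Admins', 'Schema Admins') {
        $n = @(Get-ADGroupMember -Identity $g).Count
        Add-Finding "$g kept empty" ($n -eq 0) "$n member(s)"
    }
    $gmsa = @(Get-ADServiceAccount -Filter *)
    Add-Finding 'gMSA in use for services' ($gmsa.Count -gt 0) "$($gmsa.Count) gMSA account(s)"

    # 6. Tiering check for this host: an interactive (type 2) or RDP (type 10) logon by a
    #    privileged account leaves reusable secrets in LSASS on this machine. Window of
    #    seven days is an arbitrary choice for the example.
    $since = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
    $privLogons = @(foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (($data.LogonType -in @('2', '10')) -and ($data.TargetUserName -in $privMembers)) {
            "$($data.TargetUserName) (type $($data.LogonType)) at $($e.TimeCreated)"
        }
    })
    Add-Finding 'No privileged interactive logons on this host (7 days)' ($privLogons.Count -eq 0) (($privLogons | Select-Object -First 5) -join '; ')
}
else {
    Add-Finding 'ActiveDirectory module available' $false 'install the RSAT AD PowerShell module to run the domain checks'
}

$findings | Format-Table -AutoSize -Wrap
```

Run it on a workstation and a server of each tier: the last check is the one that tells you whether the "domain admins never log into workstations" rule is actually being followed, since a privileged logon that shows up there means that host now holds a hash worth stealing. Everything the script reports as REVIEW maps to one of the best practices in the list above.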
Thanks, Mathieu. If you have questions, we’re live in the chat. Feel free to ask anything.
To wrap up: everything we’ve discussed—update management, log analysis, account silos, alert customisation—is part of our Managed Security Services. For some clients, we secure both on-prem and cloud systems (Azure, Office 365) with:
Custom scripts to detect abnormal behaviour
Scheduled reviews tailored to data sensitivity
Constantly evolving supervision and monitoring
As threats evolve, so do our methods.
Thanks again for joining us today—we hope it was helpful. We're available via chat or later by email if you have further questions. You’ll see our contact details on the final slide. We can also offer more tailored demos or security audits (e.g. for Tiering Model or access rights). Don’t hesitate to reach out.
Interested in our offers? Contact us at +33 1 55 85 08 92 or contact@piservices.fr