How It Works (Step-by-Step)
- Initial Compromise
  - Attacker gains access to a Windows machine (via phishing, exploit, or misconfig).
  - They escalate privileges to access LSASS memory.
- Hash Extraction
  - Tools like Mimikatz, ProcDump, or Pypykatz are used to dump LSASS.
  - Extracted NTLM hashes include those of local admins or domain users.
- Authentication Replay
  - Using tools like pth-winexe, Impacket, or Cobalt Strike, the attacker authenticates to another system by passing the hash.
  - No password cracking required: just hash injection.
- Lateral Movement
  - Attacker pivots across systems using the same hash.
  - If local admin passwords are reused across machines, one hash unlocks many endpoints.
- Privilege Escalation & Persistence
  - Attacker may target DCs, dump more hashes, create backdoors, or exfiltrate data.
🛡️ Why It’s Dangerous
- Bypasses password complexity: Doesn’t matter how strong the password is.
- Evades detection: Appears as legitimate user activity.
- Enables rapid lateral movement: Especially in flat networks or with reused credentials.
🔐 Mitigation Strategies
| Defense Layer | Action |
|---|---|
| Credential Hygiene | Use unique local admin passwords (LAPS), enforce password rotation |
| Memory Protection | Enable Credential Guard, isolate LSASS |
| Logging & Detection | Monitor for LSASS access, unusual SMB/RDP logins |
| Network Segmentation | Limit lateral movement paths, restrict admin access |
| MFA & PAM | Use multi-factor authentication and privileged access management |
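As an added example (not code from the original page), here is detection logic behind the "Logging & Detection" row, run over constructed Windows Security event records: the logon type 9 / seclogo / Negotiate pattern commonly documented on the host where a hash is injected, and the NTLM network-logon fan-out that marks the Lateral Movement step. The field names, sample records, window and host threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Keys mirror Security event
# 4624 attributes: LogonType, LogonProcessName, AuthenticationPackageName.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "id": 4624, "logon_type": 9,
     "logon_process": "seclogo", "auth_pkg": "Negotiate", "user": "svc_backup", "src_ip": "::1"},
    {"ts": "2024-05-01T09:01:10", "host": "FS01", "id": 4624, "logon_type": 3,
     "logon_process": "NtLmSsp", "auth_pkg": "NTLM", "user": "svc_backup", "src_ip": "10.0.0.15"},
    {"ts": "2024-05-01T09:01:25", "host": "FS02", "id": 4624, "logon_type": 3,
     "logon_process": "NtLmSsp", "auth_pkg": "NTLM", "user": "svc_backup", "src_ip": "10.0.0.15"},
    {"ts": "2024-05-01T09:01:40", "host": "DC01", "id": 4624, "logon_type": 3,
     "logon_process": "NtLmSsp", "auth_pkg": "NTLM", "user": "svc_backup", "src_ip": "10.0.0.15"},
    {"ts": "2024-05-01T10:30:00", "host": "FS01", "id": 4624, "logon_type": 3,
     "logon_process": "Kerberos", "auth_pkg": "Kerberos", "user": "alice", "src_ip": "10.0.0.22"},
]


def detect_hash_injection(events):
    """Logon type 9 (NewCredentials) via 'seclogo' with Negotiate is the
    pattern commonly documented for hash injection on the source host.
    It also fires for legitimate 'runas /netonly', so treat hits as leads."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 9
            and e["logon_process"].lower() == "seclogo"
            and e["auth_pkg"] == "Negotiate"]


def detect_ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """One account, NTLM network logons (type 3) from one source IP to at
    least `min_hosts` distinct hosts inside `window`: the lateral-movement
    footprint of a replayed hash. Thresholds are assumed, tune per estate."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM":
            by_key[(e["user"], e["src_ip"])].append(
                (datetime.fromisoformat(e["ts"]), e["host"]))
    hits = []
    for (user, src), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append({"user": user, "src_ip": src, "hosts": sorted(hosts)})
                break  # one alert per (user, source) is enough
    return hits


if __name__ == "__main__":
    print(detect_hash_injection(EVENTS))
    print(detect_ntlm_fanout(EVENTS))
```

Kerberos logons are deliberately ignored by the second rule, so an environment that has moved to Kerberos-only admin access will see the NTLM fan-out rule stay quiet unless a hash is actually replayed.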