ManageEngine: Detecting Pass-the-Hash Attacks with Log360

Manage Engine
03/26/2026
Transcript
from Manage Engine to detect Pass-the-Hash activity. Pass-the-Hash is an identity-based attack in which adversaries pose as legitimate users to gain unauthorized access to a network. It is a type of credential theft technique where attackers compromise the hashed values of a user's credentials to create a new user session on the same network. The hashed values are compromised by exploiting the NTLM protocol, which typically allows a user to log in using stored password hashes without requiring the submission of a plain-text password. Thus, instead of compromising the actual password, attackers steal the stored version of the password, i.e. the hashed values, to sneak into the network. Additionally, these hashed values remain the same until the user resets the password. Therefore, until and unless a user resets the password, attackers enjoy unlimited access to the network and its resources, aiding lateral movement and privilege escalation. Now let's explore how a Pass-the-Hash attack plays out. Initially, attackers gain unauthorized access to the target network via phishing campaigns or by exploiting vulnerabilities. They then utilize hash-dumping tools like Mimikatz to extract user accounts and password hashes. These hashes are generally stored in the Windows Security Accounts Manager, the Local Security Authority Subsystem process memory, and the NTDS directory database in Active Directory. The attackers exploit the NTLM protocol and use the password hashes to authenticate to other system resources. If the user account has excessive privileges or if the same credentials are used across multiple systems, lateral movement becomes much easier. The attacker hops from one machine to another until they locate an account with higher privileges, such as a domain administrator. Finally, after achieving the required privileges, attackers may execute other cyber attacks like ransomware and cause damage to data security and the integrity of the network.
Now let's see how a unified SIEM solution like Log360 can help in a situation like this. Log360 provides out-of-the-box reports to detect Pass-the-Hash activity. You can find this under the Reports tab of EventLog Analyzer or the SIEM module of Log360. As Pass-the-Hash is an important technique under the MITRE ATT&CK framework, you can find the report under Defense Evasion under MITRE ATT&CK Reports. You can find the Pass-the-Hash activity report under Use Alternate Authentication Material. Using log analysis and Sysmon analysis, Log360 accurately spots successful authentications that happen without passwords. It gives us a visual representation of the frequency of Pass-the-Hash activity in the network. It also provides details such as when the event occurred, the IP address of the device involved, the event ID, the severity of the event, the logon type, the process name, and the remote device involved. Log360 also comes with SOAR capabilities. This means that if you associate a response workflow with an alert profile, Log360 will be able to carry out certain automated actions such as terminating a process or service and disabling a device or user. However, to prevent future attacks, here are some steps you can take. Enforce mandatory password resets periodically and follow strong password policies. Review and audit system processes periodically. Identify gaps or weaknesses by reviewing and updating your security policies. Implement MFA, review user privileges, and grant access based on the principle of least privilege. And lastly, invest in employee training and user education to prevent future attacks. If you have any questions or would like to get a personalized demo, please send an email to log360-support at manageengine.com. Thank you for watching this video. If you wish to see Log360 in action, visit this link and download our product. You can also get a free 30-day trial of Log360 and evaluate how it satisfies your requirements.
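The transcript says the report spots "successful authentications that happen without passwords" and lists the fields it surfaces (time, IP address, event ID, severity, logon type, process name, remote device). The following is an added example, not code from the video or from ManageEngine, and not Log360's actual detection logic. It applies two commonly used community heuristics to Windows Security Event ID 4624 records: a LogonType 9 (NewCredentials) logon through the `seclogo` logon process with the Negotiate package, the pattern left when alternate credentials are injected into a fresh logon session, and a LogonType 3 NTLM network logon (`NtLmSsp`) with KeyLength 0 and an unpopulated subject SID (S-1-0-0), excluding ANONYMOUS LOGON. The field names and sample events are constructed for this example; the per-source frequency count mirrors the frequency view the transcript describes.

```python
"""Illustrative Pass-the-Hash detection over Windows Security 4624 records.

Added example: these are generic community heuristics, not Log360's rules.
All event records below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LogonEvent:
    """Subset of Windows Security event fields relevant to the heuristics."""
    timestamp: str
    event_id: int
    target_user: str
    logon_type: int
    logon_process: str   # e.g. User32, seclogo, NtLmSsp, Kerberos
    auth_package: str    # e.g. Negotiate, NTLM, Kerberos
    subject_sid: str     # S-1-0-0 means "no subject" for network logons
    key_length: int      # session key length; 0 = no session security
    ip_address: str
    process_name: str
    workstation: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[LogonEvent] = [
    # Normal interactive logon on a workstation.
    LogonEvent("2026-03-26T09:01:12", 4624, "alice", 2, "User32", "Negotiate",
               "S-1-5-18", 0, "127.0.0.1", "C:\\Windows\\System32\\svchost.exe", "WS-ALICE"),
    # Alternate credentials injected into a new logon session (heuristic 1).
    LogonEvent("2026-03-26T09:05:40", 4624, "svc-backup", 9, "seclogo", "Negotiate",
               "S-1-5-21-1000", 0, "::1", "C:\\Windows\\System32\\svchost.exe", "WS-ALICE"),
    # Follow-on NTLM network logons with no session security (heuristic 2).
    LogonEvent("2026-03-26T09:06:03", 4624, "svc-backup", 3, "NtLmSsp", "NTLM",
               "S-1-0-0", 0, "10.0.0.25", "-", "WS-ALICE"),
    LogonEvent("2026-03-26T09:06:09", 4624, "svc-backup", 3, "NtLmSsp", "NTLM",
               "S-1-0-0", 0, "10.0.0.25", "-", "WS-ALICE"),
    # Anonymous NTLM logon: noisy and excluded by heuristic 2.
    LogonEvent("2026-03-26T09:10:00", 4624, "ANONYMOUS LOGON", 3, "NtLmSsp", "NTLM",
               "S-1-0-0", 0, "10.0.0.40", "-", "-"),
    # Normal Kerberos network logon with a 128-bit session key.
    LogonEvent("2026-03-26T09:12:30", 4624, "bob", 3, "Kerberos", "Kerberos",
               "S-1-0-0", 128, "10.0.0.31", "-", "WS-BOB"),
    # Failed logon (4625): not a successful authentication, ignored.
    LogonEvent("2026-03-26T09:15:00", 4625, "carol", 3, "NtLmSsp", "NTLM",
               "S-1-0-0", 0, "10.0.0.50", "-", "WS-CAROL"),
]

SEVERITY = {"new_credentials_injection": "high", "ntlm_network_no_session_key": "medium"}


def is_new_credentials_injection(e: LogonEvent) -> bool:
    """Heuristic 1: 4624, LogonType 9, seclogo logon process, Negotiate package."""
    return (e.event_id == 4624 and e.logon_type == 9
            and e.logon_process.lower() == "seclogo"
            and e.auth_package.lower() == "negotiate")


def is_suspicious_ntlm_network_logon(e: LogonEvent) -> bool:
    """Heuristic 2: 4624, LogonType 3 via NtLmSsp, KeyLength 0, no subject SID,
    not the anonymous account."""
    return (e.event_id == 4624 and e.logon_type == 3
            and e.logon_process.lower() == "ntlmssp"
            and e.subject_sid == "S-1-0-0" and e.key_length == 0
            and e.target_user.upper() != "ANONYMOUS LOGON")


def classify(e: LogonEvent) -> Optional[str]:
    """Return the matching rule name, or None if the event is benign."""
    if is_new_credentials_injection(e):
        return "new_credentials_injection"
    if is_suspicious_ntlm_network_logon(e):
        return "ntlm_network_no_session_key"
    return None


def detect(events: List[LogonEvent]) -> List[dict]:
    """Produce alert records carrying the fields the report is described as showing."""
    alerts = []
    for e in events:
        rule = classify(e)
        if rule is None:
            continue
        alerts.append({
            "time": e.timestamp, "rule": rule, "severity": SEVERITY[rule],
            "event_id": e.event_id, "logon_type": e.logon_type, "user": e.target_user,
            "ip_address": e.ip_address, "process_name": e.process_name,
            "remote_device": e.workstation,
        })
    return alerts


def frequency_by_source(alerts: List[dict]) -> Counter:
    """Alert count per source IP, the basis for a frequency chart."""
    return Counter(a["ip_address"] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(dict(frequency_by_source(found)))
```

Both heuristics generate false positives in real environments (legitimate `runas /netonly` produces type 9 `seclogo` logons, and some appliances negotiate NTLM without session security), so a practitioner would tune exclusions per host and account before wiring such alerts to automated response actions like the ones the transcript describes.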

TL;DR

  • Pass-the-Hash attacks exploit the NTLM protocol to authenticate using stolen password hashes instead of plaintext passwords, enabling attackers to maintain persistent access until passwords are reset.
  • Log360 provides MITRE ATT&CK-aligned detection reports that identify successful authentications without passwords through log and Sysmon analysis, with visual frequency tracking and detailed event metadata.
  • The solution includes SOAR capabilities for automated incident response such as terminating malicious processes, disabling compromised accounts, and isolating affected devices when Pass-the-Hash activity is detected.

Summary

This demonstration explains how ManageEngine's Log360 SIEM solution detects Pass-the-Hash attacks, a credential theft technique where attackers exploit NTLM protocol vulnerabilities to authenticate using stolen password hashes rather than plaintext passwords. The video walks through the attack methodology—from initial compromise through hash extraction using tools like Mimikatz to lateral movement and privilege escalation—and demonstrates Log360's out-of-the-box detection capabilities. The solution provides MITRE ATT&CK-aligned reporting under the Defense Evasion tactic, offering visual analytics and detailed event logging including IP addresses, event IDs, logon types, and process names. Log360's SOAR capabilities enable automated response workflows such as process termination and device/user disabling when Pass-the-Hash activity is detected. The presentation concludes with preventive best practices including mandatory password resets, MFA implementation, least privilege access controls, and security policy auditing.

Chapters

0:00 - Introduction to Pass-the-Hash Detection
0:17 - Understanding Pass-the-Hash Attacks
1:34 - Attack Methodology and Progression
3:02 - Log360 Detection Capabilities
4:38 - Prevention Best Practices

Key Quotes

0:17 "Pass-the-Hash is an identity-based attack in which adversaries pose as legitimate users to gain unauthorized access to a network."
1:18 "These hashed values remain the same until the user resets the password. Therefore, until and unless a user resets the password, attackers enjoy unlimited access to the network and its resources, aiding lateral movement and privilege escalation."
3:44 "Using log analysis and Sysmon analysis, Log360 accurately spots successful authentications that happen without passwords."
4:22 "Log360 also comes with SOAR capabilities. This means that if you associate a response workflow with an alert profile, Log360 will be able to carry out certain automated actions such as terminating a process or service and disabling a device or user."
Categories:
  • » Data Protection
Tags:
  • Identity & Access
  • Threat Intelligence
  • Security Operations
  • Technical Deep Dive
  • Demo
  • Pass-the-Hash attacks
  • NTLM protocol exploitation
  • credential theft detection
  • SIEM threat detection
  • MITRE ATT&CK framework
  • lateral movement prevention
  • SOAR automation