How to Detect Pass-the-Hash Attacks in Windows Event Logs

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Pass-the-hash bypasses password authentication entirely: an attacker who extracts an NTLM hash from LSASS memory or an SAM database dump can authenticate to any Windows system that accepts that account's credentials, without ever cracking the password. The defense requires detecting the authentication event, not the credential theft.
The good news: PtH leaves a specific fingerprint in Windows Security event logs. The challenge is that NTLM authentication is also used legitimately: the detection requires understanding which NTLM authentication patterns are normal in your environment and which are not.
The Three Event IDs That Matter
Event ID 4624: Successful logon (the primary detection target):
This event fires on the destination machine (the system being authenticated to). For pass-the-hash detection, the fields that matter are:
LogonType: Must be3(Network logon). PtH uses network authentication, not interactive or service logon.AuthenticationPackageName: Will beNTLMfor PtH. Kerberos authentication uses theKerberospackage. SeeingNTLMon a machine that should only accept Kerberos is a flag.WorkstationName: The hostname of the source machine. In a PtH attack, this often does not match where the account is expected to authenticate from.SubjectUserName: The account being used. If this is a Domain Admin account authenticating via NTLM Type 3 to a workstation, that is highly suspicious: DA accounts should use Kerberos for domain operations.IpAddress: The source IP. Compare against the account's expected source IPs.
Event ID 4625: Failed logon:
Failed PtH attempts appear as Type 3 NTLM failures. High volumes of Type 3 NTLM failures from a single source IP against multiple targets in a short time window indicate an attacker testing harvested hashes.
Event ID 4648: Explicit credential use:
Event 4648 fires when an account provides credentials explicitly (runas, network drive mapping with credentials). Legitimate lateral movement by IT staff using alternate credentials generates 4648. Pass-the-hash does NOT generate 4648: the attacker is not providing credentials, they are injecting a hash. Seeing 4624 Type 3 NTLM without a corresponding 4648 from the source workstation is a stronger PtH indicator.
What Normal NTLM Type 3 Looks Like
Before writing detection rules, understand your environment's legitimate NTLM Type 3 traffic:
Legitimate NTLM Type 3 sources:
- Windows Firewall with Advanced Security communicating between workstations
- File server access using older SMBv1 clients (legacy Windows 7/Server 2008)
- Printers and MFPs that use NTLM for authentication to file shares
- Network-attached storage (NAS) devices running older Samba versions
- Applications configured to use NTLM explicitly (older web applications with Windows authentication)
- Local account authentication on non-domain-joined machines
Suspicious NTLM Type 3 patterns (PtH indicators):
- Domain Admin account authenticating via NTLM Type 3 to a workstation (DA accounts should use Kerberos)
- Any high-privilege account appearing in NTLM Type 3 events on machines it does not normally access
- NTLM Type 3 authentications from a single source in rapid succession to multiple different destinations (hash spray pattern)
- NTLM Type 3 from a workstation IP to a server at unusual hours (2 AM lateral movement is different from 9 AM helpdesk access)
- NTLM Type 3 where
WorkstationNameis blank or contains a generic hostname inconsistent with your naming convention
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Splunk and KQL Detection Rules
Splunk SPL: High-privilege NTLM lateral movement:
index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
| eval account_lower=lower(Account_Name)
| lookup privileged_accounts.csv account_name as account_lower OUTPUTNEW is_privileged
| where is_privileged="true"
| where NOT match(Workstation_Name, "^(DC01|DC02|MGMT)")
| stats count by Account_Name, Workstation_Name, IpAddress, _time
| where count > 0
| sort -_time
This rule alerts when a privileged account (DA, Schema Admin, etc.) uses NTLM Type 3 authentication from a non-domain-controller, non-management-server source. Build privileged_accounts.csv from the Domain Admin audit you ran previously.
Splunk SPL: NTLM hash spray (rapid multi-target authentication):
index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
| bucket _time span=5m
| stats dc(ComputerName) as unique_targets, values(ComputerName) as targets by Account_Name, IpAddress, _time
| where unique_targets > 5
| table _time, Account_Name, IpAddress, unique_targets, targets
Five or more distinct destination machines from the same account and source IP within a 5-minute window indicates a hash being tested across multiple targets.
Microsoft Sentinel KQL: NTLM Type 3 from privileged accounts:
let privilegedAccounts = dynamic(["Administrator", "svc-sql", "backup-admin"]); // populate from your DA audit
SecurityEvent
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where Account has_any (privilegedAccounts)
| where WorkstationName !in ("DC01", "DC02", "MGMT-SERVER") // known legitimate sources
| project TimeGenerated, Account, WorkstationName, IpAddress, Computer
| sort by TimeGenerated desc
Reducing False Positives
Run both rules in Report-only or monitor mode for 14 days before enabling alerts. The most common false positive sources:
Service accounts with NTLM-dependent applications: Some backup agents, monitoring tools, and legacy LOB applications authenticate via NTLM Type 3 from a fixed source IP. Identify these by their consistency: same source, same destination, same time pattern, every day. Exclude by source IP AND destination combination.
Printer and MFP scan-to-folder: These devices authenticate via NTLM to file shares. The source IP is the device IP; the destination is the file server. Exclude by device IP range if these are managed assets.
IT staff using runas or alternate credentials legitimately: These generate 4648 before 4624. Create a correlation exclusion: if 4648 appears from the same source within 30 seconds of the 4624, it is likely legitimate alternate credential use rather than PtH.
After tuning: The remaining NTLM Type 3 alerts for privileged accounts should be near-zero in normal operations. Any alert that fires after tuning represents either a genuine PtH attempt or a new legitimate application that needs documentation and exclusion.
The bottom line
Pass-the-hash appears in Windows Security logs as Event ID 4624, Logon Type 3, Authentication Package NTLM, from a source that does not match the account's normal authentication pattern. Detection requires knowing your baseline NTLM traffic first: privileged account NTLM Type 3 authentications from unexpected sources and rapid multi-target NTLM sequences are the two highest-signal indicators. Run both Splunk and KQL rules in report-only mode for 14 days to identify legitimate NTLM sources before enabling live alerts.
Frequently asked questions
What Windows event ID detects pass-the-hash?
Event ID 4624 with Logon Type 3 (network logon) and Authentication Package Name = NTLM on the destination machine. For higher-fidelity detection, correlate with the absence of Event ID 4648 (explicit credential use) from the source: legitimate credential delegation generates 4648, while pass-the-hash does not.
How do you detect pass-the-hash without a SIEM?
On a domain controller, filter the Security event log for Event ID 4624 where Logon Type is 3 and the Authentication Package is NTLM. Look specifically for domain admin accounts appearing in NTLM Type 3 events from workstation source IPs: domain admins should authenticate via Kerberos, not NTLM, for domain operations.
What is the difference between pass-the-hash and pass-the-ticket?
Pass-the-hash (PtH) abuses NTLM authentication: an attacker captures the NTLM hash of a user's password and uses it directly to authenticate without knowing the plaintext password. Pass-the-ticket (PtT) abuses Kerberos authentication: an attacker steals a Kerberos ticket (TGT or service ticket) from memory and uses it to authenticate as the ticket's owner. PtH works against any service using NTLM authentication; PtT works against Kerberos-enabled services. Overpass-the-hash converts an NTLM hash into a Kerberos ticket, combining both techniques. Detection differs: PtH leaves Event ID 4624 Logon Type 3 NTLM events; PtT leaves Event ID 4768 and 4769 with unusual source IPs.
How do I prevent pass-the-hash attacks?
The primary mitigations are: enable Credential Guard on Windows 10 and 11 endpoints (prevents NTLM hashes from being stored in LSASS memory in a form attackers can extract); enforce Protected Users security group membership for privileged accounts (prevents NTLM authentication for group members, forcing Kerberos only); disable NTLM where possible using group policy (Network Security: Restrict NTLM); enforce Local Administrator Password Solution (LAPS or Windows LAPS) to ensure unique local admin passwords per machine so PtH from one machine cannot be reused on others.
What tools do attackers use for pass-the-hash?
Mimikatz is the most commonly cited tool: its sekurlsa::pth module performs pass-the-hash by spawning a new process with the stolen hash as authentication material. Impacket's wmiexec.py and psexec.py support PtH for remote execution. CrackMapExec is used for PtH at scale across a subnet. In detection rules, look for Mimikatz signatures in memory (EDR coverage), unusual parent-child process relationships where cmd.exe or PowerShell spawn with NTLM authentication from non-interactive sessions, and Impacket's characteristic SMB connection patterns.
How does Credential Guard prevent pass-the-hash attacks and what are its hardware and OS requirements?
Windows Defender Credential Guard isolates NTLM password hashes and Kerberos tickets inside a Hyper-V-protected container called the Virtual Secure Mode (VSM). The protected credentials never exist in normal OS memory, so even kernel-level code (including Mimikatz running as SYSTEM) cannot read them. The hash material is only accessible to the VSM component, which validates authentication requests without exposing the actual hash to the host OS. Hardware requirements: UEFI firmware with Secure Boot, virtualization extensions (Intel VT-x or AMD-V), IOMMU (Intel VT-d or AMD-Vi), TPM 2.0 (recommended, required on Windows 11 24H2 and later for automatic enablement). OS requirements: Windows 10 Enterprise or Education version 1607 and later, Windows 11, or Windows Server 2016 and later. Limitations: Credential Guard does not protect locally cached credentials for accounts that log on while the domain controller is unreachable, and it does not protect against credential theft via social engineering or phishing. Verify enablement: msinfo32.exe shows 'Virtualization-based security Services Running' including 'Credential Guard' when active. On Windows 11 24H2+, Credential Guard is enabled by default on qualifying hardware.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
