Pass the Hash Guidance

This project contains scripts designed to assist administrators in implementing Pass the Hash mitigations, as detailed in the paper titled 'Reducing the Effectiveness of Pass the Hash.'

The PtHTools module includes the primary commands designed to assist with the implementation of Pass-the-Hash (PtH) mitigations: - Find-PotentialPtHEvents - Invoke-DenyNetworkAccess - Edit-AllLocalAccountPasswords - Get-LocalAccountSummaryOnDomain - Invoke-SmartcardHashRefresh - Find-OldSmartcardHash For detailed instructions on how to use these commands, please refer to the PtHTools readme file. Guidance for Reducing the Effectiveness of Pass-the-Hash includes: - Managing Long-Lived Hashes for Active Directory Smartcard Required Accounts - Limiting Workstation-to-Workstation Communication For more information, refer to Microsoft's guidance here: https://aka.ms/pth - This link leads to Microsoft's general resource page on Pass-the-Hash. Additional resources include: - Mitigating Pass-the-Hash and Other Credential Theft v1 - Mitigating Pass-the-Hash and Other Credential Theft v2

Understanding How Pass-the-Hash Functions Local Administrator Password Solution - LAPS is a Microsoft-supported tool designed to ensure that local administrator accounts do not share the same password.

This serves as an alternative to the Edit-AllLocalAccountPasswords command found in PtHTools. krbtgt Refresh Script - This script resets the krbtgt account password two times to invalidate the hash.