Pass-the-Hash via RDP — Authentication Abuse
MITRE T1550.002 · No Plaintext Password Required · Restricted Admin Mode Mitigation

Tags: MITRE T1550.002 · Pass-the-Hash · RDP · NTLM · Lateral Movement · Windows
Pass-the-Hash (PtH) is an authentication abuse technique that uses captured NTLM hashes — obtained from LSASS dumping, LLMNR poisoning, or other credential harvesting — to authenticate as a user without knowing their plaintext password. Via RDP specifically, an attacker can open a full remote desktop session as any user whose hash they possess. This makes lateral movement trivially easy once any credential material is obtained.
MITRE ATT&CK: T1550.002 — Use Alternate Authentication Material: Pass the Hash
No CVE: Authentication design characteristic — not a software bug
Tools: xfreerdp (PtH mode), Impacket wmiexec, CrackMapExec, Metasploit
Mitigation: Restricted Admin mode for RDP eliminates this vector over RDP
Windows NTLM authentication uses a challenge-response mechanism that does not require the plaintext password — only the hash. An attacker with a user's NTLM hash can inject it directly into the Windows authentication process and authenticate as that user. Over RDP, this traditionally allowed full remote desktop sessions using only a hash. Restricted Admin mode changes RDP authentication so the user's credentials are not forwarded to the remote machine, blocking the PtH vector via RDP specifically.
Verify Restricted Admin mode is enforced (PowerShell):
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" `
    -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
# Safe result (0 = Restricted Admin ENABLED): DisableRestrictedAdmin : 0
# No output means the value is not set, i.e. Restricted Admin mode has not been explicitly enabled
Event log — detect PtH attempts:
# Event ID 4624 with Logon Type 3 + NtLmSsp auth package = PtH indicator
# Event ID 4625 failed logon — watch for repeated failures across accounts
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} |
    Where-Object { $_.Message -match "NtLmSsp" -and $_.Message -match "Logon Type:\s+3" } |
    Select-Object TimeCreated, Message |
    Format-List
Detection indicators:

Auth Package: NtLmSsp in Security Event Log, network logon with hash
Event ID 4624: Logon Type 3 (Network) with NtLmSsp auth, PtH indicator
Event ID 4648: Explicit credential logon, hash injected via tool
Tool: xfreerdp /pth, crackmapexec --hash, Mimikatz sekurlsa::pth
RDP Source: Unexpected RDP sessions from non-standard source IPs
Logon Hours: RDP sessions outside normal business hours
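The indicator table above, applied programmatically: this added example (not code from the original page or from Barr Cyber) evaluates Security events exported as Windows event XML (the form returned by Get-WinEvent's ToXml() and ingested by SIEMs) using EventData fields instead of the locale-dependent Message text. The VPN subnet (10.8.0.0/16), the business-hours window and the sample events are assumptions constructed for the example.

```python
# Added example, not from the original page: evaluate the indicators in the table
# above against Security events in Windows event XML, using EventData fields
# rather than locale-dependent Message text. VPN subnet and hours are assumptions.
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VPN_NET = ipaddress.ip_network("10.8.0.0/16")  # assumed VPN subnet
BUSINESS_HOURS = range(8, 18)                  # assumed 08:00-17:59 (UTC, as SystemTime)

def parse_event(xml_text):
    """Return (event_id, timestamp, {EventData Name: value}) for one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    # SystemTime carries 7 fractional digits and a Z suffix; keep only the seconds part
    ts = datetime.strptime(system.find("e:TimeCreated", NS).get("SystemTime")[:19], "%Y-%m-%dT%H:%M:%S")
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, ts, data

def pth_indicators(xml_text):
    """Return the names of the indicators this event matches (empty list = nothing flagged)."""
    event_id, ts, d = parse_event(xml_text)
    hits = []
    if event_id == 4624 and d.get("LogonType") == "3" and (
            d.get("AuthenticationPackageName") == "NTLM" or d.get("LogonProcessName") == "NtLmSsp"):
        hits.append("4624 network logon via NtLmSsp")  # PtH indicator from the table
    if event_id == 4648:
        hits.append("4648 explicit credential logon")
    if event_id in (4624, 4648):
        ip = d.get("IpAddress", "-")
        if ip not in ("-", "") and ipaddress.ip_address(ip) not in VPN_NET:
            hits.append("RDP/network source outside VPN subnet")
        if ts.hour not in BUSINESS_HOURS:
            hits.append("logon outside business hours")
    return hits

# Constructed sample events (not real telemetry): one NTLM network logon from an
# internet address after hours, one Kerberos logon from the VPN during the day.
SAMPLE_PTH = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2026-03-02T22:15:04.1234567Z"/></System>
<EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">203.0.113.7</Data></EventData></Event>"""
SAMPLE_OK = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2026-03-02T10:05:00.0000000Z"/></System>
<EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="IpAddress">10.8.3.21</Data></EventData></Event>"""
```

Feed `pth_indicators` each event from an exported Security log and alert on any non-empty result; a single NTLM network logon is only an indicator, so correlate with the 4648 and source-address hits before escalating.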

Step 1 — Enable Restricted Admin mode for RDP (blocks PtH via RDP):

reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

Step 2 — Scope RDP to VPN only (eliminates internet-facing RDP entirely):

# Disable RDP entirely (fDenyTSConnections=1); leave it at 0 if RDP must stay reachable over the VPN
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
# Restrict the built-in inbound RDP firewall rule to the VPN subnet only (replace 100.0.0.0/8 with your VPN subnet)
netsh advfirewall firewall set rule name="Remote Desktop - User Mode (TCP-In)" new remoteip=100.0.0.0/8

Step 3 — Enable LSASS PPL (prevents hash extraction in the first place — see BCY-ADV-2026-008):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
# Takes effect after a reboot

Verify Restricted Admin is enabled:

Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin
# Expected: DisableRestrictedAdmin : 0

Barr Cyber — Endpoint Hardening & System Configuration

Restricted Admin mode for RDP is applied in every Barr Cyber endpoint hardening engagement. Combined with VPN-scoped RDP access, Pass-the-Hash via RDP is eliminated as an attack vector.
