Incident Response: Why You Need to Detect More than Pass the Hash Technical Paper
Practitioners need to educate users, reduce the use of administrative privileges in an organization, actively avoid RDP, and do as much as possible to eliminate NTLM authentications. In spite of the progress Microsoft has made in recent years to mitigate known attacks like Pass-the-Hash (PtH), especially in Windows 8.1, this threat has not been eliminated.
This is a defensive guide that lays out the steps an incident response team needs to take to make such detection achievable. It is intended to highlight where to look and what to look for so that compromised credentials can be detected.