Microsoft's plan to deprecate the NTLM authentication protocol doesn't eliminate the underlying security risk: the NT hash stored in Active Directory is also used by Kerberos, so it persists after migration. The SamrSetInformationUser RPC function allows setting a user's password hash directly in AD without submitting the actual password, bypassing all GPO complexity rules, custom password filters, and third-party policy tools. Only Password Reset permissions on the target account are required. A proof-of-concept PowerShell script demonstrates the attack, reducing a password to a single character '1' while all policies remain active. A defensive approach is also presented: hooking SamrSetInformationUser inside the LSASS process using EasyHook to intercept and block direct hash writes. The core lesson is that password policy enforcement must happen at the layer where hashes are actually written to the directory, not only where policies are defined.
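Because the attack needs nothing beyond the Reset Password permission on the target account, the first defensive check is knowing who actually holds that permission. The following PowerShell audit is an added example, not code from the article or its proof-of-concept: it walks the user objects in an OU and reports every principal outside an expected baseline that is allowed the "Reset Password" extended right, whether granted directly, through an all-extended-rights ACE, or through GenericAll. The OU path, the CONTOSO domain name and the baseline list are placeholders to adjust; the extended-right GUID is the well-known one for User-Force-Change-Password.

```powershell
# Added example (not from the article): audit which principals can reset passwords
# on the users in an OU. Requires the ActiveDirectory module (RSAT). The OU path,
# domain name and expected-holder list below are hypothetical and must be adjusted.
Import-Module ActiveDirectory

# Well-known GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Constructed baseline of principals that are expected to hold the right.
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',
    'CONTOSO\Account Operators'
)

function Test-ResetPasswordAce {
    # Returns $true when an ACE grants the ability to reset the object's password.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)

    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [int]$Ace.ActiveDirectoryRights
    $genericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # GenericAll covers every extended right, including Reset Password.
    if (($rights -band $genericAll) -eq $genericAll) { return $true }

    # An ExtendedRight ACE applies to Reset Password when its ObjectType is that
    # right's GUID, or the empty GUID (which means "all extended rights").
    if ((($rights -band $extendedRight) -ne 0) -and
        ($Ace.ObjectType -eq $ResetPasswordGuid -or $Ace.ObjectType -eq [Guid]::Empty)) {
        return $true
    }

    return $false
}

# Placeholder search base; the AD: drive is provided by the ActiveDirectory module.
$findings = foreach ($user in Get-ADUser -Filter * -SearchBase 'OU=Users,DC=contoso,DC=com') {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if (-not (Test-ResetPasswordAce $ace)) { continue }
        if ($ExpectedHolders -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            User      = $user.SamAccountName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Each row is a delegation that could be used to write a hash that no policy ever sees.
$findings | Sort-Object Principal, User | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a user who can read the directory ACLs. Inherited entries usually point at an OU-level delegation rather than a per-account grant, so reviewing those OUs once is more effective than chasing individual accounts; any principal the report lists and the baseline does not explain is a candidate for removal or, at minimum, for alerting on password-reset events it generates.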

From infosecwriteups.com