NTLM Is Dead. Your Password Hash Isn’t: Abusing SamrSetInformationUser in Active Directory Last week Microsoft published a three-phase plan to kill the NTLM authentication protocol. My LinkedIn …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

Microsoft's plan to deprecate the NTLM authentication protocol doesn't eliminate the underlying security risk: the NT hash stored in Active Directory is also used by Kerberos, so it persists after migration. The SamrSetInformationUser RPC function allows setting a user's password hash directly in AD without submitting the actual password, bypassing all GPO complexity rules, custom password filters, and third-party policy tools. Only Password Reset permissions on the target account are required. A proof-of-concept PowerShell script demonstrates the attack, reducing a password to a single character '1' while all policies remain active. A defensive approach is also presented: hooking SamrSetInformationUser inside the LSASS process using EasyHook to intercept and block direct hash writes. The core lesson is that password policy enforcement must happen at the layer where hashes are actually written to the directory, not only where policies are defined.