As mentioned in the previous chapter, this is a tactic that hackers are using that takes advantage of how NTLM protocols work. Instead of brute-forcing their way into a system or using dictionary attacks, they are using password hashes. They are therefore not seeking plaintext passwords, they just use the password hashes when requested to authenticate themselves into remote machines. Therefore, attackers are looking for the password hashes in computers which they can in turn pass to services that require authentication.

Besides the examples that were given in Chapter 6, Chasing User's Identity you can also use the PowerShell utility Nishang to harvest all local account password hashes with the Get-PassHashes command.