At its core, NTLM works by having the user encrypt a server-issued challenge with their password hash to establish a connection. An attacker who is able to use the challenge in a parallel session with the server needs only to forward “the same encrypted hash to create a successful NTLM authentication”, and can then use this to open a session (such as SMB) and infect the target system with malware.
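
The following in-memory model is an added example, not code from the article or from any NTLM implementation; it shows why a server that only checks the response against the challenge cannot tell a direct answer from a forwarded one. HMAC-SHA256 and SHA-256 stand in for the real NTLM computations, and every name in it (`Server`, `compute_response`, the session labels, the account) is hypothetical.

```python
import hashlib
import hmac
import os

def password_hash(password: str) -> bytes:
    # Stand-in for the NT hash; real NTLM derives it differently.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Stand-in for the NTLM response: a keyed function of the challenge only.
    # Nothing about the connection or the target service goes into it.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, accounts):
        self.hashes = {user: password_hash(pw) for user, pw in accounts.items()}
        self.pending = {}  # session id -> outstanding challenge

    def issue_challenge(self, session_id: str) -> bytes:
        self.pending[session_id] = os.urandom(8)
        return self.pending[session_id]

    def verify(self, session_id: str, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(session_id, None)  # one use per challenge
        if challenge is None or user not in self.hashes:
            return False
        expected = compute_response(self.hashes[user], challenge)
        return hmac.compare_digest(expected, response)

def demo():
    # Constructed account and password, for illustration only.
    server = Server({"alice": "constructed-sample-password"})
    user_hash = password_hash("constructed-sample-password")

    # 1. The user answers a challenge on their own session.
    c1 = server.issue_challenge("session-user")
    direct = server.verify("session-user", "alice", compute_response(user_hash, c1))

    # 2. A challenge issued on a parallel session is answered by the same user
    #    and handed back unchanged by whoever holds that session. The server's
    #    check is identical, so it cannot tell who delivered the response.
    c2 = server.issue_challenge("session-parallel")
    forwarded = compute_response(user_hash, c2)
    relayed = server.verify("session-parallel", "alice", forwarded)

    # 3. The same bytes against a fresh challenge fail: the random challenge
    #    stops replay of old responses, but not forwarding of a live one.
    server.issue_challenge("session-replay")
    replayed = server.verify("session-replay", "alice", forwarded)
    return direct, relayed, replayed
```

The response proves knowledge of the password hash for one challenge, but carries no proof of which connection it was produced for.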

Read full news article on SecurityWeek