Threat (Lateral Movement)
Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes of a user’s password – instead of the user’s plaintext password – to authenticate to a directory or resource.
How Pass-the-Hash Works
The following is a summarization of how the attack works:
- An attacker obtains the password hashes of one or more users on a computer network.
  - This is typically accomplished by extracting password hashes that exist in memory on a compromised machine, or via more advanced attacks that have already taken place, such as the successful compromise of Active Directory’s NTDS.dit file.
- Using Mimikatz (or a similar tool), the attacker leverages the compromised user’s username and password hash to authenticate to other systems or resources that the account has access to.
Important Notes about Pass the Hash attacks:
- Successful execution of a Pass the Hash attack does not necessarily grant the attacker elevated or privileged access rights to network resources. The attack, while serious, only provides a way for the attacker to obtain the equivalent of a user’s password without having to actually know the plaintext password. Ultimately, the attacker only has as much access as the account they’ve compromised.
- That said, savvy attackers can effectively use lower-profile accounts with Pass the Hash to elude detection, making it much more difficult to spot signs of compromise.
Potential Solutions and Mitigating Controls for Pass-the-Hash Attacks
Successful execution of a Pass the Hash attack requires a number of prerequisites, including improper endpoint security configuration, administrative rights on the system the attack is being perpetrated from, and the existence of or access to password hashes stored in system memory.
Microsoft has introduced several new features within Windows in recent years to make it harder to execute Pass the Hash attacks. An effective approach is to restrict where privileged accounts can log on, so that their hashes are never stored on systems from which they could be extracted. Additionally, enabling LSA Protection, leveraging the Protected Users security group, and using Restricted Admin mode for Remote Desktop are other ways in which you can mitigate and prevent Pass the Hash attacks.
In addition to proper upfront security, monitoring authentication and logon activity for abnormalities can expose attempts to leverage the aforementioned attack paths. These attacks often follow patterns and result in accounts being used in ways that are not normal. Being alerted to this as it occurs can detect an attack before it is too late.
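As an added illustration of the monitoring approach described above (example code written for this page, not a Stealthbits tool or a Windows API), the script below builds a per-account baseline of source addresses from constructed Windows Security event 4624 (successful logon) records and flags NTLM network logons for an account from a host it has never used, which is exactly what a hash replayed from a newly compromised machine produces. The field names follow the 4624 schema; all values are made up.

```python
from collections import defaultdict

# Constructed sample records shaped like Windows Security event 4624 (successful logon).
# HISTORY stands in for a learning window of known-good activity; TODAY is the batch under review.
HISTORY = [
    {"TargetUserName": "jdoe", "IpAddress": "10.0.1.20", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"TargetUserName": "jdoe", "IpAddress": "10.0.1.20", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.5.9", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
]
TODAY = [
    # Same account, same source as always: benign.
    {"TargetUserName": "jdoe", "IpAddress": "10.0.1.20", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    # NTLM network logon for an account from a host it has never been seen on: alert.
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.7.44", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    # Kerberos logon from a new host: outside this NTLM-focused rule, no alert.
    {"TargetUserName": "jdoe", "IpAddress": "10.0.7.44", "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    # Interactive logon (type 2): not a network logon, no alert from this rule.
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.7.44", "LogonType": 2, "AuthenticationPackageName": "NTLM"},
]


def is_ntlm_network_logon(ev):
    """Logon type 3 (network) authenticated with the NTLM package."""
    return ev["LogonType"] == 3 and ev["AuthenticationPackageName"] == "NTLM"


def build_baseline(events):
    """Map each account to the set of source addresses it has used for NTLM network logons."""
    baseline = defaultdict(set)
    for ev in events:
        if is_ntlm_network_logon(ev):
            baseline[ev["TargetUserName"]].add(ev["IpAddress"])
    return baseline


def detect(events, baseline):
    """Return (user, source) pairs for NTLM network logons from a source never seen for that account."""
    alerts = []
    for ev in events:
        if not is_ntlm_network_logon(ev):
            continue
        user, src = ev["TargetUserName"], ev["IpAddress"]
        if src not in baseline.get(user, set()):
            alerts.append((user, src))
    return alerts


if __name__ == "__main__":
    for user, src in detect(TODAY, build_baseline(HISTORY)):
        print(f"ALERT: NTLM network logon for {user} from {src} is not in this account's baseline")
```

In production the baseline would be learned from weeks of real 4624 data and keyed on hostname as well as address; the value of the rule is that a replayed hash shows up as an account authenticating from a machine it has no history with.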