Pass-the-Hash
Once an adversary has gained a foothold in the network, their tactics shift to compromising additional systems and obtaining the privileges they need to complete their mission. Pass-the-hash is a credential theft and lateral movement technique in which an attacker abuses the challenge-and-response design of the NTLM authentication protocol to authenticate as a user while holding only the NTLM hash of that user's password. In NTLM, the client's answer to the server's challenge is computed from the NT hash (the MD4 digest of the UTF-16LE password), never from the password itself, so anyone who holds the hash can produce a valid response. The attacker is thus able to use the compromised account without ever obtaining or brute-forcing the plaintext password. Password hashes normally change only when the password itself is changed, which grants the adversary a long window in which to abuse the compromised user(s).
A related technique, pass-the-ticket, applies the same idea to Kerberos: both ticket-granting service (TGS) tickets and ticket-granting tickets (TGTs) can be stolen and reused by adversaries. A TGS ticket grants access only to the specific service named in the ticket, and tickets in the current user's own logon session can be exported without administrative privileges. TGTs are more valuable because they can be used to request new TGS tickets, but stealing another user's TGT requires the threat actor to have gained administrative privileges on the computer from which it is taken.
Threat Summary
Target: LM and NTLM-enabled Windows endpoints
Tools:
ATT&CK® Tactic:
ATT&CK Technique:
Difficulty
Detect: Hard
Mitigate: Hard
Respond: Medium
How Pass-the-Hash Works
Detect, Mitigate, and Respond
Mitigate (Difficulty: Hard)
Because pass-the-hash abuses a feature of the NTLM protocol rather than a bug, it cannot be eliminated entirely while NTLM remains in use. The following controls make it harder for adversaries to obtain hashes or restrict their ability to use those hashes to move laterally. Where the environment allows it, restricting or disabling NTLM in favor of Kerberos removes the protocol the technique depends on.
- Enable Microsoft's Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard uses virtualization-based security to isolate LSA secrets (including NTLM hashes and Kerberos TGTs) in a separate protected process that code in the normal OS cannot read, even as SYSTEM, so tools that dump LSASS memory no longer recover those hashes. Note that it does not protect the hashes of local accounts stored in the SAM database.
- Remove users' administrator privileges from their workstations, limiting an adversary's ability to execute malware and removing the privileges needed to extract hashes from LSASS.exe.
- Do not allow users to possess administrative privileges on a large number of endpoints. This greatly reduces a credential's value to an adversary seeking to use it for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that a compromised credential can be used by an adversary to escalate privileges.
- Randomize and store local administrator passwords using a solution like Microsoft’s Local Administrator Password Solution (LAPS). This reduces an adversary’s ability to move laterally with local accounts that share the same password.
- Do not permit local accounts to authenticate over the network. This reduces an adversary's ability to move laterally with local accounts that share the same password. Two well-known SIDs were added in Windows 8.1 and Windows Server 2012 R2 (and back-ported to earlier supported versions by update KB2871997) for this purpose: S-1-5-113 (NT AUTHORITY\Local account) matches any local account, while S-1-5-114 (NT AUTHORITY\Local account and member of Administrators group) matches any local account that is also a member of the local Administrators group. Add them to the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" user rights through group policy.
- Add privileged domain accounts to the Protected Users group to reduce credential theft risks. Members of Protected Users cannot authenticate with NTLM at all, so a stolen NT hash for such an account cannot be used for pass-the-hash.
- Configure a host-based firewall (like Windows Defender Firewall) to control and limit which hosts can communicate with which others. For example, in most environments, workstations have little need to communicate directly with other workstations over SMB, RPC or WinRM. Using a host-based firewall to block this traffic limits lateral movement even when a valid hash is in the adversary's hands.
Mitigate pass-the-ticket (Difficulty: Hard)
While pass-the-ticket cannot be entirely eliminated, the best mitigations focus on making tickets harder to steal and limiting what a threat actor can do with a stolen ticket:
- Enable Microsoft's Windows Defender Credential Guard, as above; the same virtualization-based isolation that protects NTLM hashes also protects the Kerberos tickets and keys held by LSASS.
- Do not allow users to possess administrative privileges on a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.
Respond (Difficulty: Medium)
Should pass-the-hash be detected or suspected, there are several actions one can take to respond immediately:
- Activate the incident response process and alert the response team.
- Reset the password for every account whose hash may have been exposed; a stolen hash remains valid only until the password changes, so the reset invalidates it. Do this in step with containing the compromised host, otherwise the new hash can simply be dumped again. For local administrator accounts, rotating the passwords with LAPS achieves the same result.
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities. Analyze logging (in particular network logons using NTLM from unexpected hosts) to determine whether this computer is patient zero or whether the attacker pivoted to this machine from elsewhere, and whether the attacker pivoted from this machine to another.