Which attack is used when a copy of the hash of the user’s password has been obtained?


Pass-the-hash is a technique in which the attacker obtains the NTLM or LanMan hash of a user's password, rather than the plaintext password, and authenticates with the hash itself. The technique is highly prevalent on Windows systems and is one of the most successful lateral movement techniques.

However, once the user's password has been changed, the stolen hash can no longer be used. This is why security best practices insist on changing passwords every 45 or 60 days.

How does pass-the-hash attack happen?

In Windows, password hashes are stored in the Security Accounts Manager (SAM), in the memory of the Local Security Authority Subsystem Service (LSASS) process, and in the Ntds.dit database on Active Directory domain controllers. Attackers steal hashes from any of these places using the following techniques:

  • With physical access to the system, they boot the system drive into a different OS and copy the SAM file
  • They harvest password hashes by running hash-dumping tools over a remote connection
  • They sniff password hashes with malicious programs as the hashes traverse the network during the authentication process

Frequently used hash-dumping tools include mimikatz, iam.exe, genhash.exe and others. pwdump.exe is a Windows program that can be abused to obtain password hashes.

How does a Pass the Hash attack work?

  • Step 1: Attackers get into the network through a phishing campaign. Once they control a system, the malicious tools listed above are installed to harvest password hashes from the local system.

  • Step 2: Lateral movement. Using the harvested user accounts and password hashes, the attackers authenticate to other systems and resources to which the account has access.

Pass-the-hash attacks are more damaging when the compromised user account has been enabled with Single-Sign-On (SSO) option for many business apps.

How can you detect a Pass the Hash attack?

Pass the Hash attacks can be detected by analyzing your logs and detecting logon anomalies.

To detect a Pass the Hash attack in your network, configure your security tool to look for the following criteria:

Source host

  • Security event ID 4624 (An account was successfully logged on), where Logon type is 9, Authentication package is Negotiate, and Logon process is seclogo
  • Sysmon event ID 10

Target host

  • Event ID 4768: A Kerberos authentication ticket (TGT) was requested
  • Event ID 4769: A Kerberos service ticket was requested
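The detection criteria above, as an added example that is not part of the original page or of any vendor's product: the script below runs over a handful of constructed Windows Security and Sysmon event records (not real log data), flags source-host logons that match event 4624 with logon type 9, the Negotiate package and the seclogo logon process, and enriches each hit with any preceding Sysmon event 10 handle to lsass.exe on the same host and any Kerberos 4768/4769 ticket request for the same account that follows within a time window. The field names follow the Windows event XML names (TargetUserName, LogonType, AuthenticationPackageName, LogonProcessName, TargetImage); the function names and the time window are this example's own choices.

```python
"""Flag pass-the-hash indicators in Windows Security and Sysmon events.

Added example, not from the original page. Event records are constructed
for illustration; field names follow the Windows event XML names.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). "time" is ISO-8601.
SAMPLE_EVENTS = [
    # Sysmon 10: a process opened a handle to lsass.exe on WS01
    {"time": "2023-05-01T10:00:05", "host": "WS01", "provider": "Sysmon", "id": 10,
     "SourceImage": "C:\\Users\\alice\\tool.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe"},
    # Security 4624, logon type 9 via seclogo / Negotiate on the same host
    {"time": "2023-05-01T10:00:30", "host": "WS01", "provider": "Security", "id": 4624,
     "TargetUserName": "alice", "LogonType": 9,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo"},
    # Benign interactive logon on another host (should not be flagged)
    {"time": "2023-05-01T09:00:00", "host": "WS02", "provider": "Security", "id": 4624,
     "TargetUserName": "bob", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32"},
    # Security 4768 on the domain controller: TGT requested for alice afterwards
    {"time": "2023-05-01T10:01:00", "host": "DC01", "provider": "Security", "id": 4768,
     "TargetUserName": "alice", "IpAddress": "10.0.0.11"},
]


def is_seclogo_logon(ev):
    """Source-host indicator: 4624 with logon type 9, Negotiate and seclogo.
    Legitimate tooling can produce the same combination, so this is an
    indicator to be enriched and triaged, not proof on its own."""
    return (ev["provider"] == "Security" and ev["id"] == 4624
            and ev.get("LogonType") == 9
            and ev.get("AuthenticationPackageName", "").lower() == "negotiate"
            and ev.get("LogonProcessName", "").lower() == "seclogo")


def is_lsass_access(ev):
    """Sysmon 10 where the target process is lsass.exe (credential memory)."""
    return (ev["provider"] == "Sysmon" and ev["id"] == 10
            and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"))


def find_pth_indicators(events, window=timedelta(minutes=10)):
    """Return one alert per seclogo logon, enriched with lsass access on the
    same host shortly before it and Kerberos ticket requests (4768/4769)
    for the same account shortly after it."""
    parsed = [dict(ev, ts=datetime.fromisoformat(ev["time"])) for ev in events]
    alerts = []
    for ev in parsed:
        if not is_seclogo_logon(ev):
            continue
        lsass = [e for e in parsed
                 if is_lsass_access(e) and e["host"] == ev["host"]
                 and ev["ts"] - window <= e["ts"] <= ev["ts"]]
        tickets = [e for e in parsed
                   if e["provider"] == "Security" and e["id"] in (4768, 4769)
                   and e.get("TargetUserName") == ev.get("TargetUserName")
                   and ev["ts"] <= e["ts"] <= ev["ts"] + window]
        # Corroborating events on both source and target hosts raise severity
        severity = "high" if lsass and tickets else "medium"
        alerts.append({
            "host": ev["host"], "user": ev["TargetUserName"], "time": ev["time"],
            "lsass_access": [e["SourceImage"] for e in lsass],
            "ticket_events": [e["id"] for e in tickets],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_pth_indicators(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the script emits a single high-severity alert for alice on WS01, because the seclogo logon is preceded by an lsass.exe handle open and followed by a 4768 TGT request on the domain controller; bob's interactive logon on WS02 is ignored. In a real SIEM the same logic would be expressed as a correlation rule over the source-host and target-host event streams.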

How to minimize the impact of Pass the Hash attack?

  • When you have enabled SSO, make sure that you also implement multi-factor authentication. This way, even if a credential is compromised, the attacker will be unable to access the data.
  • Implement the principle of least privilege (POLP) by creating separate Domain Admin accounts and standard accounts for day-to-day work.
  • Enforce frequent password changes.

ManageEngine Log360, a comprehensive SIEM solution, can help you detect these attacks with its powerful correlation engine, real-time event response system, and log forensic analysis capabilities. The solution quickly detects the indicators of compromise associated with the pass-the-hash attack. It further enriches the detection by correlating other relevant events and thereby accurately alerts you when this attack occurs. And that's not all. Log360 comes bundled with a threat intelligence platform, user and entity behavior analytics, and a lot more. Explore the solution now.

What is a pass-the-hash attack?

Pass the hash is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session.

What is a password hash?

A password hash is a one-way mathematical function that turns a user’s password into a string of text that cannot be reversed or decoded to reveal the actual password. Put simply, the passwords aren’t stored as text or characters, but nondescript hash symbols.

Why are pass the hash attacks a growing concern?

As more and more organizations leverage single sign-on (SSO) technology to enable a remote workforce and reduce friction within the user experience, attackers have come to recognize the inherent vulnerability of stored passwords and user credentials.

Identity-based attacks, such as pass the hash attacks, where adversaries pose as legitimate users are particularly difficult to detect because most traditional cybersecurity solutions cannot differentiate between a real user and an attacker masquerading as one.

Protecting against pass the hash attacks is critical because this technique often serves as a gateway to other, more serious security issues, such as data breaches, identity theft, and malware or ransomware attacks.


Understanding Pass the Hash Attacks

Understanding the mechanics of a pass the hash attack first requires a basic awareness of how the company’s identity and access management (IAM) system works. IAM is a framework that allows an organization’s IT team to authenticate users and control access to systems, networks and assets based on each user’s identity.

Companies can store users’ passwords within the IAM system in one of three ways:

  1. As plain text, which is considered highly insecure and not recommended
  2. Using encryption, which provides more protection, but is reversible through decryption or with the decryption key
  3. As a hash function, which, as noted above, cannot be decoded to reveal the password

When an authorized user logs in to a company's system, the system hashes the entered password with the same function that was used when the user first set up their login credentials. The user is authenticated because the hash value computed from the entered password matches the one stored in the system.

How does a pass the hash attack work?

In a pass the hash attack, the attacker typically gains access to the network through a social engineering technique such as phishing, which is when a cybercriminal preys on another person’s emotions, such as fear, empathy or greed, to convince them to share personal information or to download a malicious file.

Once the attacker gains access to the user’s account, they use various tools and techniques that scrape the active memory to derive data that will lead them to the hashes.

Armed with one or more valid password hashes, the attacker gains full system access, enabling lateral movement across the network. As the attacker impersonates the user from one application to the next, they often engage in hash harvesting — accumulating additional hashes throughout the system which can be used to access more areas of the network, add account privileges, target a privileged account, and set up backdoors and other gateways to enable future access.

Who is vulnerable to pass the hash attacks?

Windows server clients, and organizations that use Windows New Technology LAN Manager (NTLM), in particular, are among the most vulnerable to pass the hash attacks.

NTLM is a suite of Microsoft security protocols that authenticate users’ identity and protect the integrity and confidentiality of their activity. Essentially, NTLM is an SSO tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password, a process known as NTLM authentication.

NTLM was subject to several known security vulnerabilities related to password hashing and salting. In NTLM, passwords stored on the server and domain controller are not “salted” — meaning that a random string of characters is not added to the hashed password to further protect it from cracking techniques. This means that adversaries who possess a password hash do not need the underlying password to authenticate a session.
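The storage comparison above (plaintext, encryption, hash) and the point about unsalted hashes, shown as an added example that is not part of the original page and does not reproduce Microsoft's NTLM code: NTLM's real hash is MD4 over the UTF-16LE password, which this script does not implement; SHA-256 and PBKDF2-HMAC-SHA256 stand in so the comparison runs with the Python standard library. The script shows that without a salt every account sharing a password stores the identical value, so one leaked hash reveals all of them and can be matched against precomputed tables, whereas a per-account random salt makes each stored record unique and still verifies the correct password. The function names, the iteration count and the sample passwords are this example's own assumptions.

```python
"""Unsalted vs salted password storage.

Added example, not from the original page. SHA-256 / PBKDF2 stand in for
NTLM's MD4-based hash; the point is what salting changes, not the exact
NTLM algorithm.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def unsalted_hash(password: str) -> bytes:
    """Unsalted, unkeyed hash: the same password always yields the same value,
    on every account and every host (the NTLM storage model)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def salted_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> dict:
    """Salted, iterated hash: a fresh random salt per account makes every
    stored record unique and forces a separate guessing effort per record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def accounts_sharing_hash(store: Dict[str, bytes], digest: bytes) -> List[str]:
    """Defender's view of an unsalted store: every account whose stored value
    equals one known digest shares that password, so a single exposed hash
    exposes all of them at once."""
    return [user for user, stored in store.items() if stored == digest]


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same password.
    unsalted_store = {
        "alice": unsalted_hash("Spring2023!"),
        "bob": unsalted_hash("Spring2023!"),
        "carol": unsalted_hash("correct horse battery staple"),
    }
    print("unsalted, identical values:",
          accounts_sharing_hash(unsalted_store, unsalted_hash("Spring2023!")))

    salted_store = {user: salted_record("Spring2023!") for user in ("alice", "bob")}
    print("salted digests differ:",
          salted_store["alice"]["digest"] != salted_store["bob"]["digest"])
    print("alice verifies:", verify_salted("Spring2023!", salted_store["alice"]))
```

Note that salting addresses offline cracking and cross-account matching; a protocol that accepts the stored value itself as the credential still needs the other controls the page lists (MFA, least privilege, monitoring) to contain a stolen hash.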

NTLM’s cryptography also fails to take advantage of new advances in algorithms and encryption that significantly enhance security capabilities.

While NTLM was replaced as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains by Kerberos, it is still maintained in all Windows systems for compatibility purposes between older clients and servers. For example, computers still running Windows 95, Windows 98 or Windows NT 4.0 will use the NTLM protocol for network authentication with a Windows 2000 domain. Meanwhile, computers running Windows 2000 will use NTLM when authenticating servers with Windows NT 4.0 or earlier, as well as when accessing resources in Windows 2000 or earlier domains. NTLM is also used to authenticate local logons with non-domain controllers.

Spotlight on a Recent Pass-the-Hash Attack

In April 2022, a ransomware-as-a-service (RaaS) platform called Hive leveraged a pass-the-hash technique to advance a coordinated attack that targeted a large number of Microsoft’s Exchange Server customers, including those in the energy, financial services, nonprofit and healthcare sectors.

The attack took advantage of a particular Microsoft Exchange Server vulnerability known as ProxyShell. Though this vulnerability was quickly patched by Microsoft, many businesses had not updated their software and were left exposed.

The attackers leveraged the ProxyShell vulnerability to plant a backdoor web script which was used to run malicious code on the Exchange server. Attackers then took control of the system via the pass-the-hash technique, using Mimikatz to steal the NTLM hash. Hive then performed reconnaissance on the server, collected data and deployed the ransomware payload.

Pass the Hash Mitigation

To prevent pass the hash attacks at the enterprise level, organizations must understand that traditional security best practices, such as setting strong password requirements and monitoring for multiple login attempts, will be of limited help for this particular attack method. Fortunately there are several other effective steps companies can take to prevent pass the hash attacks and limit their impact:

1. Enable multifactor authentication (MFA).

Organizations that implement multifactor authentication (MFA) are far more protected from pass the hash attacks since attackers generally only have the user hash at their disposal — the likes of which are virtually meaningless without a secondary form of authentication. MFA may include a combination of traditional account credentials, security token via text message, authenticator tool, or biometric verification to verify the user’s identity before granting access to the requested service.

2. Limit network access and account privileges.

For organizations that do not implement MFA, a compromised hash can be the gateway to a larger breach. For that reason, organizations should also take steps to limit network access to contain the hacker’s movement and limit damage. Some techniques include:

  • Principle of least privilege (POLP): Principle of least privilege (POLP) is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job. It ensures only authorized users whose identity has been verified have the necessary permissions to execute jobs within certain systems, applications, data and other assets. It is widely considered to be one of the most effective practices for strengthening the organization’s cybersecurity posture, because it allows organizations to control and monitor network and data access.
  • Zero Trust: Zero Trust is a security framework requiring authentication, authorization and continuous validation of all users (whether inside or outside the organization's network) before they receive access to applications and data. It combines advanced technologies such as risk-based MFA, identity protection, next-generation endpoint security and robust cloud workload technology to verify a user's or system's identity, consider the access request at that moment in time, and maintain system security. Zero Trust also requires consideration of data encryption, email security and verification of the hygiene of assets and endpoints before they connect to applications.
  • Privileged access management (PAM): Privileged access management (PAM) is a cybersecurity strategy that focuses on maintaining the security of administrator accounts and their privileged credentials.
  • Identity segmentation: Identity segmentation is a method to restrict user access to applications or resources based on identities.

3. Implement IT hygiene.

An IT hygiene tool such as CrowdStrike Falcon® Discover™ provides visibility into the use of credentials across the organization to detect potentially malicious admin activity. The account monitoring feature allows security teams to check for the presence of privileged accounts created by attackers to maintain access. It will also help ensure that passwords are changed regularly, so stolen credentials can’t be used forever.

4. Conduct penetration testing.

Penetration testing, sometimes referred to as pen testing or ethical hacking, is another important step organizations can take to protect themselves from identity-based attacks like pass the hash. Pen testing simulates a variety of real-world cyberattacks in order to test an organization’s cybersecurity capabilities and expose vulnerabilities. The test includes system identification, enumeration, vulnerability discovery, exploitation, privilege escalation, lateral movement and objectives.

5. Implement a cloud infrastructure entitlement management (CIEM).

As today’s enterprises transition more of their systems and business processes to the cloud, the challenge of defining permissions and monitoring access grows increasingly complex. A cloud infrastructure entitlement management (CIEM) is an identity-centric SaaS solution that can help enterprises manage entitlements across all of their cloud infrastructure resources. The primary goal of this tool is to mitigate the risk that comes from the unintentional and unchecked granting of excessive permissions to cloud resources.

6. Embrace proactive threat hunting.

True proactive threat hunting, such as CrowdStrike Falcon® OverWatch™, enables 24/7 hunting for unknown and stealthy attacks that utilize stolen credentials and are conducted under the guise of legitimate users. These are the types of attacks that standard measures can miss. Employing the expertise gained from daily “hand-to-hand combat” with sophisticated advanced persistent threat (APT) actors, the OverWatch team finds and tracks millions of subtle hunting leads daily to validate if they are legitimate or malicious, alerting customers when necessary.

Which attack is used when a copy of the hash of the user's password?

A rainbow table attack is used when a copy of the hash of the user's password has been obtained: the hash is looked up in a precomputed table of hashes, and when a match is found, the password has been cracked.

What is a pass the hash attack?

Pass the hash is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system.

Which authentication attack uses a hash for authentication rather than the original password?

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

What is password brute force attack?

A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.
