In pass-the-hash attacks, New Technology LAN Manager (NTLM) password hashes are abused to compromise privileged accounts and launch further attacks.

Pass-the-hash attacks are difficult to detect because they look like legitimate events. An adversary can steal a password hash and pose as a legitimate user accessing a critical resource, leaving little or no trace for the defense system to pick up. However, it is possible to detect and stop this attack technique.

In this article, we'll decipher how pass-the-hash attacks are carried out in networks and how you can mitigate them.

Pass-the-hash attack execution pipeline

Here are the typical steps an attacker follows to infiltrate your network:

  • The first step in executing a pass-the-hash attack is to compromise a privileged system. One way adversaries invade your network and gain access to a system is using phishing emails. Once attackers compromise and infect an endpoint, they laterally move across the network to access a privileged system, such as the domain controller where all the password hashes are stored.

    This process could take several days to weeks, during which the attackers stealthily lurk in your environment identifying vulnerabilities and locations of critical resources.

  • The second step is to steal the password hash. Depending on the machine they compromise, the password hash of a normal or a privileged user account can be exposed. This is typically accomplished by reading credential material from the Local Security Authority Subsystem Service (LSASS) process and from the Local Security Authority (LSA) Secrets stored in the registry. For instance, if the domain controller is compromised, the attackers can read the memory of LSASS.exe and the Policy key of the registry that holds the LSA Secrets to obtain the NTLM password hashes of all user accounts.
  • The third step is to dump the password hashes using tools such as Mimikatz and Cobalt Strike, which are also used legitimately for penetration testing.
  • The fourth step is to use the harvested account details, such as user names and password hashes, to authenticate as those users and impersonate them.

Here's how the attackers exploit the NTLM challenge-response authentication mechanism with stolen password hashes:

  • The attacker raises a connection request to a critical server from a compromised user account.
  • The server responds to the attacker with an authentication challenge.
  • The attacker responds to the challenge with the stolen NTLM password hash of the user account. (Note that the attacker doesn't have the plaintext password of the user account, but has the password hash.)
  • The server validates the access attempt based on the password hash given by the attacker.

This way, the attacker can access any critical file or resource using the password hashes of the user accounts. Since these malicious logons and access attempts appear legitimate, it is tricky to distinguish authorized from unauthorized access, especially with traditional signature-based detection techniques. However, there are a few tools and techniques to help you catch pass-the-hash attacks during their initial stages and safeguard your network.

Tools and tips you need to detect and mitigate pass-the-hash attacks

Detecting the Indicators of Compromise (IoCs) in pass-the-hash attacks

  • Privilege escalation

    Privilege escalation attempts during pass-the-hash attacks take place using the DCSync technique, which impersonates a domain controller and requests account credential data through directory replication. This is often followed by abnormal behavior from compromised user accounts.

    1. Execution of a new process by a user account
    2. Anomalous behavior of privileged user accounts
  • Mimikatz installation

    Installing Mimikatz is a clear indication of an attack and current antivirus software is equipped to detect this.

    1. Installation of malicious software detected by antivirus software
  • Logon using password hash

    A clear giveaway of a pass-the-hash attack is a suspicious logon that uses a password hash rather than a clear text password.

    1. Password hash access (Event ID 4782)

You need to monitor your firewalls, endpoint devices, and user account logon patterns to detect pass-the-hash attacks.

Using a SIEM solution to mitigate pass-the-hash attacks

Deploying individual monitoring tools for detecting attacks doesn't help much, as you have to juggle multiple consoles to spot anomalies and obtain actionable insights.

A security information and event management (SIEM) solution helps you monitor all your network activities from a single console and provides you with all the required resources to detect and mitigate attacks.

SIEM incorporates the capabilities of intuitive analytics, real-time alerts, file integrity monitoring, automated incident response, and user and entity behavior analytics (UEBA) to help you contain and mitigate pass-the-hash attacks in your network and prevent any real damage. The pre-defined alerts will notify you of all the IoCs of pass-the-hash attacks.

You can build your own correlation rules to detect attack patterns and get notified in real-time!

The UEBA module can help you identify deviant user behavior, which assists with detecting IoCs of privilege escalations and object access attempts.
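The IoCs listed above (password hash access, DCSync-style replication requests, and NTLM logons that fan out across many hosts) can be expressed as simple correlation rules. The following is an added example, not code from the original post or from Log360; it runs over a few constructed Windows Security events in JSON form, and the hostnames, account names and the DOMAIN_CONTROLLERS set are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events (JSON lines), not real logs.
# 4782: password hash of an account was accessed; 4624: successful logon;
# 4662: operation on a directory object (DCSync uses replication rights).
SAMPLE_EVENTS = """
{"time":"2021-06-01T10:00:00","id":4782,"host":"DC01","account":"svc_backup","target":"jdoe"}
{"time":"2021-06-01T10:01:00","id":4624,"host":"FS01","account":"jdoe","pkg":"NTLM","logon_type":3}
{"time":"2021-06-01T10:02:30","id":4624,"host":"SQL01","account":"jdoe","pkg":"NTLM","logon_type":3}
{"time":"2021-06-01T10:03:10","id":4624,"host":"WEB01","account":"jdoe","pkg":"NTLM","logon_type":3}
{"time":"2021-06-01T10:05:00","id":4662,"host":"DC01","account":"jdoe","properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"time":"2021-06-01T11:00:00","id":4624,"host":"FS01","account":"asmith","pkg":"Kerberos","logon_type":3}
"""

# GUID of the DS-Replication-Get-Changes extended right. A 4662 event listing
# it for anything other than a domain controller's computer account is the
# DCSync privilege escalation indicator described in the article.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_CONTROLLERS = {"DC01"}  # assumption: hostnames of the domain controllers

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate(events, window=timedelta(minutes=5), min_hosts=3):
    """Return (rule, account) alerts raised by the three correlation rules."""
    alerts = []
    ntlm_logons = defaultdict(list)  # account -> [(time, host)]
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4782:
            alerts.append(("hash_access", e["target"]))
        elif e["id"] == 4662 and REPL_GET_CHANGES in e.get("properties", "").lower():
            acct = e["account"]
            is_dc = acct.endswith("$") and acct[:-1] in DOMAIN_CONTROLLERS
            if not is_dc:  # DCs replicate with each other legitimately
                alerts.append(("dcsync", acct))
        elif e["id"] == 4624 and e.get("pkg") == "NTLM":
            ntlm_logons[e["account"]].append((t, e["host"]))
    # Lateral movement: one account authenticating with NTLM to many hosts quickly
    for account, logons in ntlm_logons.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("ntlm_lateral", account))
                break
    return alerts

if __name__ == "__main__":
    for rule, account in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {rule}: {account}")
```

The window and host threshold are starting points; tune them against your own baseline of NTLM logons before turning the rule into a real-time alert.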

To see a SIEM solution in action, download the 30-day free trial of Log360, a ManageEngine SIEM solution, and receive a hands-on experience in detecting attacks.

Not ready to download the solution yet? Sign up for a free personalized demo for our product expert to walk you through Log360's capabilities.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.