Pass-the-hash is a technique in which the attacker obtains the NTLM hash of a user's password instead of the plain-text password and authenticates with the hash directly; the legacy LanMan hash can be abused the same way on systems that still accept LM authentication. The technique is highly prevalent on Windows networks and is one of the most successful lateral movement techniques.
However, once the user's password is changed, the stolen hash no longer works. Best security practices therefore insist on changing passwords every 45 or 60 days, which shortens the window in which a stolen hash stays useful, although it does nothing against an attacker who uses the hash before the change.
In Windows, password hashes are stored in the Security Accounts Manager (SAM) database for local accounts, in the memory of the Local Security Authority Subsystem Service (LSASS) process for users who are currently logged on, and in the Ntds.dit database on Active Directory domain controllers for domain accounts. Attackers steal hashes from any of these locations using the tools below:
Frequently used hash-dumping tools include mimikatz, iam.exe and genhash.exe (the latter two from the Pass-The-Hash Toolkit), among others. pwdump.exe is another Windows program that extracts password hashes from the SAM.
Step 1: Attackers get into the network through a phishing campaign. Once they have a foothold on a system, they install the tools above to harvest password hashes from that system.
Step 2: Lateral movement. Using the harvested account names and password hashes, the attackers authenticate to other systems and resources that those accounts can access, without ever needing the plain-text passwords.
Pass-the-hash attacks are more damaging when the compromised account is enabled for single sign-on (SSO) to many business applications, because one stolen credential then opens all of them.
Pass-the-hash attacks can be detected by analyzing your logs for logon anomalies.
To detect a pass-the-hash attack in your network, configure your security tool to look for the following criteria:
Event ID 4624: An account was successfully logged on, with all of the following fields:
Logon type: 9 (NewCredentials, a logon session created with explicit credentials for outbound connections)
Authentication package: Negotiate
Logon process: seclogo
This combination is recorded on the source host when a tool such as mimikatz injects a hash into a new logon session. A legitimate runas /netonly produces the same pattern, so check which process created the session before alerting.
Sysmon event ID 10: Process Access, where the target image is lsass.exe and the source image is not a known security product or system process; a hash-dumping tool has to read LSASS memory to get the hashes.
Event ID 4768: A Kerberos authentication ticket (TGT) was requested, in particular with ticket encryption type 0x17 (RC4-HMAC) for an account that normally uses AES. An NT hash used as a Kerberos key yields RC4-encrypted tickets (overpass-the-hash), so RC4 where AES is expected is the indicator, not 4768 by itself.
Event ID 4769: A Kerberos service ticket was requested, again with RC4 encryption where AES is expected, or for services the account does not normally access.
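The following is an added example, not part of the original page or of any ManageEngine product: a small Python matcher that applies the three indicators above (4624 type 9 / Negotiate / seclogo, Sysmon 10 access to lsass.exe, 4768 with RC4 ticket encryption) to constructed, flattened Windows event records and then correlates them per host and user within a time window. The field names (EventID, LogonType, AuthenticationPackageName, LogonProcessName, SourceImage, TargetImage, TicketEncryptionType, TimeCreated) mirror the Windows Security and Sysmon schema; the sample events, the LSASS access allow-list and the severity levels are assumptions made for the demonstration.

```python
from datetime import datetime

# Constructed sample events (not real logs). Each dict is one flattened
# Windows Security / Sysmon event with the fields the indicators need.
SAMPLE_EVENTS = [
    # Source host: a new logon session created from explicit credentials,
    # the pattern left by mimikatz-style hash injection (and by runas /netonly).
    {"EventID": 4624, "Computer": "WS01", "LogonType": 9,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "TargetUserName": "jdoe", "TimeCreated": "2024-05-01T10:00:05"},
    # Sysmon 10: a process from a user profile opening lsass.exe.
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": "C:\\Users\\jdoe\\Desktop\\m.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010", "TimeCreated": "2024-05-01T10:00:03"},
    # Domain controller: TGT requested with RC4-HMAC (0x17) for the same user.
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.15", "TicketEncryptionType": "0x17",
     "TimeCreated": "2024-05-01T10:00:07"},
    # Benign interactive logon: must not fire.
    {"EventID": 4624, "Computer": "WS02", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32",
     "TargetUserName": "asmith", "TimeCreated": "2024-05-01T09:30:00"},
    # Benign Sysmon 10: an allow-listed security product reading lsass.
    {"EventID": 10, "Computer": "WS02",
     "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010", "TimeCreated": "2024-05-01T09:31:00"},
]

# Assumed allow-list of processes that legitimately open LSASS (EDR, AV).
LSASS_ACCESS_ALLOWLIST = {"C:\\Program Files\\Windows Defender\\MsMpEng.exe"}


def explicit_credential_logon(e):
    """4624 with logon type 9, Negotiate and seclogo (source-host indicator)."""
    return (e.get("EventID") == 4624 and e.get("LogonType") == 9
            and e.get("AuthenticationPackageName") == "Negotiate"
            and e.get("LogonProcessName", "").lower() == "seclogo")


def lsass_access(e):
    """Sysmon 10 where a non-allow-listed process opens lsass.exe."""
    return (e.get("EventID") == 10
            and e.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and e.get("SourceImage") not in LSASS_ACCESS_ALLOWLIST)


def rc4_tgt_request(e):
    """4768 whose ticket encryption type is RC4-HMAC (0x17)."""
    return (e.get("EventID") == 4768
            and e.get("TicketEncryptionType", "").lower() == "0x17")


RULES = {
    "explicit_credential_logon": explicit_credential_logon,
    "lsass_access": lsass_access,
    "rc4_tgt_request": rc4_tgt_request,
}


def match_indicators(events):
    """Return (rule_name, event) pairs for every indicator that fires."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]


def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])


def correlate(events, window_seconds=300):
    """Raise one alert per explicit-credential logon, escalating severity when
    an LSASS read on the same host precedes it and an RC4 TGT request for the
    same user follows it inside the window (assumed severity scheme)."""
    by_name = {}
    for name, e in match_indicators(events):
        by_name.setdefault(name, []).append(e)
    alerts = []
    for logon in by_name.get("explicit_credential_logon", []):
        t0, host, user = _ts(logon), logon["Computer"], logon["TargetUserName"]
        lsass_before = [e for e in by_name.get("lsass_access", [])
                        if e["Computer"] == host
                        and 0 <= (t0 - _ts(e)).total_seconds() <= window_seconds]
        tgt_after = [e for e in by_name.get("rc4_tgt_request", [])
                     if e["TargetUserName"] == user
                     and 0 <= (_ts(e) - t0).total_seconds() <= window_seconds]
        severity = "medium"
        if lsass_before:
            severity = "high"
        if lsass_before and tgt_after:
            severity = "critical"
        alerts.append({"host": host, "user": user, "severity": severity,
                       "lsass_access": len(lsass_before), "rc4_tgt": len(tgt_after)})
    return alerts


if __name__ == "__main__":
    for name, e in match_indicators(SAMPLE_EVENTS):
        print(f"{name:26s} {e['Computer']} {e['TimeCreated']}")
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The escalation order reflects the page's own sequence: hashes are read from LSASS first, then injected into a fresh logon session, then used against other hosts, which in a Kerberos domain shows up as an RC4 TGT request on the domain controller. The RC4 rule only works as a signal once you know the account normally gets AES tickets; in a domain that still uses RC4 everywhere, baseline the encryption type per account before enabling it.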
ManageEngine Log360, a comprehensive SIEM solution, can help you detect these attacks with its correlation engine, real-time event response system, and log forensic analysis capabilities. The solution detects the indicators of compromise associated with pass-the-hash listed above, correlates them with other relevant events, and alerts you when the attack occurs. Log360 also comes bundled with a threat intelligence platform, user and entity behavior analytics, and a lot more. Explore the solution now.
Zoho Corporation Pvt. Ltd. All rights reserved.