Attack Technique 1: Pass the Hash: Use Alternate Authentication Material (T1550.002)

Pass-the-Hash (PtH) Attacks: A Comprehensive Overview and Mitigation Strategies

Pass-the-Hash (PtH) is a credential-reuse technique catalogued in MITRE ATT&CK as sub-technique T1550.002 under Use Alternate Authentication Material (T1550). It lets adversaries authenticate with a stolen NT hash in place of the password, bypassing access controls that assume possession of a password, and it is a staple of lateral movement in Windows domains because the hash never has to be cracked.


Understanding Pass-the-Hash Attacks

A PtH attack typically unfolds in several phases:

  1. Initial Access: Attackers gain entry into the target network through methods such as phishing, exploiting vulnerabilities, or other social engineering tactics.

  2. Credential Theft: Once inside, attackers obtain NT hashes from a host on which they already hold local administrator rights. Common sources are:

    • The Local Security Authority Subsystem Service (LSASS) process, whose memory caches the NT hash for every interactive and service logon session on the machine (scraped with tools such as Mimikatz).

    • The Security Account Manager (SAM) database, which holds the hashes of local accounts; on a domain controller, the NTDS.dit database holds the hashes of every domain account.

  3. Session Creation: The stolen NT hash is then used to authenticate to other systems as that account. On the target this looks like an ordinary NTLM network logon; the attacker never needs to know or crack the plaintext password.


Technical Mechanism of NTLM

At the core of the PtH technique lies the New Technology LAN Manager (NTLM) protocol, which authenticates a client with a challenge-response exchange: the server sends a random challenge and the client returns a response computed with a key derived from the user's NT hash (MD4 over the UTF-16LE password). The password itself never enters that computation, so whoever holds the hash can produce a valid response; the hash is a password equivalent. The NT hash is also unsalted, which is a separate weakness: it makes pre-computed (rainbow table) cracking practical and means two accounts with the same password share the same hash, but it is not what makes PtH possible.

Once an NT hash is extracted, it can be replayed in this exchange against any system that accepts NTLM authentication for the compromised account. This enables:

  • Lateral movement across the network.

  • Privilege escalation to gain access to sensitive systems.


Security Implications

PtH attacks are particularly concerning because they exploit a design limitation within the NTLM protocol, prioritizing compatibility and convenience over security. Key risks include:

  • Rapid lateral movement within the network.

  • Escalation of privileges, potentially leading to a full compromise of critical systems.

  • Data exfiltration or ransomware deployment, causing significant operational and financial damage.


Tools and Techniques for Pass-the-Hash Attacks

1. Mimikatz

Mimikatz is a powerful post-exploitation tool used for credential theft, including PtH attacks. Its key capabilities include:

  • Extracting password hashes from LSASS memory.

  • Authenticating to other systems using stolen NTLM hashes.

Execution Steps Using Mimikatz:

  • Stealing Password Hashes:

    privilege::debug
    sekurlsa::logonpasswords

    This dumps the credential material cached for every logon session (the NT hash from the msv provider, Kerberos keys and tickets, and on older systems the plaintext password kept by wdigest). Both commands require local administrator rights: privilege::debug enables SeDebugPrivilege so Mimikatz can open a handle to LSASS.

  • Authenticating with Stolen Hashes:

    sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<ntlm_hash> /run:cmd.exe

    This starts a new process (cmd.exe here; /run: is optional and defaults to cmd.exe) whose logon session carries the supplied hash in place of the caller's own credentials, so any NTLM authentication made from that process, for example a net use or a PsExec session, is performed as the victim account.

2. PowerShell (Invoke-WMIExec)

Invoke-WMIExec is not a built-in cmdlet: it belongs to the Invoke-TheHash collection of PowerShell scripts, which implement NTLMv2 authentication in pure PowerShell so that a command can be run over WMI on a remote host using only the NT hash, without touching LSASS on the attacker's machine. The account must be a local administrator on the target (WMI remote execution requires it), but no elevation is needed on the host the script runs from.

Example Command:

Invoke-WMIExec -Target <IP> -Domain <domain> -Username <user> -Hash <NTLM_hash> -Command "<command>"

3. evil-winrm

evil-winrm is a Ruby shell for the Windows Remote Management (WinRM) protocol that accepts an NT hash (-H) in place of a password. WinRM listens on TCP 5985 (HTTP) and 5986 (HTTPS) and is enabled by default on Windows Server, so the only requirement is that the account be a local administrator or a member of the Remote Management Users group on the target.

Example Usage:

evil-winrm -u <username> -H <NTLM_hash> -i <target_IP>

Detection Techniques

Detecting PtH attacks requires vigilant monitoring of system events and logs. No single event proves PtH; the value lies in combining these Windows Security and Sysmon events:

  • Event ID 4624 (Security): Successful logon. Two patterns matter. On the attacker's host, sekurlsa::pth produces a Logon Type 9 (NewCredentials) logon with Logon Process "seclogo" and Authentication Package "Negotiate". On the target, the replayed hash produces a Logon Type 3 (network) logon with Logon Process "NtLmSsp" and Authentication Package "NTLM" for an account that normally authenticates with Kerberos.

  • Event ID 4776 (Security, on the domain controller): NTLM credential validation for a domain account; useful for spotting NTLM use where Kerberos is expected.

  • Event ID 4688 (Security): Process creation; the child process spawned by sekurlsa::pth, or unusual parent/child pairs around the time of the logons.

  • Sysmon Event ID 10 (ProcessAccess): A non-system process opening a handle to lsass.exe, typically with GrantedAccess 0x1010 or 0x1410 (PROCESS_VM_READ plus query-information rights), the pattern Mimikatz leaves when it reads credentials. This is a Sysmon event, not a Windows Security event, so Sysmon must be deployed to see it.

  • Event ID 4672 (Security): Special privileges assigned to a new logon; an administrative logon appearing on a host where that account has no business is a strong signal.

Correlating these in time and by host (lsass.exe access, then a Type 9 logon on the same host, then NTLM network logons from that host's IP address elsewhere) separates PtH from the background noise of legitimate NTLM use.


Mitigation Strategies

To defend against PtH attacks, organizations should adopt the following practices:

  1. Enable Credential Guard: Credential Guard uses virtualization-based security to keep NT hashes and Kerberos tickets in an isolated process (LSAIso) that even SYSTEM-level code reading LSASS memory cannot inspect. It protects domain credentials only; local account hashes in the SAM are not covered, which is one reason item 4 matters.

  2. Enforce Strong Authentication:

    • Reduce NTLM use: audit with the "Network security: Restrict NTLM" policies and then block it where nothing depends on it. Moving to Kerberos alone is not a cure: its keys are also derived from the password, and with the RC4-HMAC encryption type the key is the NT hash itself (the basis of "overpass-the-hash"), so also disable RC4 and enforce AES for Kerberos.

    • Place privileged accounts in the Protected Users group, whose members cannot authenticate with NTLM at all.

    • Implement Multi-Factor Authentication (MFA) for an additional layer of security.

  3. Restrict Privileges: Apply the Principle of Least Privilege so that the account whose hash is stolen on one host is not an administrator on the next, and keep Domain Admin accounts off workstations.

  4. Implement LAPS (Local Administrator Password Solution): This gives every machine a unique, regularly rotated local administrator password, so a local admin hash dumped from one host cannot be replayed against its neighbours.

  5. Limit Network Authentication: Deny network and RDP logon to local accounts by assigning the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" user rights to the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group); this closes the classic shared-local-admin PtH path even where passwords are reused.

  6. Monitor and Audit Logs: Continuously monitor logs for suspicious activities such as unusual logons or process executions.


Conclusion

Pass-the-Hash attacks exploit a fundamental weakness in NTLM-based authentication, allowing adversaries to bypass traditional security controls and move laterally within a network. By understanding the mechanics of PtH and leveraging tools such as Mimikatz, PowerShell, and evil-winrm, attackers can achieve significant control over target environments.

To combat this threat, organizations must adopt a multi-faceted defense strategy that includes:

  • Strong authentication protocols.

  • Least privilege principles.

  • Advanced monitoring and detection mechanisms.

By implementing robust security measures, organizations can significantly reduce the risk of PtH attacks and protect their critical assets. For additional resources, refer to frameworks such as CIS Controls and MITRE ATT&CK.
