QOMPLX Knowledge | Jul 8, 2021

QOMPLX Knowledge: Detecting Pass-the-Hash Attacks

This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Before cyber adversaries can compromise an IT environment, they need to gain a foothold in it. That means gaining control over an active account, often a low-privilege user. “Pass-the-Hash” is a credential theft and re-use attack that is one of the most common methods of lateral movement within compromised IT environments. Adversaries exploit a known weakness in the NTLM protocol: password hashes captured from memory on a compromised host can be re-used, without the cleartext password, to access other network resources. This sets up Pass-the-Ticket and eventually Golden and Silver Ticket attacks that can give an attacker control over an entire network domain.

Key Points:

  • Pass-the-Hash (PtH) is a common post-exploitation attack. A threat actor must already have compromised a target system in an environment before they can conduct a Pass-the-Hash attack.
  • Pass-the-Hash (PtH) attacks can take place on local systems or in transit via man-in-the-middle attacks.
  • Eliminating the use of NTLM and implementing user “least privilege” policies that restrict the use of “super admin” accounts are proven to reduce the risk of PtH attacks.
  • QOMPLX Identity Assurance detects Pass-the-Hash attacks by monitoring target domains for successful logins using NTLM authentication methods and logon types.

How Pass-the-Hash Works:

Pass-the-Hash attacks are an example of “use of alternate authentication material” (MITRE ATT&CK T1550). In a Pass-the-Hash attack, an attacker has already gained access to a compromised system within an Active Directory environment. Adversaries capture stored password hashes using one of a variety of methods and tools. The captured hashes are then used to authenticate as that user, taking advantage of a weakness in the NTLM protocol. Once authenticated, PtH may be used to perform actions on local or remote systems.

QOMPLX Detection: Pass-the-Hash

QOMPLX’s Identity Assurance solution detects possible Pass-the-Hash attacks by monitoring logs within the target domain for successful logins that use NTLM authentication methods coupled with certain logon types. It then looks for suspicious activity in which the same credentials are used by multiple sources.
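As an added illustration of the detection logic described above (this is example code written for this post, not QOMPLX's own implementation), the following Python script runs over a handful of constructed Windows Security Event 4624 records. It keeps only successful NTLM logons with selected logon types, then flags any account whose NTLM logons arrive from two or more distinct sources inside a short time window. The page does not say which logon types Identity Assurance considers, so the set used here (3 = network, 9 = new credentials) and the ten-minute window are assumptions.

```python
"""
Added example, not QOMPLX code: a minimal Pass-the-Hash style detector over
constructed Windows Security Event ID 4624 (successful logon) records.

Detection idea taken from the post: successful NTLM logons, filtered by
logon type, where the same credentials are used from multiple sources.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: logon types worth correlating for NTLM credential re-use
# (3 = network logon, 9 = NewCredentials). Tune for your environment.
SUSPECT_LOGON_TYPES = {3, 9}
# Assumption: how close together the logons must be to count as one burst.
WINDOW = timedelta(minutes=10)

# Constructed sample events shaped like the main fields of Event ID 4624.
SAMPLE_EVENTS = [
    {"time": "2021-07-08T09:00:01", "EventID": 4624, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.5", "WorkstationName": "WS01"},
    {"time": "2021-07-08T09:01:10", "EventID": 4624, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.5", "WorkstationName": "WS01"},
    {"time": "2021-07-08T09:02:30", "EventID": 4624, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.17", "WorkstationName": "WS09"},
    {"time": "2021-07-08T09:03:45", "EventID": 4624, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.23", "WorkstationName": "WS14"},
    {"time": "2021-07-08T09:04:00", "EventID": 4624, "TargetUserName": "bob",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.8", "WorkstationName": "WS02"},
    # bob again hours later from a different host: normal-looking, outside the window
    {"time": "2021-07-08T13:00:00", "EventID": 4624, "TargetUserName": "bob",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.9", "WorkstationName": "WS03"},
]


def is_candidate(event):
    """True for a successful logon that used NTLM with a logon type of interest."""
    return (event["EventID"] == 4624
            and event["AuthenticationPackageName"].upper() == "NTLM"
            and event["LogonType"] in SUSPECT_LOGON_TYPES)


def find_shared_credential_use(events, window=WINDOW, min_sources=2):
    """Return {account: sorted list of (ip, workstation)} for every account whose
    candidate NTLM logons came from at least `min_sources` distinct sources
    within any `window`-long interval."""
    by_account = defaultdict(list)
    for e in events:
        if is_candidate(e):
            ts = datetime.fromisoformat(e["time"])
            account = f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'
            by_account[account].append((ts, e["IpAddress"], e["WorkstationName"]))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological
        # Slide a window forward from each logon and count distinct sources.
        for i, (t0, _, _) in enumerate(logons):
            sources = {(ip, ws) for t, ip, ws in logons[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                alerts[account] = sorted(sources)
                break
    return alerts


if __name__ == "__main__":
    for account, sources in find_shared_credential_use(SAMPLE_EVENTS).items():
        print(f"possible credential re-use: {account} from {len(sources)} sources: {sources}")
```

With the sample data only `CORP\svc_backup` is flagged: alice's logon is Kerberos and is excluded, and bob's two NTLM logons are hours apart. As the post notes, this kind of rule cannot perfectly separate PtH from legitimate NTLM use (service accounts and multi-host jobs look similar), so the output is a triage lead, not a verdict.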

Given their role in adversary lateral movement, Pass-the-Hash attacks should trigger an immediate response from your security operations center (SOC), computer incident response team (CIRT), or third-party service provider. Because the NTLM authentication protocol is inherently weak, we highly recommend enterprises discontinue the use of NTLM whenever feasible. As with other detections in the industry, this detection doesn’t perfectly correlate to PtH activity due to protocol limitations.

Among other things, organizations that detect a PtH attack need to determine how the attackers initially accessed the network, what accounts and IT assets they compromised, and what information the attackers accessed and exfiltrated.

Additional Reading:

QOMPLX Knowledge Series

QOMPLX Detections Reference
