This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
Before cyber adversaries can compromise an IT environment, they need to gain a foothold on it. That means gaining control over an active account - often a low-privilege user. “Pass-the-Hash” attacks are a credential theft and re-use attack that is one of the most common methods of lateral movement within compromised IT environments. Adversaries exploit a known weakness in the NTLM protocol that enables attackers to capture password hashes stored in memory and re-use them to access other network resources, setting up Pass-the-Ticket and eventually Golden and Silver Ticket attacks that can give an attacker control over an entire network domain.
- Pass-the-Hash (PtH) is a common post-exploitation attack. A threat actor must already have compromised a target system in an environment before they can conduct a Pass-the-Hash attack.
- Pass-the-Hash (PtH) attacks can take place on local systems or in transit via man-in-the-middle attacks.
- Eliminating the use of NTLM and implementing user “least privilege” policies that restrict the use of “super admin” accounts are proven to reduce the risk of PtH attacks.
- QOMPLX Identity Assurance detects Pass-the-Hash attacks by monitoring target domains for successful logins using NTLM authentication methods and logon types.
How Pass-the-Hash Works:
Pass-the-Hash attacks are an example of a “use of alternate authentication material” (T1550). In a Pass-the-Hash attack, an attacker gains access to a compromised system within an Active Directory environment. Adversaries capture stored password hashes using one of a variety of methods and tools. The captured hashes are then used to authenticate as that user, taking advantage of a loophole in the NTLM protocol. Once authenticated, PtH may be used to perform actions on local or remote systems.
QOMPLX Detection: Pass-the-Hash
QOMPLX’s Identity Assurance solution detects possible Pass-the-Hash attacks by monitoring logs for successful logins that use the NTLM authentication methods coupled with certain logon types within the target domain to identify suspicious activity where the same credentials may be used by multiple sources.
Given their role in adversary lateral movement, Pass-the-Hash attacks should trigger an immediate response from your security operations center (SOC), computer incident response team (CIRT), or third-party service provider. Given the inherent weakness of the NTLM authentication protocol, using it is inherently insecure so we highly recommend enterprises discontinue the use of NTLM whenever feasible. As with other detections in the industry, this detection doesn’t perfectly correlate to PtH activity due to protocol limitations.
Among other things, organizations who detect a PtH attack need to determine how the attackers initially accessed the network, what accounts and IT assets they compromised, as well as what information the attackers accessed and exfiltrated.