This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving the malicious campaigns that QOMPLX front line staff encounters in our work with customers.
Compromises of Active Directory are a common element of sophisticated cyber attacks, including those that involve the deployment of ransomware and data theft. OverPass the Hash is a common method of doing this: a slight evolution of “pass the hash” (PtH) attacks, which are a building block for many sophisticated attacks. In this QOMPLX Knowledge post, we review OverPass the Hash attacks and talk about how organizations can detect this common form of credential reuse attack within their environments.
- OverPass The Hash (OPtH) is a form of credential theft and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.
- OverPass The Hash attacks take advantage of a security limitation in the NTLM protocol that enables attackers to capture password hashes stored in memory and re-use them to access other network resources. In essence: attackers use stored password hashes in lieu of an alphanumeric password the hash was generated from.
- In OPtH attacks, attackers use a stolen hash (NTLM, AES, etc.) for a valid user or service account to authenticate to the Kerberos Domain Controller (KDC) on behalf of that compromised user and receive a valid Kerberos ticket that gives them access to a wide range of target devices or services within the compromised environment.
- QOMPLX’s Identity Assurance product can monitor for OverPass the Hash attacks and detect successful logins associated with OverPass the Hash attacks launched using Mimikatz, a common tool used for privilege escalation and attacks on Active Directory and Kerberos.
How OverPass the Hash Attacks Work
As its name suggests, OverPass the Hash attacks are a modification and extension of Pass the Hash (PtH) attacks. Both exploit weaknesses in the NTLM (NT LAN Manager) protocol, a core networking component of older Windows systems and environments that has been a known security risk for decades.
OverPass the Hash (OPtH) is a post-exploitation attack. A threat actor must already have compromised a target system in an environment. That initial system compromise may follow a phishing email campaign that harvested sensitive credentials or exploitation of a vulnerable public-facing IT asset.
In order to launch an OverPass the Hash (OPtH) attack, adversaries must first have obtained a valid NTLM or AES hash from LSASS memory on a compromised client system or the domain controller. Whereas that hash is used to authenticate directly in Pass the Hash attacks, in OverPass the Hash attacks it is used to submit a signed request to the Kerberos Domain Controller (KDC) for a full Kerberos TGT (Ticket Granting Ticket) or service ticket on behalf of that compromised user. That ticket can provide access to a wide range of services and assets.
QOMPLX detects OverPass the Hash attacks by monitoring for successful logons to network resources with Windows logon type 9 (NewCredentials). Logon type 9 is a common byproduct of sekurlsa::pth, part of the omnibus sekurlsa module of the Mimikatz application that is used to extract passwords, keys, PIN codes and tickets from the LSASS memory of compromised devices.
Beyond that, User and Entity Behavior Analytics (UEBA) tools running on networked endpoints can spot suspicious or malicious activity associated with OverPass the Hash attacks, including the installation or use of tools like Mimikatz, Empire and Night Dragon, or suspicious processes touching LSASS.
Broadly, organizations concerned about OPtH should be on the lookout for the Pass the Hash attacks that precede them. Unauthorized access or unusual remote logins that correlate with suspicious network activity, such as the execution of suspicious, malicious or unknown binaries, may point to compromised credentials. MITRE notes that NTLM LogonType 3 authentications that are not anonymous and are not associated with a domain login are often indicative of credential theft.
Regardless, an OverPass the Hash (OPtH) attack is a serious breach of security. If one is detected or even suspected, it should trigger an immediate response from your security operations center (SOC), computer incident response team (CIRT), or third-party service provider.