Skip to navigation Skip to main content Skip to footer

Defending Your Directory: An Expert Guide to Mitigating Pass-the-Hash Attacks in Active Directory

By Rafael Alfaro March, Rodrigo Munoz

In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.

Last time we stepped into the shadowy realm of LDAP-based attacks. In our latest instalment, we're cracking open the enigma of Pass-the-Hash attacks - where the currency of your network's trust becomes a counterfeiter's dream.

Definition:

This attack involves a threat actor stealing a hashed version of a user’s password and using it to authenticate as that user on the same network. Unlike other credential theft attacks, pass-the-hash does not require the actual password, bypassing the need for hash cracking. Instead, the stolen hash is directly used to establish a new authenticated session.

How the attack works:

Pass-the-hash attacks abuse a fundamental flaw in the way Windows authentication works. When a user logs in, their password is hashed. This means that a one-way mathematical function turns a user’s password into a string of text that cannot be reversed or decoded. The hash is stored in a secure location and is therefore used to verify subsequent login attempts.

The attack requires to follow these steps:

  1. Password Hash Acquisition: The threat actor obtains hashes, which can be done through several methods, such as:
    1. Dumping the Security Account Manager (SAM) database: This database stores hashed passwords for local users on a Windows system.
    2. Using Malware: Certain malware can steal hashed credentials from a compromised system.
    3. Exploiting vulnerabilities in services: Some services may expose hashed credentials.
  2. Hash Re-use: The attacker takes the stolen hash and uses it to impersonate the user. They create a new authentication token using the hash, which the system will accept after a verification against the stored hash, granting access to the system as the compromised user.

Why this attack is so dangerous:

This attack has three main components that represent a concern:

  1. Persistence: Even if the original password is changed, the stolen hash remains valid until it is removed from the system.
  2. Lateral movement: Once an attacker has compromised one account, they can use the stolen hash to re-use this credential to move laterally within a network, gaining access to other systems.
  3. Privilege escalation: The attacker can gain administrative access to the network if the compromised user has elevated privileges.

Detecting Pass-the-Hash attacks:

After a Pass-the-Hash attack has been executed, several Windows Security events can help identify the activity. Here are some key events to look for:

  1. Event ID 4624: This event indicates a successful logon. For pass-the-hash attacks, look for Logon Type 3 (network logon) with the Authentication Package set to NTLM.
  2. Event ID 4648: This event shows a successful logon attempt using explicit credentials. It can help identify when an attacker uses a hash instead of a password.
  3. Event ID 4672: This event logs special privileges assigned to a new logon, often seen when administrative accounts are used. Event ID
  4. 4768 and 4769: These events are related to Kerberos authentication tickets. While not directly tied to pass-the-hash, they can provide context for legitimate logons.

Detecting suspicious activities involves identifying behaviors that deviate from established patterns. By establishing a baseline of normal user behavior, security teams can more effectively highlight anomalous activities that may indicate malicious intent, such as pass-the-hash or other lateral movement attacks.

The following situations should raise red flags and trigger further investigation:

  1. Excessive host access: An account logging into a significantly larger number of hosts than usual may indicate unauthorized access or credential compromise. I.e. if a user typically accesses only a few servers but suddenly starts logging into dozens, it could be a sign of a malicious actor using stolen credentials.
  2. Unusual host access: An account accessing a host that it has never interacted with before could be a sign of unauthorised access or lateral movement. This might occur if an attacker compromises one system and then uses the stolen credentials to gain access to other systems on the network.
  3. Unexpected location access: An account being used from a location or device that it has never authenticated from before could indicate a potential compromise. For instance, if a user’s account is suddenly being used from a foreign country or an unusual device, it may be a sign of unauthorized access.
  4. NTLM authentication not preceded by a password authentication: Legitimate connections typically have an interactive logon before an NTLM connection, except the Service Accounts. If we find connections against hosts that are directly using NTLM (hashes authentications) this could indicate a pass-the-hash attack with stolen credentials.

We can analyze the Security Logs for pass-the-hash attacks, focusing on Event ID 4624 entries where the Logon Type 3 and Authentication Package is NTLM. While this activity might be legitimate in some cases, it’s essential to detect suspicious logons.

Identifying Suspicious Logons:

  1. Missing password logon: Search for Event ID 4624 where an NTLM authentication occurs without a preceding Event ID 4624 entry indicating a password-based logon using the same account. This suggests that the NTLM authentication might have been performed using stolen credentials.
  2. Correlating events: Use the Logon ID hexadecimal value, found in Event IDs 4624 and 4648, to correlate events associated with the same login session. This will provide a complete picture of the user’s activities, including interactive logons, service starts, and privilege changes.

Prioritizing High-Risk Connections:

  1. Privileged Accounts: Focus on NTLM connections involving privileged accounts, as compromising these accounts can have severe consequences.
  2. Unusual patterns: Look for unusual patterns, such as frequent NTLM connections from unexpected locations or devices.

This attack is mapped as T1003.002 on Mitre ATT&CK. Credential Access (T1003) OS Credential Dumping: Security Account Manager (002) https://attack.mitre.org/techniques/T1003/002/.

Event 4648 example:

Event 4672 example:

Preventing Pass-the-Hash attacks:

It is recommended to adopt a defense in depth approach to cope with the requirements of this attack:

  1. Regularly Update and Patch Systems: Ensure all systems and software are up to date with the latest security patches to mitigate vulnerabilities.
  2. Limit Administrative Privileges: Restrict the number of users with administrative privileges and use separate accounts for administrative tasks.
  3. Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring additional verification beyond just the password.
  4. Monitor: Use security information and event management (SIEM) tools to monitor and log user activities for suspicious behavior.
  5. Network Segmentation: Divide the network into segments to limit lateral movement by attackers.
  6. Disable NTLM Authentication: Use more secure protocols like Kerberos, which uses tickets for authentication instead of hashes.
  7. Educate Users: Train employees on recognizing phishing attempts and other social engineering tactics that could lead to credential theft.

Conclusion:

Pass-the-hash attacks are executed by threat actors to leverage their access after gaining an initial foothold in a network. This technique is typically used for lateral movement within systems, allowing attackers to steal information from targeted systems.

To mitigate these attacks, it is crucial to adopt a defense-in-depth strategy. Preventing the initial foothold is paramount, but protecting credentials is also important. Additionally, minimizing privileges to the least necessary can reduce the impact of a compromise.

However, since preventive measures can sometimes fail, it is vital to enhance detection and response capabilities to swiftly address such incidents.

Learn more about the following services to help you proactively prepare against Active Directory attacks:

Signup to our free Threat Intelligence for regular updates on the latest threat actors or contact NCC Group if you have any further queries.