Pass the Hash

How to detect and mitigate Pass the Hash

Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes of a user’s password – instead of the user’s plaintext password – to authenticate to a directory or resource.


STEALTHbits' Pass the Hash Solution

STEALTHbits’ products provide a multitude of ways to detect and mitigate the Pass the Hash attack.

Detect Pass the Hash Attack

Detection of pass the hash attacks is challenging. Because the attacker bypasses the password validation step of the authentication process by presenting a stolen NTLM hash, the network authentication that actually takes place is valid: it does not fail and produces no error for the domain controller or target system to report.

APPROACH #1

Honey Tokens

DESCRIPTION

Leverage Honey Tokens to inject fake credentials into LSASS memory on target machines and monitor for the usage of those credentials. If you see these credentials in use, it is conclusive that they were retrieved from memory on one of the honeypot machines and used for lateral movement.

PRODUCT: StealthDEFEND

APPROACH #2

Abnormal Behavior

DESCRIPTION

By baselining normal user behavior and looking for anomalous usage of accounts, it is possible to detect pass-the-hash and other lateral movement attacks. Typical behavior to look for includes:

  • Account being used from host(s) it has never authenticated from before
  • Account being used to access host(s) it has never before accessed
  • Accessing a large number of hosts across the network that contradicts normal access patterns

PRODUCT: StealthDEFEND
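As an added illustration of the three patterns listed above (not code from the original page or from StealthDEFEND), the following script builds a per-account baseline from a learning window of network logon events and then flags events in a detection window that use a new source host, reach a new target host, or fan out to several never-before-accessed hosts. The event records and host names are constructed sample data, shaped like the fields a SIEM would extract from Windows Event ID 4624 (logon type 3); the fan-out threshold of 3 is an assumption for the demo.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Each record is the subset of a
# Windows 4624 (logon type 3, network) event a SIEM would normally extract.
BASELINE_EVENTS = [  # learning window: what each account normally does
    {"account": "alice", "src": "WS01", "dst": "FS01"},
    {"account": "alice", "src": "WS01", "dst": "MAIL01"},
    {"account": "svc_backup", "src": "BK01", "dst": "FS01"},
    {"account": "svc_backup", "src": "BK01", "dst": "FS02"},
]
NEW_EVENTS = [  # detection window
    {"account": "alice", "src": "WS01", "dst": "FS01"},       # normal
    {"account": "alice", "src": "WS17", "dst": "FS01"},       # never seen from WS17
    {"account": "alice", "src": "WS17", "dst": "DC01"},       # new source and new target
    {"account": "svc_backup", "src": "BK01", "dst": "WS02"},  # service account reaching
    {"account": "svc_backup", "src": "BK01", "dst": "WS03"},  # workstations it has
    {"account": "svc_backup", "src": "BK01", "dst": "WS04"},  # never accessed before
]

def build_baseline(events):
    """Per account: the hosts it authenticates from and the hosts it reaches."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set()})
    for e in events:
        baseline[e["account"]]["src"].add(e["src"])
        baseline[e["account"]]["dst"].add(e["dst"])
    return baseline

def detect_anomalies(baseline, events, fanout_threshold=3):
    """Flag the three patterns. An account with no baseline has never been
    observed, so every source and target host counts as new for it."""
    findings = []
    new_targets = defaultdict(set)  # per account: unseen hosts reached this window
    for e in events:
        acct = e["account"]
        known = baseline.get(acct, {"src": set(), "dst": set()})
        reasons = []
        if e["src"] not in known["src"]:
            reasons.append("new_source_host")
        if e["dst"] not in known["dst"]:
            reasons.append("new_target_host")
            new_targets[acct].add(e["dst"])
            if len(new_targets[acct]) >= fanout_threshold:
                reasons.append("fanout")  # spreading across hosts it never used
        if reasons:
            findings.append((acct, e["src"], e["dst"], tuple(reasons)))
    return findings

def run():
    return detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS)

if __name__ == "__main__":
    for acct, src, dst, reasons in run():
        print(f"{acct}: {src} -> {dst}  [{', '.join(reasons)}]")
```

In production the baseline would be built from weeks of logon history rather than four records, and the fan-out threshold tuned per account type, since backup and scanning service accounts legitimately touch many hosts.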


Mitigate Pass the Hash Attack

There are several things that can be done to mitigate Pass-the-Hash. At a high level, you want to accomplish two things:

1. Prevent the password artifacts (e.g. NTLM hashes) of privileged accounts from being stored on unprivileged systems (e.g. a Domain Admin shouldn’t log onto a workstation)

2. Prevent users from holding administrative privileges on their workstations, since a compromised account with local administrative rights can be used to retrieve password artifacts from disk or memory

APPROACH #1

Reduce Administrator Rights

DESCRIPTION

One of the most impactful ways to reduce the risk of privileged access is to minimize the administrative rights on servers and desktops. Users should not log into their workstations with administrative rights.

  • Report on what users have administrative rights on workstations through direct and nested membership in the Administrators group
  • Perform regular reviews of Administrator group membership within the Access Information Center and remove unnecessary members
  • Report on administrator-equivalent rights on desktops and workstations granted through user rights such as Act as Part of the Operating System (SeTcbPrivilege)

PRODUCT: StealthAUDIT

APPROACH #2

PowerShell Monitoring

DESCRIPTION

PowerShell is a popular vehicle for performing credential extraction and pass-the-hash. Monitoring for suspicious PowerShell commands can detect pass-the-hash and the use of credential extraction tools such as Mimikatz.

PRODUCT: StealthAUDIT

APPROACH #3

Logon Rights

DESCRIPTION

As a best practice, you should restrict highly privileged accounts from logging onto lower privilege systems. For example, domain administrators should not log onto workstations, because their password artifacts will be left in memory and are exposed if that workstation is compromised. StealthAUDIT can help by reporting on the logon restrictions enforced through user rights assignments (e.g. Allow Log On Through Remote Desktop Services). StealthAUDIT can also be used to review logon policies that restrict local accounts, such as the built-in Administrator account, from being used for network access, which is a common Pass the Hash path.

PRODUCT: StealthAUDIT

APPROACH #4

LSA Protection

DESCRIPTION

StealthAUDIT can help ensure LSA Protection is enabled on all systems running Windows 8.1 / Server 2012 R2 or later. This makes it more difficult to extract credentials from LSASS.

PRODUCT: StealthAUDIT
