Pass the Hash

How to detect and mitigate Pass the Hash

Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes of a user’s password – instead of the user’s plaintext password – to authenticate to a directory or resource.


    Stealthbits’ Pass the Hash Solution

    Stealthbits’ products provide a multitude of ways to detect and mitigate the Pass the Hash attack.

    Detect Pass the Hash Attack

    Detection of pass-the-hash attacks is challenging: although the attacker bypasses the password validation step of the authentication process by using stolen NTLM hashes, the network authentication that results is a valid one, so there is no failed logon to alert on.

    APPROACH #1

    Honey Tokens

    DESCRIPTION

    Leverage Honey Tokens to inject fake credentials into LSASS memory on target machines and monitor for the usage of those credentials. If you see these credentials in use, it is conclusive that they were retrieved from memory on one of the honeypot machines and used for lateral movement.

    PRODUCT: StealthDEFEND

    APPROACH #2

    Abnormal Behavior

    DESCRIPTION

    By baselining normal user behavior and looking for anomalous usage of accounts, it is possible to detect pass-the-hash and other lateral movement attacks. Typical behavior to look for includes:

    • Account being used from host(s) it has never authenticated from before
    • Account being used to access host(s) it has never before accessed
    • Accessing a large number of hosts across the network that contradicts normal access patterns

    PRODUCT: StealthDEFEND
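The baseline-and-deviate logic described above, as an added example (not Stealthbits code): it learns each account's usual source hosts and target hosts from a history window, then flags the three behaviors listed, and additionally flags NTLM authentication by an account whose baseline is Kerberos-only, a supporting signal the page does not list. Events are constructed and shaped like the relevant fields of Windows Security event 4624.

```python
from collections import defaultdict

# Constructed sample events shaped like the fields of Windows Security event 4624
# (LogonType 3, network logon): TargetUserName, WorkstationName, Computer and
# AuthenticationPackageName. Account and host names are made up for this example.
HISTORY = [  # learning window: what "normal" looks like for each account
    {"user": "jdoe", "src": "WS-JDOE", "dst": "FS01", "pkg": "Kerberos"},
    {"user": "jdoe", "src": "WS-JDOE", "dst": "MAIL01", "pkg": "Kerberos"},
    {"user": "da-admin", "src": "PAW01", "dst": "DC01", "pkg": "Kerberos"},
]
WINDOW = [  # events under evaluation
    {"user": "jdoe", "src": "WS-JDOE", "dst": "FS01", "pkg": "Kerberos"},
    {"user": "da-admin", "src": "WS-JDOE", "dst": "DC01", "pkg": "NTLM"},
    {"user": "da-admin", "src": "WS-JDOE", "dst": "FS01", "pkg": "NTLM"},
    {"user": "da-admin", "src": "WS-JDOE", "dst": "HR-PC07", "pkg": "NTLM"},
]


def build_baseline(events):
    """Per account: source hosts it logs on from, hosts it accesses, auth packages used."""
    srcs, dsts, pkgs = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        srcs[e["user"]].add(e["src"])
        dsts[e["user"]].add(e["dst"])
        pkgs[e["user"]].add(e["pkg"])
    return srcs, dsts, pkgs


def detect(history, window, fanout_threshold=3):
    """Return {account: sorted reasons} for accounts whose window activity deviates."""
    srcs, dsts, pkgs = build_baseline(history)
    reasons, targets = defaultdict(set), defaultdict(set)
    for e in window:
        u = e["user"]
        targets[u].add(e["dst"])
        if e["src"] not in srcs[u]:          # never authenticated from this host before
            reasons[u].add(f"new source host {e['src']}")
        if e["dst"] not in dsts[u]:          # never accessed this host before
            reasons[u].add(f"new target host {e['dst']}")
        if e["pkg"] == "NTLM" and "NTLM" not in pkgs[u]:  # NTLM from a Kerberos-only account
            reasons[u].add("NTLM auth outside baseline")
    for u, hosts in targets.items():         # unusual number of distinct hosts touched
        if len(hosts) >= fanout_threshold:
            reasons[u].add(f"fan-out: {len(hosts)} hosts in window")
    return {u: sorted(r) for u, r in reasons.items()}


if __name__ == "__main__":
    for account, why in detect(HISTORY, WINDOW).items():
        print(account, "->", "; ".join(why))
```

In production the history window would be built from a SIEM query over weeks of 4624 events rather than a literal list, and the fan-out threshold tuned per account tier.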

    Mitigate Pass the Hash Attack

    There are several things that can be done to mitigate against Pass-the-Hash. At a high level, you want to accomplish two things:

    1. Prevent the password artifacts (e.g. NTLM hashes) of privileged accounts from being stored on unprivileged systems (e.g. a Domain Admin shouldn’t log onto a workstation)
    2. Restrict users from obtaining administrative privileges on their workstations where, if compromised, their accounts can be used to retrieve password artifacts from disk/memory

    APPROACH #1

    Reduce Administrator Rights

    DESCRIPTION

    One of the most impactful ways to reduce the risk of privileged access is to minimize the administrative rights on servers and desktops. Users should not log into their workstations with administrative rights.

    • Report on what users have administrative rights on workstations through direct and nested membership in the Administrators group
    • Perform regular reviews of Administrator group membership within the Access Information Center and remove unnecessary members
    • Report on administrator-equivalent rights on desktops and workstations granted through user rights such as Act as Part of the Operating System (SeTcbPrivilege)

    PRODUCT: StealthAUDIT

    APPROACH #2

    PowerShell Monitoring

    DESCRIPTION

    PowerShell is a popular vehicle for performing credential extraction and pass-the-hash. Monitoring for suspicious PowerShell commands can detect pass-the-hash and the use of credential extraction tools such as Mimikatz.

    PRODUCT: StealthAUDIT

    APPROACH #3

    Logon Rights

    DESCRIPTION

    As a best practice, you should restrict highly privileged accounts from logging onto lower privilege systems. For example, domain administrators should not log onto workstations, because their password artifacts will be left in memory and can be exposed if that workstation is compromised. StealthAUDIT can help by reporting on the logon restrictions enforced through user rights assignments (e.g. Allow Log On Through Remote Desktop Services).
    StealthAUDIT can also be used to review logon policies that restrict local accounts, such as the built-in Administrator account, from being used for network access, which is a common path for Pass the Hash.

    PRODUCT: StealthAUDIT

    APPROACH #4

    LSA Protection

    DESCRIPTION

    StealthAUDIT can help ensure LSA Protection is enabled on all systems running Windows 8.1 / Server 2012 R2 and higher. This makes it more difficult to extract credentials from LSASS.

    PRODUCT: StealthAUDIT


    © 2022 Stealthbits Technologies, Inc.