How to detect and mitigate Pass the Hash
Pass the Hash is a technique that enables an attacker (typically using a tool such as Mimikatz) to authenticate to a directory or resource with the LanMan (LM) or NTLM hash of a user's password instead of the plaintext password. NTLM challenge-response proves possession of the hash, not of the password, so once the hash has been stolen (most commonly from LSASS memory on a compromised host) it is all the attacker needs.
Stealthbits’ products provide a multitude of ways to detect and mitigate the Pass the Hash attack.
Detection of Pass the Hash attacks is challenging. The attacker never goes through the password validation step of the authentication process; the NTLM challenge-response only requires the stolen hash, so the network authentication that results is valid and is logged like any other NTLM logon (for example, a Security event 4624 with logon type 3 and authentication package NTLM). Nothing in the event itself marks it as malicious, which is why detection has to rely on decoys and on behavior rather than on a single signature.
APPROACH #1
Honey Tokens
DESCRIPTION
Leverage Honey Tokens to inject fake credentials into LSASS memory on honeypot machines and monitor for any use of those credentials. Because the honey credentials are never used legitimately, any authentication attempt with them is conclusive evidence that they were retrieved from memory on one of the honeypot machines and used for lateral movement.
PRODUCT: StealthDEFEND
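The detection side of this approach, as an added example (not Stealthbits code and not part of the original page): a PowerShell script that scans the Security log on a domain controller or target host for any authentication event naming the honey account. The account name CORP\svc_honeytoken, the host names and the planting command are assumptions for a hypothetical environment.

```powershell
# Added example (not Stealthbits code). Detects any use of a honey-token account
# by scanning the Security log on a domain controller or on target hosts.
# Assumptions (adjust for your environment): the honey account is CORP\svc_honeytoken,
# planted in LSASS on the honeypot host with a "new credentials" logon, e.g.
#     runas /netonly /user:CORP\svc_honeytoken cmd.exe
# which caches the credential in LSASS without validating it against the domain.
# The script needs read access to the Security log (administrator or Event Log Readers).

$HoneyAccount  = 'svc_honeytoken'   # assumed name; never used for real work
$LookbackHours = 24

# Events that record an authentication attempt for an account.
# On the DC, pass-the-hash with a domain account shows up as 4776 (NTLM validation);
# on the target host it shows up as 4624/4625 with logon type 3 and package NTLM.
$EventIds = @(4624, 4625, 4768, 4776)

$filter = @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

function Get-HoneyTokenHits {
    param([hashtable]$Filter, [string]$Account)

    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields by name; the property layout differs per event ID.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -eq $Account) {
            # 4624/4625 carry WorkstationName, 4776 carries Workstation, 4768 only IpAddress.
            $source = $data['WorkstationName']
            if (-not $source) { $source = $data['Workstation'] }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Account     = $data['TargetUserName']
                SourceHost  = $source
                SourceIp    = $data['IpAddress']
                LogonType   = $data['LogonType']
                AuthPackage = $data['AuthenticationPackageName']
                Status      = $data['Status']
            }
        }
    }
}

$hits = @(Get-HoneyTokenHits -Filter $filter -Account $HoneyAccount)

if ($hits.Count -eq 0) {
    Write-Output "No use of honey account '$HoneyAccount' in the last $LookbackHours hours."
} else {
    # Any hit is actionable: the credential only exists in LSASS on the honeypot host,
    # so it was dumped from memory and replayed. SourceHost/SourceIp is the attacker's foothold.
    Write-Warning "Honey account '$HoneyAccount' was used $($hits.Count) time(s) - credential theft from the honeypot is confirmed."
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

Run the scan on the domain controllers (for 4776/4768) and on the hosts the honeypot can reach (for 4624/4625); a hit from any source other than the honeypot itself also tells you where the attacker moved to. Keep the honey account a real, enabled but unprivileged AD account so that an attempt produces a normal-looking event rather than an "unknown user" failure that an attacker might notice.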
APPROACH #2
Abnormal Behavior
DESCRIPTION
By baselining normal user behavior and looking for anomalous usage of accounts it is possible to detect pass-the-hash and other lateral movement attacks. Typical behavior to look for includes:
PRODUCT: StealthDEFEND
There are several things that can be done to mitigate against Pass-the-Hash. At a high level, you want to accomplish two things:
APPROACH #1
Reduce Administrator Rights
DESCRIPTION
One of the most impactful ways to reduce the risk of privileged credential theft is to minimize administrative rights on servers and desktops. Reading credentials out of LSASS memory requires administrative rights on the host, so every account that holds local administrator rights is a potential source of hashes, and every host where an administrative account logs on is a place where those hashes can be harvested. Users should not log into their workstations with administrative rights.
PRODUCT: StealthAUDIT
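A practical check for this approach, as an added example (not Stealthbits code and not part of the original page): list the members of the local Administrators group that are not on an approved list and flag individual domain user accounts, which is exactly the condition the text warns about. The approved group names are assumptions for a hypothetical domain.

```powershell
# Added example (not Stealthbits code). Reports members of the local Administrators
# group that are not on an approved list, highlighting individual domain user accounts.
# Run it on each host, or push it with Invoke-Command. The approved-group names are
# assumptions for a hypothetical domain.

$ApprovedAdmins = @(
    "$env:USERDOMAIN\Domain Admins",        # assumed
    "$env:USERDOMAIN\Workstation Admins"    # assumed tiered admin group
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Approved)

    # Get-LocalGroupMember is in the Microsoft.PowerShell.LocalAccounts module
    # (Windows 10 / Server 2016 and later).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue

    foreach ($m in $members) {
        $sid = $m.SID.ToString()
        # The built-in local Administrator always has RID 500; it is expected to be present
        # (but should be disabled or have a unique, LAPS-managed password).
        $isBuiltInAdmin = $sid -like '*-500'
        if ($isBuiltInAdmin -or ($Approved -contains $m.Name)) { continue }

        $risk = 'Review'
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            # A domain user with local admin rights can dump LSASS on this host, and
            # its own hash becomes valid on every other host where it is an admin.
            $risk = 'High: domain user account holds local admin rights'
        } elseif ($m.ObjectClass -eq 'User') {
            $risk = 'Medium: extra local admin account (shared-password risk)'
        }

        [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Member = $m.Name
            Type   = $m.ObjectClass
            Source = $m.PrincipalSource
            SID    = $sid
            Risk   = $risk
        }
    }
}

Get-UnexpectedLocalAdmins -Approved $ApprovedAdmins | Format-Table -AutoSize
```

Note that on some Windows builds Get-LocalGroupMember throws when the group contains an orphaned SID (a deleted domain account); if the report comes back empty on a host where you expect members, inspect the group with `net localgroup Administrators` and clean up the orphaned entries, which are themselves a sign of poor admin-rights hygiene.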
APPROACH #2
PowerShell Monitoring
DESCRIPTION
PowerShell is a popular vehicle for credential extraction and pass-the-hash, for example through in-memory loaders that run Mimikatz without touching disk. Monitoring for suspicious PowerShell commands can detect pass-the-hash and the use of credential extraction tools such as Mimikatz.
PRODUCT: StealthAUDIT
APPROACH #3
Logon Rights
DESCRIPTION
As a best practice, you should restrict highly privileged accounts from logging onto lower privilege systems. For example, domain administrators should not log onto workstations, because their password artifacts (NTLM hashes and, depending on configuration, other secrets) are left in LSASS memory and can be harvested if that workstation is compromised. StealthAUDIT can help by reporting on the logon restrictions enforced through user rights assignments (e.g. Allow Log On Through Remote Desktop Services and the corresponding Deny rights).
StealthAUDIT can also be used to review logon policies that restrict local accounts, such as the built-in Administrator account, from being used for network access. Reusing one local administrator hash across many machines that share the same local password is a common Pass the Hash pattern; applying the "Deny access to this computer from the network" right to the well-known "Local account and member of Administrators group" SID (S-1-5-114) closes it off, and the UAC remote token filter (LocalAccountTokenFilterPolicy) should remain at its default so that other local administrator accounts do not receive full administrative tokens over the network.
PRODUCT: StealthAUDIT
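The user-rights review that both paragraphs above describe, as an added example (not Stealthbits code and not part of the original page): export the effective user rights assignment with secedit, parse the Deny logon rights, and check that Domain Admins and local Administrators members are denied the logon types a hardened workstation should refuse, then read the UAC token filter. The expected-principal list is an assumption; tune it per tier, and never apply the Domain Admins denies to domain controllers.

```powershell
# Added example (not Stealthbits code). Exports the effective user rights assignment
# with secedit and checks the logon restrictions a hardened workstation should have:
# domain administrators denied all logon types, and local Administrators members
# denied network logon via the well-known SID S-1-5-114. Also reads the UAC token
# filter, which governs remote use of local administrator accounts.
# Requires administrative rights and a domain-joined host. The expected-principal
# list is an assumption; never apply the Domain Admins denies to domain controllers.

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-PrivilegeRights {
    param([string]$InfPath)
    # The [Privilege Rights] section holds lines such as
    #   SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-21-<domain>-512
    $rights    = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    $rights
}

function Test-LogonRestrictions {
    param([hashtable]$Rights)

    # Resolve the domain's Domain Admins SID (RID 512) via the local security subsystem.
    $account      = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\Domain Admins"
    $domainAdmins = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $expected = @(
        @{ Right = 'SeDenyNetworkLogonRight';           Sid = 'S-1-5-114';   Name = 'Local account and member of Administrators group' }
        @{ Right = 'SeDenyNetworkLogonRight';           Sid = $domainAdmins; Name = 'Domain Admins' }
        @{ Right = 'SeDenyInteractiveLogonRight';       Sid = $domainAdmins; Name = 'Domain Admins' }
        @{ Right = 'SeDenyRemoteInteractiveLogonRight'; Sid = $domainAdmins; Name = 'Domain Admins' }
        @{ Right = 'SeDenyBatchLogonRight';             Sid = $domainAdmins; Name = 'Domain Admins' }
        @{ Right = 'SeDenyServiceLogonRight';           Sid = $domainAdmins; Name = 'Domain Admins' }
    )
    foreach ($e in $expected) {
        # A right that is not assigned at all is absent from the hashtable ($null -contains x is $false).
        [pscustomobject]@{
            Right     = $e.Right
            Principal = $e.Name
            Enforced  = [bool]($Rights[$e.Right] -contains $e.Sid)
        }
    }
}

Test-LogonRestrictions -Rights (Get-PrivilegeRights -InfPath $cfg) | Format-Table -AutoSize

# LocalAccountTokenFilterPolicy = 1 gives local accounts full administrative tokens over
# the network, undoing the default UAC remote restriction that otherwise blocks
# pass-the-hash with non-built-in local admin accounts.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
if ($uac -and $uac.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: local admin accounts get full tokens over the network (remove unless required).'
} else {
    Write-Output 'UAC remote restrictions for local accounts are in effect (LocalAccountTokenFilterPolicy not set to 1).'
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

The S-1-5-113 (Local account) and S-1-5-114 SIDs exist on Windows 8.1 / Server 2012 R2 and later, and on older systems only after the KB2871997 update, so an older host where S-1-5-114 cannot be assigned needs the deny applied to the individual local accounts instead.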
APPROACH #4
LSA Protection
DESCRIPTION
StealthAUDIT can help ensure LSA Protection (the RunAsPPL setting, which runs LSASS as a protected process) is enabled on all systems running Windows 8.1 / Server 2012 R2 and higher. This makes it more difficult to extract credentials from LSASS, because user-mode tools, even with administrative rights, can no longer open the process for reading.
PRODUCT: StealthAUDIT
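How to verify and roll out the setting on a host, as an added example (not Stealthbits code and not part of the original page): read the RunAsPPL value, confirm from the boot-time System event that LSASS really started protected, run the audit mode first to find LSA plugins that would break, and then enable the protection. The registry paths and event IDs are the ones Microsoft documents for this feature; the function names are this example's own.

```powershell
# Added example (not Stealthbits code). Checks whether LSA Protection is configured
# (RunAsPPL) and whether LSASS actually started as a protected process, shows how to
# run the audit mode first, and enables the setting. Requires administrative rights;
# the change takes effect after a reboot. Windows 8.1 / Server 2012 R2 and later only.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$auditKey = "$lsaKey\LSASS.exe"

function Get-LsaProtectionState {
    $runAsPpl   = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
    $configured = if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl }

    # At boot, Wininit logs System event 12 ("LSASS.exe was started as a protected
    # process with level: 4") when the protection is actually in force. Checking the
    # event rather than only the registry catches hosts that were configured but not rebooted.
    $lastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $bootEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $lastBoot
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        RunAsPPL              = $configured
        LsassRunningProtected = [bool]$bootEvent
        LastBoot              = $lastBoot
    }
}

function Enable-LsaProtectionAudit {
    # Audit mode: Code Integrity logs events 3065/3066 for LSA plugins and drivers that
    # would be blocked once protection is enforced. Run this on a sample of hosts first.
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name 'AuditLevel' -Value 8 -Type DWord
}

function Get-LsaProtectionAuditFindings {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Enable-LsaProtection {
    # RunAsPPL = 1 enables protection (and, on UEFI systems, persists it in a UEFI
    # variable so it cannot be undone from the registry alone); the value 2, on builds
    # that support it, enables protection without the UEFI lock.
    Set-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -Value 1 -Type DWord
    Write-Output 'RunAsPPL set to 1; reboot required for LSASS to start as a protected process.'
}

Get-LsaProtectionState | Format-List
```

Treat a host as protected only when LsassRunningProtected is true, not when RunAsPPL alone is set. LSA Protection stops user-mode readers; an attacker who can load a kernel driver (Mimikatz ships one for exactly this) can still strip the protection, so it is a bar-raiser to pair with the other approaches on this page rather than a complete fix.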
© 2022 Stealthbits Technologies, Inc.