Many Active Directory attacks begin with a stolen password. However, a Pass the Hash attack takes a different approach. In this example of credential theft, threat actors instead steal a user’s password hash. The attack is difficult to detect and can lead to privilege escalation and serious damage to your organization.
Related reading: Best Practices for Active Directory Security
What is a Pass the Hash attack?
The Pass the Hash attack is prominent within Windows environments. The attack exploits the authentication mechanism of the Windows operating system.
Windows, in its attempt to avoid storing plaintext passwords, maintains NTLM hashes of user passwords. During the authentication process, Windows compares these hashes rather than comparing plaintext passwords. The Pass the Hash attack leverages this mechanism.
Instead of stealing and using plaintext passwords, adversaries focus on obtaining and using the hashes to authenticate themselves on various network resources. The Pass the Hash attack is stealthy—and highly efficient.
What is a password hash?
A password hash is the output of a one-way cryptographic process. The process runs a plaintext password through a mathematical function (a hash function) to produce a fixed-size string of bytes, called a hash value (or simply a hash). At authentication time, the hash of the password the user supplies is compared with the stored hash of the user’s password; if the two match, authentication is granted. Obtaining the original password from a hash is infeasible, so this is a good way to store passwords in a database (such as the Active Directory database NTDS.DIT). In NTLM, however, the hash itself is all that is needed to prove identity, which is exactly what makes it worth stealing.
How does a Pass the Hash attack work?
In a Pass the Hash attack, an attacker begins by gaining access to a user’s hash, often by dumping the contents of the system’s SAM database or from memory, using tools like Mimikatz. The attacker can then reuse the hash to authenticate to other services or machines in the network, bypassing the need for a password.
Here’s a step-by-step breakdown of the Pass the Hash attack process:
- Initial compromise. An attacker gains initial access to a system within your network. Various methods can be used, including phishing, exploiting vulnerabilities, or even physical access.
- Hash extraction. Once the attacker has a foothold, they use a tool like Mimikatz to extract hashes from the system. These hashes might reside in memory (RAM) or in the Security Account Manager (SAM) database, depending on whether the user is currently logged on and on the attacker’s access level.
- Passing the hash. With one or more hashes in possession, the attacker can now use a hash for authentication. The attacker uses a tool like PsExec (or even built-in Windows tools) to present the hash as proof of identity and to access remote systems. This is where the name Pass the Hash originates.
- Lateral movement. Using the obtained hash, the attacker attempts to move laterally within your network. The attacker uses the hash to access other systems in search of elevated privileges or valuable data. If users have excessive privileges or if the same credentials are used across multiple systems, lateral movement is much easier to achieve—and much more dangerous to your organization.
- Privilege escalation. Often, the attacker employs the Pass the Hash technique repeatedly. They hop from one machine to another until they locate an account with higher privileges, such as a domain administrator.
- Final objective. After achieving sufficient elevation of privilege and access, the attacker can act on their ultimate objective. Their target might be data theft, ransomware deployment, or maintaining a persistent presence for future exploitation.
The success of the Pass the Hash technique relies on several critical aspects:
- Windows’ inherent reliance on hash comparison for authentication
- Common misconfigurations
- Lax security practices, such as granting users local admin rights across multiple machines or reusing passwords across the enterprise
What risks are associated with a Pass the Hash attack?
This type of attack can threaten your organization in several ways:
- Credential reuse: If an attacker compromises the hash of an account that uses the same credentials across multiple services, the attacker can gain access to all those services.
- Lateral movement: Once inside your network, attackers can use Pass the Hash to move laterally across it, accessing different machines and escalating their privileges.
- Long-term access: With the hash, attackers can maintain persistent access to a compromised network, making detection and remediation challenging.
Windows-based networks are particularly vulnerable, especially networks that:
- Rely heavily on NTLM authentication
- Have flat networks without proper segmentation
- Lack strong password and security policies
- Do not regularly monitor or audit Active Directory
How can you detect a Pass the Hash attack?
Detecting a Pass the Hash attack involves identifying unusual behavior patterns or activities in the network. Monitor Active Directory for these types of activity:
- Anomalous login patterns. Look for abnormal login patterns such as logins at odd hours or from unusual locations. Also watch for rapid logins from one source to multiple systems.
- Unusual service creation. A Pass the Hash attack might involve creating services on remote systems using tools like PsExec. Therefore, tracking unexpected service creations can be a good indicator of this attack.
- Memory scraping. Tools like Mimikatz operate by scraping memory for hashes. Monitor for processes that read large sections of memory, especially from lsass.exe.
- Volume of authentication requests. A surge in authentication requests in a short span can indicate a Pass the Hash attempt, especially if many requests fail and then suddenly succeed.
Modern endpoint detection and response (EDR) solutions can also help to track behavioral patterns and flag suspicious activities often associated with Pass the Hash attack techniques.
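The four indicators above can be expressed as simple correlation rules. The Python below is an added example written for this article, not code from the original post or from any vendor. It runs over a constructed batch of event records that mirror the fields of Windows Security events 4624 (logon) and 4625 (failed logon), System event 7045 (service installed) and Sysmon event 10 (process access). The thresholds, the time windows and the allow-list of processes permitted to open lsass.exe are assumptions to be tuned to your environment, and every sample event is made up.

```python
"""Correlation rules for Pass the Hash indicators (added example).

Runs over constructed event records shaped like Windows Security 4624/4625,
System 7045 and Sysmon 10 events. Thresholds and allow-lists are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, eid, host, **fields):
    """Build a flattened event record; 'host' is the machine that logged it."""
    return {"t": t, "id": eid, "host": host, **fields}

NTLM = dict(LogonType=3, AuthenticationPackageName="NTLM", IpAddress="10.0.0.25",
            TargetUserName="svc_backup")

# Constructed sample batch (not real telemetry): WS-025 reads lsass memory, then
# its address fails five NTLM logons, succeeds, fans out to three servers and
# installs a service on the last one. The first two records are benign noise.
EVENTS = [
    ev("2024-01-10T02:00:00", 4624, "SRV-FILE01", TargetUserName="asmith", LogonType=3,
       AuthenticationPackageName="Kerberos", IpAddress="10.0.0.40"),
    ev("2024-01-10T02:01:00", 10, "WS-025", TargetImage=r"C:\Windows\System32\lsass.exe",
       SourceImage=r"C:\Program Files\Windows Defender\MsMpEng.exe", GrantedAccess="0x1fffff"),
    ev("2024-01-10T02:03:00", 10, "WS-025", TargetImage=r"C:\Windows\System32\lsass.exe",
       SourceImage=r"C:\Users\jdoe\Downloads\x.exe", GrantedAccess="0x1010"),
    *[ev(f"2024-01-10T02:04:{s:02d}", 4625, "SRV-FILE01", **NTLM) for s in range(0, 50, 10)],
    ev("2024-01-10T02:05:00", 4624, "SRV-FILE01", **NTLM),
    ev("2024-01-10T02:06:10", 4624, "SRV-FILE02", **NTLM),
    ev("2024-01-10T02:07:30", 4624, "SRV-APP01", **NTLM),
    ev("2024-01-10T02:07:45", 7045, "SRV-APP01", ServiceName="PSEXESVC",
       ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
]

# Processes expected to open lsass.exe; tune for your EDR/AV stack (assumption).
LSASS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

def when(e):
    return datetime.fromisoformat(e["t"])

def detect_lsass_access(events, allowlist=LSASS_ALLOWLIST):
    """Memory scraping: Sysmon 10 where an unexpected process opens lsass.exe."""
    return [e for e in events if e["id"] == 10
            and e["TargetImage"].lower().endswith("lsass.exe")
            and e["SourceImage"].lower() not in allowlist]

def detect_fan_out(events, min_hosts=3, window=timedelta(minutes=5)):
    """Anomalous login pattern: one source IP completes NTLM network logons
    (type 3) to at least min_hosts distinct machines inside the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM":
            by_src[e["IpAddress"]].append((when(e), e["host"]))
    hits = {}
    for src, logons in by_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits

def detect_service_after_logon(events, window=timedelta(seconds=60)):
    """Unusual service creation: System 7045 on a host shortly after a network
    logon to that same host (the PsExec pattern); returns (host, service, source)."""
    logons = [(when(e), e["host"], e["IpAddress"]) for e in events
              if e["id"] == 4624 and e["LogonType"] == 3]
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        for t, host, src in logons:
            if host == e["host"] and timedelta(0) <= when(e) - t <= window:
                hits.append((host, e["ServiceName"], src))
                break
    return hits

def detect_fail_then_succeed(events, min_failures=5, window=timedelta(minutes=2)):
    """Authentication volume: at least min_failures 4625 events from one source
    inside the window, followed by a 4624 success from the same source."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in (4624, 4625):
            by_src[e["IpAddress"]].append((when(e), e["id"]))
    hits = []
    for src, seq in sorted(by_src.items()):
        seq.sort()
        for i, (t, eid) in enumerate(seq):
            if eid == 4624 and sum(1 for t2, e2 in seq[:i]
                                   if e2 == 4625 and t - t2 <= window) >= min_failures:
                hits.append(src)
                break
    return hits

if __name__ == "__main__":
    print("lsass access:", [(e["host"], e["SourceImage"]) for e in detect_lsass_access(EVENTS)])
    print("fan-out:", detect_fan_out(EVENTS))
    print("service after logon:", detect_service_after_logon(EVENTS))
    print("fail-then-succeed:", detect_fail_then_succeed(EVENTS))
```

Each rule on its own produces noise (backup agents fan out, admins install services, security products open lsass.exe); the value comes from the same source address or host appearing in more than one rule inside a short window, as the constructed batch shows for 10.0.0.25.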
How can you defend against a Pass the Hash attack?
Mitigating a Pass the Hash attack depends on limiting the attacker’s ability to obtain and use hashes. Here are six steps to take.
- Use administrative tiering. Accounts that administer Tier 0 assets such as Active Directory itself should never be used to log in to Tier 1 (servers and applications) or Tier 2 (end user workstations) resources. Preventing such logons keeps Tier 0 credentials out of memory on less trusted machines, where attackers could harvest them.
- Isolate systems. Ensure that critical systems are on isolated networks. An attacker with a hash from a less critical system shouldn’t be able to access a more critical one.
- Implement Microsoft Local Administrator Password Solution (LAPS). LAPS ensures unique passwords for local admin accounts across the enterprise.
- Apply the principle of least privilege. Grant users only the permissions that are necessary for them to perform their daily tasks. For example, avoid making every user a local admin on their machine.
- Install Credential Guard. On Windows 10 and Windows Server 2016 and later systems, use Credential Guard to protect against a Pass the Hash attack by isolating and hardening the credential storage process.
- Restrict the use of legacy protocols. Disable older authentication protocols, which might be more susceptible to a Pass the Hash attack. For example, transition from NTLM to Kerberos authentication.
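Several of these six steps leave a footprint in the registry that can be audited. The Python below is an added example for this article (not code from the original post and not a Microsoft tool). It compares a constructed registry snapshot against a baseline for Credential Guard (LsaCfgFlags), LSA protection (RunAsPPL), the LAN Manager authentication level (LmCompatibilityLevel), outbound NTLM restriction (RestrictSendingNTLMTraffic) and WDigest credential caching (UseLogonCredential), and then reports accounts that hold local admin rights on more than one machine. The two host snapshots and the local Administrators listings are made up; the accepted values follow Microsoft's documented meaning of each setting, and the "default when absent" values are the assumptions stated in the comments.

```python
"""Hardening posture check for Pass the Hash defenses (added example).

Compares a host's registry settings against a baseline and reports local
admin sprawl. Inputs are constructed snapshots, not live registry reads.
"""
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"

# (value path, accepted values, assumed default when the value is absent, finding text)
BASELINE = [
    (LSA + r"\LsaCfgFlags", {1, 2}, 0,
     "Credential Guard is not enabled (1 = enabled with UEFI lock, 2 = enabled without lock)"),
    (LSA + r"\RunAsPPL", {1, 2}, 0,
     "LSA protection is off; ordinary admin processes can open lsass.exe memory"),
    (LSA + r"\LmCompatibilityLevel", {5}, 3,
     "LmCompatibilityLevel below 5; LM/NTLMv1 responses may still be sent or accepted"),
    (LSA + r"\MSV1_0\RestrictSendingNTLMTraffic", {1, 2}, 0,
     "Outgoing NTLM is neither audited (1) nor denied (2), so the Kerberos transition is unenforced"),
    (WDIGEST, {0}, 0,
     "WDigest caches logon credentials in LSASS (UseLogonCredential != 0)"),
]

# Constructed snapshots: a mostly default workstation and a hardened one.
WEAK_HOST = {
    LSA + r"\LsaCfgFlags": 0,
    # RunAsPPL deliberately absent: it does not exist until LSA protection is configured
    LSA + r"\LmCompatibilityLevel": 3,
    LSA + r"\MSV1_0\RestrictSendingNTLMTraffic": 0,
    WDIGEST: 1,
}
HARDENED_HOST = {
    LSA + r"\LsaCfgFlags": 1,
    LSA + r"\RunAsPPL": 1,
    LSA + r"\LmCompatibilityLevel": 5,
    LSA + r"\MSV1_0\RestrictSendingNTLMTraffic": 2,
    WDIGEST: 0,
}

def check_host(registry):
    """Return one finding per baseline setting that is missing or out of policy."""
    findings = []
    for path, accepted, default, text in BASELINE:
        present = path in registry
        value = registry.get(path, default)
        if value not in accepted:
            name = path.rsplit("\\", 1)[-1]
            state = f"= {value}" if present else f"not set (defaults to {default})"
            findings.append(f"{name} {state}: {text}")
    return findings

# Constructed local Administrators membership per host, as a GPO report or
# configuration-management tool might export it.
LOCAL_ADMINS = {
    "WS-001": ["BUILTIN\\Administrator", "CORP\\Domain Admins", "CORP\\helpdesk-ops", "CORP\\jdoe"],
    "WS-002": ["BUILTIN\\Administrator", "CORP\\Domain Admins", "CORP\\helpdesk-ops"],
    "SRV-FILE01": ["BUILTIN\\Administrator", "CORP\\Domain Admins", "CORP\\helpdesk-ops",
                   "CORP\\svc_backup"],
}

def find_admin_sprawl(local_admins, max_hosts=1, ignore=("BUILTIN\\Administrator",)):
    """Principals holding local admin on more than max_hosts machines.

    One stolen hash for such a principal opens every host in its list, which is
    the lateral-movement condition described above. The built-in Administrator
    is skipped on the assumption that LAPS already gives it a unique password
    per host; review the rest against your tiering model.
    """
    hosts_by_principal = {}
    for host, members in local_admins.items():
        for member in members:
            if member not in ignore:
                hosts_by_principal.setdefault(member, []).append(host)
    return {p: sorted(h) for p, h in hosts_by_principal.items() if len(h) > max_hosts}

if __name__ == "__main__":
    for name, reg in (("weak host", WEAK_HOST), ("hardened host", HARDENED_HOST)):
        print(name, "findings:", check_host(reg) or ["none"])
    print("admin sprawl:", find_admin_sprawl(LOCAL_ADMINS))
```

On the constructed data the weak host yields five findings and the hardened host none, while both CORP\Domain Admins and CORP\helpdesk-ops are flagged for holding local admin on all three machines; the first is the tiering violation described earlier, the second the shared-credential sprawl that makes lateral movement cheap.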
Another vital defense tactic: Maintain a strong Active Directory security posture. Here are 10 steps specifically for Active Directory administrators.
- Audit Active Directory regularly. Monitor Active Directory for signs of unusual or unauthorized activity. Regularly audit Active Directory for stale or unused accounts and remove or disable them.
- Implement multifactor authentication (MFA). MFA adds an extra layer of security, especially for privileged accounts. However, be sure you’re also monitoring for indicators of MFA fatigue attacks.
- Monitor for group membership changes. Track changes to sensitive Active Directory groups, like Domain Admins. Unexpected changes should be a red flag. Automation of auditing and remediation can help you stay ahead of sophisticated and stealthy attacks.
- Apply security baselines. Implement Microsoft security baselines for Active Directory and Group Policy.
- Keep your systems up to date. Ensure timely patching of systems and software.
- Segregate admin tasks. Use separate accounts for different administrative tasks and prevent overlap. For instance, have different accounts for Domain Admin tasks, workstation admin tasks, and so on.
- Avoid using shared accounts. Shared accounts make it difficult to track actions back to an individual. Each admin should have an individual account.
- Limit admin logon. In line with administrative tiering, restrict where and when administrative accounts can log on. For example, Domain Admin accounts should log on only to domain controllers.
- Take regular, AD-specific backups. Ensure regular backups of domain controllers and have a recovery plan in place. Keeping Active Directory backups separate from general system backups helps you avoid reintroducing malware during recovery.
- Educate and train staff and users. Continuously educate your IT team about the latest threats and how to recognize and respond to them. Educate users about the risks associated with attacks like Pass the Hash and your organization’s security policies and practices.
Defend against credential theft attacks
The Pass the Hash attack is a formidable challenge for many organizations. By exploiting the inherent ways that Windows handles authentication, attackers can bypass the need for plaintext passwords, gaining unauthorized access to multiple systems. By understanding the nuances of these attacks, security and IT professionals can fortify their defenses, making their networks more resilient in the face of evolving challenges.
Properly configured systems, user education, and vigilance in endpoint and Active Directory monitoring can help mitigate the risks associated with this attack. Begin by following best practices for Active Directory security.