This is the latest in a series of posts we are calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving the malicious campaigns that QOMPLX front line staff encounters in our work with customers.
Recently we described Kerberos Golden Ticket and Silver Ticket attacks: dangerous Kerberos ticket forgery attacks in which an adversary gains control over a local or domain administrator account in an Active Directory environment and abuses that access to forge a Kerberos Ticket Granting Service (TGS) ticket (aka “service ticket”) or, in Golden Ticket attacks, a Kerberos Ticket Granting Ticket (TGT), which gives the attacker access to any resource in an Active Directory domain.
One question that we often get asked in discussion of these attacks is how attackers obtain the administrative access (local or domain administrator) needed to generate a Silver or Golden Ticket forgery. The answer, often, is a common method known as a “Pass the Hash” attack: a credential theft and re-use attack that is one of the most common methods of lateral movement within compromised IT environments. Simply put: Pass the Hash attacks take advantage of a fundamental limitation of the NTLM protocol that allows attackers to capture password hashes stored in memory and re-use them to authenticate to other network resources. In essence, attackers use the stored hash in place of the alphanumeric password it was generated from.
NTLM has been a known security risk for decades; protocols like Kerberos were created precisely to provide more secure alternatives. In recent years, growing awareness of weaknesses in NTLM and maturing tooling have made it simple for even inexperienced attackers to carry out Pass the Hash attacks: expanding their access in a compromised environment from a local user account to local administrator on the compromised system, and then moving laterally to gain domain administrator and even super administrator access. In that way, Pass the Hash attacks facilitate more serious attacks such as Golden and Silver Ticket forgeries.
In this QOMPLX Knowledge post we’re going to dig deep on Pass The Hash (PtH) attacks and explain how they work, the conditions necessary for an attacker to use one to move within your environment and - importantly - how to respond to them when attempts occur.
Basic security hygiene is critical in preventing attackers from gaining a network foothold and initiating a Pass the Hash attack that facilitates privilege escalation and lateral movement. That means keeping Windows clients and servers on current, supported operating system versions and fully patched; most initial incursions exploit weaknesses for which patches are already available. Some other points to consider:
- Implementing user “least privilege” policies that restrict the use of “super admin” accounts, restrict local administrator accounts and deny ordinary users membership in the local administrators group on their machine is proven to reduce the risk of PtH attacks, as attackers must first obtain local administrator access to harvest password hashes from a compromised system.
- While deprecating NTLM within legacy IT environments is difficult, organizations should familiarize themselves with Microsoft’s recommendations for restricting NTLM use. They should also be taking proactive steps to gradually retire NTLM - since it is fundamentally flawed. Security teams should be proactively working with their IT counterparts on this modernization effort.
- Restrict the use of remote management tools and protocols (like remote desktop protocol - RDP) that leave administrative credentials in the remote computer’s memory.
- In the event of a Pass the Hash attack, parse and analyze combinations of Windows Event Logs, EDR logs, Kerberos logs and Active Directory information to understand which network resources a threat actor may have accessed, what credentials may have been compromised and what data may have been taken. Technology such as QOMPLX’s allows organizations to ingest, parse and analyze this data at scale.
Step 1: Prevention
Pass the Hash (PtH) attacks are post-exploitation attacks. A threat actor must already have compromised a target system in an environment before they can commence a PtH attack. That initial system compromise will likely follow a well established pattern, for example: a phishing email campaign, exploitation of a vulnerable public-facing IT asset, or a malware infection impacting one or more network endpoints.
While attempts at preventing exploitation of your network in the first place are laudable, they are also doomed to failure. You need to have a plan to detect post-exploitation activity when it inevitably occurs. To make that activity as difficult as possible, start with the basics, including promoting and enforcing basic security hygiene as a front-line defense. That includes:
- Identifying critical IT assets, data and accounts within your environment and applying extra protection and monitoring to those accounts and assets.
- Providing rigorous security awareness training that teaches employees safe internet habits, including how to spot phishing attacks, where to report them, the business consequences of clicking on random links in email, social media and messaging applications, the risks of removable media, and more.
- Enforcing the principle of least privilege for user accounts. Organizations should strictly limit the number of admin accounts and remove all regular users from local admin groups. Beyond that, policy should dictate that user and local accounts have access only to those resources required to carry out their job functions. That same principle should also apply to applications, limiting their access to resources as well.
- Prioritizing vulnerability and configuration management, and patching high-risk systems. Eliminating exploitable security holes is the best way to reduce the number of potential exposures that can be leveraged by an external threat actor or malicious insider.
- Updating systems using unsupported or older operating systems and using endpoint protection software to limit infection and other malicious activity on local systems. In particular, organizations using the Windows operating system should apply patch KB2871997 to Windows 7 and higher systems, which limits the default access of accounts in the local administrator group.
- Enforcing strong password and authentication policies, including the use of multi-factor authentication.
- Avoiding use of remote management tools and protocols (like remote desktop protocol - RDP) that leave administrative credentials in the remote computer’s memory.
Step 2: Detection
Pass the Hash (PtH) attacks can take place on local systems or in transit via man in the middle attacks. That makes them difficult to detect. Because NTLM fails to preserve entropy, PtH detections will also be noisier than many other detections.
Still, there are ways to improve monitoring for credential theft as a part of the broader strategy. First: deploying effective endpoint detection and response (EDR) software can help spot some local attacks at an early stage, though numerous tools and techniques make it possible for a skilled adversary to bypass even leading EDR solutions.
Traditional security technologies such as access logs for firewalls and VPNs should also be monitored for suspicious activity and to spot man in the middle attacks aimed at stealing credentials in-transit. Beyond that, there are some tell-tale signs that can allow your organization to spot PtH attacks or lateral movement enabled by PtH.
Pass the Hash 'Tells'
Pass the Hash detection need not be complicated. For example, User and Entity Behavior Analytics (UEBA) tools running on networked endpoints can spot suspicious or malicious activity, such as the installation or use of software like Mimikatz, Empire, Night Dragon and other toolkits that facilitate PtH attacks as well as suspicious processes touching LSASS. Note that most EDR solutions will struggle if even modest changes are made to stock tooling before it is used.
Broadly, organizations concerned about PtH should be on the lookout for unauthorized access or unusual remote logins that correlate with suspicious or malicious network activity like the execution of suspicious, malicious or unknown binaries. MITRE notes that NTLM LogonType 3 authentications that are not anonymous or associated with a domain login are often indicative of credential theft.
In its guidance on Mitigating Pass the Hash attacks, Microsoft notes that detection is “most efficient when performed on well-structured networks in which high-value account usage is clearly defined.” With user and administrator roles and behavior patterns that are well understood and tightly prescribed, identifying activities that are outside the previously observed behavior or approved use is easier. Spotting anomalous activity then provides the basis for detection.
Among the suspicious indicators Microsoft itself identifies are:
- Unusual patterns around the source or destination of user access
- Unusual timing of user access given a user’s historic behavior or present situation
- Unusual or unexpected account creation including domain accounts created outside of the normal provisioning workflow or user accounts created on a server
- Unusual patterns of activity performed with the account
- Detection of known and unknown malicious executables associated with the account
- Activity from multiple, unrelated high-value accounts (domain admin, service account, etc.) emanating from the same host
- Detection of multiple accounts from different owners authenticating from the same computer in the same session
- Detection of unexplained modifications to sensitive objects like the Domain Administrators user group
Strict monitoring of user and administrative accounts is key to spotting Pass the Hash attacks. Organizations concerned about spotting such attacks should invest in tools, like QOMPLX’s, that can correlate login and credential-use events in order to identify these discrepancies and focus internal analysts and investigators most effectively.
In addition to monitoring user activity, organizations should monitor network and host events for indications of possible PtH attacks. There are a number of events that correlate with Pass the Hash attacks. Microsoft has documented these in its document Mitigating Pass the Hash Attacks and Other Credential Theft V2 (PDF), which serves as a good reference for event monitoring for Pass the Hash attacks.
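As an added illustration (not QOMPLX’s code) of two of the tells above, MITRE’s non-anonymous, non-domain NTLM LogonType 3 rule and Microsoft’s “multiple unrelated high-value accounts from one host” indicator, here is detection logic in Python run over a constructed JSON-lines export of Security Event ID 4624 records. The domain name, the high-value account list and the export format are assumptions for the example.

```python
import json
from collections import defaultdict

# Assumed for this constructed example: the AD NetBIOS domain name and the
# accounts the organization has classified as high value (tier 0).
AD_DOMAIN = "CORP"
HIGH_VALUE_ACCOUNTS = {"CORP\\da_bob", "CORP\\svc_backup", "CORP\\da_eve"}

# Constructed sample of Security Event ID 4624 (successful logon) records,
# exported as JSON lines; field names mirror the event's data section.
SAMPLE_LOG = """\
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"Kerberos","TargetUserName":"alice","TargetDomainName":"CORP","WorkstationName":"WS01"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"ANONYMOUS LOGON","TargetDomainName":"NT AUTHORITY","WorkstationName":"WS01"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"Administrator","TargetDomainName":"FILESRV01","WorkstationName":"WS07"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"svc_backup","TargetDomainName":"CORP","WorkstationName":"WS07"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"da_bob","TargetDomainName":"CORP","WorkstationName":"WS07"}
{"EventID":4624,"LogonType":2,"AuthenticationPackageName":"Negotiate","TargetUserName":"carol","TargetDomainName":"CORP","WorkstationName":"WS03"}
"""

def parse_events(log_text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def account(ev):
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"

def suspicious_ntlm_network_logons(events):
    """MITRE tell: NTLM network logons (LogonType 3) that are neither anonymous
    nor domain-account logons. A local account authenticating over the network
    with NTLM is the footprint a replayed local-account hash leaves."""
    return [f"{account(ev)}@{ev['WorkstationName']}" for ev in events
            if ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM"
            and ev["TargetUserName"] != "ANONYMOUS LOGON"
            and ev["TargetDomainName"].upper() != AD_DOMAIN]

def hosts_with_multiple_high_value_accounts(events):
    """Microsoft tell: several unrelated high-value accounts seen from one host."""
    seen = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and account(ev) in HIGH_VALUE_ACCOUNTS:
            seen[ev["WorkstationName"]].add(account(ev))
    return {host: sorted(accts) for host, accts in seen.items() if len(accts) > 1}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("suspicious NTLM logons:", suspicious_ntlm_network_logons(evs))
    print("multi-admin hosts:", hosts_with_multiple_high_value_accounts(evs))
```

On the sample, the local FILESRV01\Administrator NTLM logon from WS07 and the two domain admin-class accounts seen on WS07 are the hits; in production the same logic would be fed from Get-WinEvent, an agent or a SIEM export of the Security log.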
Step 3: Response
Recent incidents have shown how compromises of Active Directory often precede devastating hacks, including deployment of ransomware and wholesale theft of data and intellectual property. That’s why, if detected or even suspected, a Pass the Hash (PtH) attack should trigger an immediate response from your security operations center (SOC), computer incident response team (CIRT), or third-party service provider.
As part of their response to Pass the Hash credential reuse attacks, organizations will want to answer some form of the following questions:
- How did the attackers initially access the network?
- What accounts were compromised by the attackers?
- Which IT assets have attackers accessed and/or compromised?
- What information have the attackers accessed and exfiltrated?
Regardless of the extent of the incident, organizations that have suffered a Pass the Hash attack will need to review their security protection and detection tools and capabilities to determine how the successful attack was carried out. It may be necessary to update your security protections and detection capabilities to address areas of exposure.
Step 4: React vs. Watch and Learn
Once a Pass the Hash attack has been detected and the basic dimensions of the compromise are understood, organizations face a choice: shut down affected account(s) and take compromised assets offline to stop the attack, or hold back and observe the attackers at work.
Resources and visibility may limit choices
In QOMPLX’s experience, most compromised organizations choose the former; they shut down affected accounts, reset passwords, re-image systems, change remote access systems, and implement additional controls in the hopes of shutting down all avenues to future threat actors. A rebuild may be an organization’s best option given available resources and visibility into such network activity. While understandable, this response eliminates the possibility of analyzing the attack and determining its full extent: what was accessed, and possibly who was behind the attack.
In our experience, attackers who execute a Pass the Hash attack rarely have just one credential at their disposal. More likely: they have acquired an entire keychain of stolen credentials comprising many accounts. Additionally, they will deploy back doors and other malicious software to give themselves persistent access to a compromised environment. That is why observing attackers even after you have detected them can allow your organization to more thoroughly respond to the attack at a time of your choosing.
If you choose to monitor attacker behavior in your environment, focus on following the chain of access events to its source. Identifying the host or hosts from which credentials were harvested will give you access to “ground zero” of the compromise. Tools like command line auditing can then be used to see what actions attackers performed on those hosts and what data and credentials they may have gained access to.
You also want to follow the chain of compromises forward to see what other network assets the compromised credentials have been used to access, and whether attackers have succeeded in elevating privileges and gaining access to and control over domain controllers. Among other things, conduct a thorough audit of your network to identify any resources accessed with the compromised credentials (e.g. network shares). You will need to address these during the recovery phase.
Obviously, the compromise of the domain controller will require a more comprehensive re-build of your environment than will the compromise of one or more lower level accounts which can be reset. Review our post on Golden Ticket Attacks for details on rebuilding following a domain controller compromise. You may wish to employ a professional services or incident response team to manage a large scale breach.
Step 5: Recover Accounts
Once your organization has a fuller understanding of the incident, it is well positioned to recover from it. This could include disabling all but a few of the lowest-privileged accounts, blocking external IP addresses associated with the attacks and implementing redirects for suspicious traffic to honeypots.
By monitoring the few remaining active accounts, investigators can understand secondary attack paths used by the threat actors and whether they have dropped a backdoor into an organization that could be used indefinitely.
Recovering from Pass the Hash attacks is straightforward, assuming that is all you need to recover from.
The goal of recovery is, obviously, to regain control of the compromised account. Administrators should set compromised passwords to expire at the next logon, forcing account owners to reset them. Administrators should make sure to change passwords for Active Directory Domain Services (ADDS).
In the event that a Pass the Hash attack was secondary to a compromise of a network asset like an employee laptop, you likely want to reset the computer account credentials in addition to the user credentials.
For any shared resources accessed using the compromised credentials, terminate the logon session that granted access to the malicious user, if that session is still running.
Alternatively, you can remove compromised accounts from your Active Directory environment by disabling the account and removing it from both the Active Directory Domain Services and any local or network security groups.