Pass the Hash
Pass the Hash [T1550.002]
Information
Name: Pass the Hash
ID: T1550.002
Technique: T1550
Introduction
Pass the Hash (PtH), identified as sub-technique T1550.002 within the MITRE ATT&CK framework, is a credential access technique where adversaries leverage hashed credentials to authenticate themselves to remote systems without needing plaintext passwords. By exploiting authentication protocols and mechanisms, attackers utilize valid credential hashes captured from compromised systems to move laterally and escalate privileges across a network. This technique bypasses traditional password authentication, making it particularly difficult to detect and mitigate, thus becoming a common method for persistence and lateral movement in targeted attacks.
Deep Dive Into Technique
Pass the Hash specifically exploits Windows authentication mechanisms, notably the NT LAN Manager (NTLM) protocol. NTLM hashes, stored in the Security Account Manager (SAM) database or memory, can be extracted from compromised hosts and subsequently reused for authentication without cracking the original plaintext password.
Technical execution typically involves the following steps:
Credential Extraction:
Attackers obtain NTLM hashes by dumping memory processes (e.g., LSASS) using tools such as Mimikatz, ProcDump, or through volume shadow copy extraction.
Alternatively, hashes can be obtained by accessing the SAM database directly, especially on compromised systems running with administrative privileges.
Hash Reuse (Authentication):
Attackers utilize tools such as Mimikatz, Impacket, Metasploit, CrackMapExec, or custom scripts to reuse captured NTLM hashes for authentication.
Authentication occurs by directly injecting captured hashes into authentication requests, bypassing the need for plaintext passwords.
Lateral Movement and Privilege Escalation:
After successful authentication, attackers spread laterally across the network, accessing additional systems, escalating privileges, and maintaining persistent access.
Attackers leverage legitimate Windows administrative tools such as PsExec, PowerShell remoting, SMB connections, WMI, or Remote Desktop Protocol (RDP) sessions, authenticating solely with captured hashes.
Real-world procedures frequently involve leveraging vulnerabilities or misconfigurations, such as weak security policies, lack of credential protection (Credential Guard, LSA protection), and absence of network segmentation.
When this Technique is Usually Used
Pass the Hash is typically utilized during multiple stages of an attack lifecycle, including:
Initial Access and Privilege Escalation:
Attackers initially compromise a host and extract hashes to escalate privileges locally or gain administrative credentials.
Lateral Movement:
Attackers employ captured hashes to authenticate to other systems within the network, expanding their foothold.
Persistence and Credential Access:
Attackers continuously harvest hashes from additional systems to ensure persistent access and maintain lateral movement capabilities.
Attack scenarios where Pass the Hash commonly appears include:
Targeted cyber espionage campaigns.
Advanced Persistent Threat (APT) intrusions.
Ransomware attacks involving lateral movement to infect multiple hosts.
Internal penetration testing engagements to demonstrate credential theft risks.
How this Technique is Usually Detected
Detection of Pass the Hash involves monitoring and analyzing authentication activities, process execution, and system logs. Common detection methods and indicators of compromise (IoCs) include:
Event Log Analysis:
Monitor Windows Security Event Logs for anomalous logon events (Event IDs 4624, 4625), especially logons using NTLM authentication from unusual sources or at unusual times.
Identify logon events without corresponding explicit logoff events or unusual credential usage patterns.
Process and Memory Monitoring:
Detect suspicious process executions such as LSASS memory dumps or unexpected tools usage (e.g., Mimikatz, ProcDump).
Employ endpoint detection and response (EDR) tools that detect memory injection or suspicious API calls associated with credential theft.
Network Traffic Analysis:
Monitor SMB traffic for unusual authentication attempts, especially NTLM authentication requests originating from abnormal hosts.
Identify anomalous lateral movement patterns, including SMB connections to multiple hosts from a single compromised system.
Behavioral Analysis and Threat Hunting:
Use threat hunting techniques to proactively search for signs of credential theft and lateral movement, such as abnormal administrative tool usage (PsExec, WMI, PowerShell Remoting).
Implement machine learning and behavioral analytics tools to detect deviations from normal user or system behavior.
Specific tools and solutions commonly employed for detection include:
Endpoint Detection and Response (EDR) platforms (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne).
Security Information and Event Management (SIEM) systems (Splunk, IBM QRadar, Elastic Security).
Network Intrusion Detection Systems (IDS) and Network Traffic Analysis (NTA) tools (Zeek, Cisco Secure Network Analytics, ExtraHop Reveal(x)).
Why it is Important to Detect This Technique
Early detection of Pass the Hash is critical due to its significant impact on network and system security. Potential consequences of failing to detect this technique include:
Rapid Lateral Movement:
Attackers can quickly propagate across multiple systems, significantly expanding the scope of compromise.
Privilege Escalation:
Attackers can escalate privileges by leveraging administrative hashes, gaining complete control over critical systems and infrastructure.
Persistent Access:
Attackers maintain persistent access to networks, complicating remediation efforts and increasing the likelihood of long-term compromise.
Data Exfiltration and Breaches:
Successful lateral movement enables attackers to access sensitive information, intellectual property, trade secrets, and personally identifiable information (PII), leading to severe data breaches and regulatory compliance issues.
Operational Disruption:
Attackers leveraging Pass the Hash may disrupt critical business operations, causing financial losses, reputational damage, and operational downtime.
Given these severe impacts, organizations must prioritize detecting and mitigating Pass the Hash attacks through proactive monitoring, robust security controls, and continuous threat hunting.
Examples
Real-world examples demonstrating Pass the Hash include:
NotPetya Ransomware Attack (2017):
Attackers leveraged Pass the Hash to propagate ransomware across compromised networks at high speed.
Tools used: Mimikatz, EternalBlue exploit, PsExec.
Impact: Massive global disruption, billions of dollars in financial losses, operational downtime, and data destruction.
APT29 (Cozy Bear) Intrusions:
Russian threat actor group APT29 used Pass the Hash extensively for lateral movement and persistence in targeted cyber espionage campaigns.
Tools used: Custom malware, Mimikatz, PowerShell scripts.
Impact: Compromise of sensitive governmental and political organizations, long-term espionage operations.
APT3 (Gothic Panda) Campaigns:
Chinese cyber espionage group APT3 employed Pass the Hash techniques to move laterally within compromised networks, gaining access to intellectual property.
Tools used: Mimikatz, Metasploit, Impacket.
Impact: Theft of sensitive intellectual property and trade secrets from technology, aerospace, and defense companies.
Penetration Testing Engagements:
Security assessments frequently demonstrate Pass the Hash techniques to highlight credential security weaknesses.
Tools used: CrackMapExec, Impacket suite, Metasploit Framework.
Impact: Demonstrated vulnerabilities leading to enhanced security controls and improved credential hygiene practices.
These examples illustrate the widespread use of Pass the Hash across diverse threat actors and attack scenarios, emphasizing the importance of robust detection and mitigation strategies.
Last updated
Was this helpful?