Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Pass-the-hash (PtH) is an all too common form of credentials attack, especially since the advent of a tool called Mimikatz. Using PtH to extract from admin memory parsing is much faster than old dictionary and brute force style attacks of yester-year using tools such as ”Cain and Abel.” This blog introduces the Windows Security Account Manager (SAM) file, hashes for credentials, how PtH is easily performed using a tool called Mimikatz, and how to detect such attacks within alerts.
Windows “hash” (fixed-size mathematically generated value) values for passwords for users on a computer are stored in the Windows SAM file located at %SystemRoot%/system32/config/SAM and mounted via HKLM/SAM:
SAM file as seen in Windows 10 in the System32 config directory
If a computer is compromised by a remote actor or malicious insider they can easily view, copy, and/or exfiltrate the SAM file from a computer to then leverage in compromising credentials. Using old-school methods, one can copy the SAM file from the local system and exfiltrate it to an attacker computer for brute force password attacks against the file. This is not as easy as you think, since it is already in use and therefore not allowed by Windows. However, a trivial batch (.bat) file run as admin easily creates a copy on the local C drive:
reg SAVE HKLM\SAM C:\SAM
reg SAVE HKLM\SYSTEM C:\SYSTEM
Once obtained, the SAM file can then be leveraged for password cracking. In a reverse direction an actor may also just upload a tool like Mimikatz to a remote compromised endpoint to then run it on the computer to then compromise credentials, which is far more efficient than using PtH tactics.
The SAM file contains data as shown below, when viewed in Notepad on Windows:
SAM file snippet viewed in Notepad
Windows XP and older operating systems store passwords in the SAM file. To keep passwords secure they are ‘hashed’ using one of two formats: LAN Manager (LM) Hash or NT LAN Manager (NTLM). LM hashes are the older, easily cracked version of security, which should not be used today. LM hashes can be cracked in seconds using off-the-shelf hacking tools. When viewing hashes in a SAM file, if you see two different hash values present you know you can ‘pwn’ (own) the credentials because it must contain both LM and NTML hashes!
NTLM hashes are more robust, but produce a cryptographic value that is predictable. In other words, if you generate the hash value for “admin123” or “sunset” you get a known value that can then be used in a dictionary style attack against unknown hashes.
No matter what type of hash you use, if admin exists on an endpoint and it’s compromised and Mimikatz is used, complete pwn’ge is in your immediate future. It’s trivial to run the tool to quickly dump all passwords on a local system as shown below:
Mimikatz dumping passwords to “Passwords.txt”
Examples of passwords dumped by Mimikatz including user kdunham and a NAS device
Once the user is compromised, whatever privileges they have across the network can then be used to log into different computers with different users and hashes. This enables an actor to quickly traverse a network laterally and/or elevate to Domain Admin in many cases. It can also enable an actor to have access to special file stores, such as the network area storage device used for backups as seen in the example above.
Mature pen testers and threat agents often automate the use of Mimikatz with a script, such as a PowerShell script. This enables them to perform several tasks quickly that are always required - such as disabling AV and running the desired command for Mimikatz to steal credentials. Some tools, such as PowerShell Empire, contain a module such as “pth” to also automate such tasks. Even Microsoft has a PowerShell script for downloading from Github and executing Mimikatz, available at https://gallery.technet.microsoft.com/scriptcenter/Invoke-Mimikatz-and-will-d6c40fac.
Mimikatz is one of the most popular but certainly not the only tool for stealing credentials. Related tools of concern include but are not limited to MetaSploit, SMBShell, fgdump, gsecdump, PWDumpX, creddump, and WCE.
Lateral movement of PtH attempts can be seen between workstations:
ID 4624 is for a successful user account login, which can be seen in the Windows event security log. Other codes, like 4740 for lockout, may help reveal a picture of attempted hacking of an account. Combining at least the three PtH components of ID 4624, 3, and NTLM into event correlation enables an analyst to quickly identify PtH attacks. In the real world of reaching through SIEM/SOC data an analyst may be viewing a triggered syslog alert such as:
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; pcre: "/ 4624: | 4625: /"; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| ",$WINDOWS_DOMAINS; meta_nocase; program: Security|Security-Auditing; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002017; reference: url,http://en.wikipedia.org/wiki/Pass_the_hash; sid: 5002017; rev:2;)
Reading through the rule above notice the use of “!” where something like “ANONYMOUS LOGON” is NOT part of the rule. This matches the ruleset described above and is relatively fast to triage by a junior analyst as PtH.
Understanding PtH is important in 2018 because it is a very common method popularized by tools such as Mimikatz. It’s common and relatively easy to spot in terms of low hanging fruit on alerts, monitoring and response. There is a much more complicated architecture behind the scenes of any well defended network related to how identity and access management (IAM) is performed in addition to more advanced PtH detection and counter-tactics.
While this article does not focus upon preventative controls to reduce credential theft risk a few must be noted out of good conscience in addition to additional references below:
For more information on PtH read the SANS paper at https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283.
Extensive mitigation advice from MS against PtH at https://cloudblogs.microsoft.com/microsoftsecure/2012/12/11/new-guidance-to-mitigate-determined-adversaries-favorite-attack-pass-the-hash/ and http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating%20Pass-the-Hash%20(PtH)%20Attacks%20and%20Other%20Credential%20Theft%20Techniques_English.pdf.
Binary Defense dives into how to detect PtH at https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through….
A Blackhat talk on why you need to detect more than PtH, because this is a complex subject, available at https://www.blackhat.com/docs/us-14/materials/us-14-Hathaway-Why-You-Need-To-Detect-More-Than-PtH-WP.pdf.
A more technical video on how authentication takes place related to PtH: https://www.youtube.com/watch?v=cBXdoIuLzmA.
September 08, 2016
At a recent conference for IT leaders, I addressed the theme of, “How much cyber security is enough?” We all probably have had to answer the broad....
Let us know what you need, and we will have an Optiv professional contact you shortly.