Pass the hash is not a new attack. It is a lateral movement technique that attackers have been exploiting for the last 15 years, and it is still highly effective in Windows networks today.
The purpose of this post is to give you an overview of how the attack works and of the main security controls you can put in place to prevent or mitigate it.
The attack consists of obtaining password hashes from a compromised system and reusing them to gain access to other systems on the network. It is possible on Windows because of how NTLM authentication works: the NT hash of the password, not the password itself, is the key used in the challenge-response exchange. An attacker who holds the hash can therefore authenticate to remote services without the plaintext password and without having to run dictionary or brute-force attacks against the hash.
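To make this concrete, here is an added example (written for this edit, not code from the original post) that computes an NTLMv2 response from an NT hash alone. It follows the NTOWFv2 and NTProofStr construction from MS-NLMP; the NT hash used is the well-known hash of the password "password", the server and client challenges are constructed values, the client challenge blob is the minimal form with an empty AV_PAIR list, and the function names are my own.

```powershell
# Added example (not from the original post): derive an NTLMv2 response from
# the NT hash only, following the NTOWFv2 / NTProofStr construction in MS-NLMP.
# The NT hash is MD4(UTF-16LE(password)) with no salt. The value below is the
# well-known NT hash of the password "password"; the plaintext is never used.
$NtHashHex = '8846f7eaee8fb117ad06bdd830b7586c'

function ConvertFrom-Hex {
    param([string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-Hex {
    param([byte[]]$Bytes)
    return ([BitConverter]::ToString($Bytes) -replace '-', '').ToLower()
}

function Get-HmacMd5 {
    param([byte[]]$Key, [byte[]]$Data)
    $hmac = New-Object System.Security.Cryptography.HMACMD5 -ArgumentList (,$Key)
    try { return ,$hmac.ComputeHash($Data) } finally { $hmac.Dispose() }
}

function Get-NtlmV2Response {
    param(
        [byte[]]$NtHash,           # 16-byte NT hash: the only secret required
        [string]$User,
        [string]$Domain,
        [byte[]]$ServerChallenge,  # 8 bytes from the server's CHALLENGE_MESSAGE
        [byte[]]$ClientChallenge   # 8 random bytes chosen by the client
    )
    $unicode = [System.Text.Encoding]::Unicode   # UTF-16LE, as NTLM expects

    # NTOWFv2 = HMAC-MD5(NT hash, UPPERCASE(user) + domain)   (MS-NLMP 3.3.2)
    $ntowfv2 = Get-HmacMd5 -Key $NtHash -Data $unicode.GetBytes($User.ToUpperInvariant() + $Domain)

    # Minimal NTLMv2_CLIENT_CHALLENGE ("blob"): RespType=1, HiRespType=1, reserved,
    # FILETIME timestamp, client challenge, reserved, empty AV_PAIR list, reserved
    $timestamp = [BitConverter]::GetBytes([DateTime]::UtcNow.ToFileTimeUtc())
    $blob = [byte[]]( @(1, 1, 0, 0, 0, 0, 0, 0) + $timestamp + $ClientChallenge + @(0, 0, 0, 0) + @(0, 0, 0, 0) + @(0, 0, 0, 0) )

    # NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge + blob)
    $ntProofStr = Get-HmacMd5 -Key $ntowfv2 -Data ([byte[]]($ServerChallenge + $blob))

    # The session base key (signing/sealing) comes from the same hash-derived values
    $sessionBaseKey = Get-HmacMd5 -Key $ntowfv2 -Data $ntProofStr

    [pscustomobject]@{
        NtProofStr          = ConvertTo-Hex $ntProofStr
        NtChallengeResponse = ConvertTo-Hex ([byte[]]($ntProofStr + $blob))
        SessionBaseKey      = ConvertTo-Hex $sessionBaseKey
    }
}

# Constructed inputs for the demo: fixed server and client challenges.
$serverChallenge = ConvertFrom-Hex '0123456789abcdef'
$clientChallenge = ConvertFrom-Hex 'ffffff0011223344'
Get-NtlmV2Response -NtHash (ConvertFrom-Hex $NtHashHex) -User 'Administrator' -Domain 'CORP' `
    -ServerChallenge $serverChallenge -ClientChallenge $clientChallenge
```

Everything the client sends in the AUTHENTICATE_MESSAGE, and the session key that protects the rest of the exchange, is derived from the 16-byte NT hash. That is the whole reason the hash is worth as much as the password to an attacker, and why cracking it is unnecessary.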
It is not possible to completely prevent attackers from using this technique in a Windows infrastructure, but there are mitigation controls we can put in place. These are the security controls recommended by Microsoft for that purpose:
Restrict and protect high privileged domain accounts
Restrict and protect local accounts with administrative privileges
Restrict inbound traffic using a host-based firewall
Let’s review each of them.
Mitigation 1: Restrict and protect high-privileged domain accounts
This mitigation reduces the risk of administrators inadvertently exposing privileged credentials to higher risk computers.
The idea is to prevent high-privileged accounts, such as Domain Admins and Enterprise Admins, from being used to authenticate to less trusted computers. Administrators should use separate, less privileged accounts for their regular tasks instead of their high-privileged accounts. It is just as important not to schedule tasks or configure services with privileged accounts on lower-trust computers, since those credentials are then stored and used on that computer.
The rationale behind this control is that an attacker cannot steal credentials for an account if the credentials are never used on the compromised computer.
This mitigation can only be technically enforced from Windows Server 2012 R2 onwards (through the Protected Users group and authentication policies); on earlier versions it can only be enforced by policy or procedures.
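As an added example (written for this edit, not code from the original post), the following PowerShell audits a computer for services and scheduled tasks configured with high-privileged domain accounts, and reports which of those accounts are not yet members of Protected Users. It assumes the RSAT ActiveDirectory module, a domain at Windows Server 2012 R2 functional level or later, and the group list and function names are my own.

```powershell
# Added example (not from the original post): find privileged domain accounts
# used by services and scheduled tasks on a host, and check Protected Users
# membership. Assumes RSAT ActiveDirectory and a 2012 R2+ domain.
Import-Module ActiveDirectory
Import-Module ScheduledTasks

function Get-PrivilegedSamAccountNames {
    # The group list is an assumption; extend it with your own tier-0 groups
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    $names = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }
    return @($names | Sort-Object -Unique)
}

function ConvertTo-SamName {
    # Normalise 'DOMAIN\user', 'user@domain.tld' and 'user' to 'user'
    param([string]$Account)
    return (($Account -split '\\')[-1] -split '@')[0]
}

function Find-PrivilegedAccountUsage {
    param([string[]]$PrivilegedSamNames, [string]$ComputerName = $env:COMPUTERNAME)
    $set = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($n in $PrivilegedSamNames) { [void]$set.Add($n) }

    # Services: Win32_Service.StartName is the logon account. A local account with
    # the same name as a domain admin is also reported, which deserves a look anyway.
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and $set.Contains((ConvertTo-SamName $_.StartName)) } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $ComputerName; Type = 'Service'; Name = $_.Name; Account = $_.StartName }
        }

    # Scheduled tasks: Principal.UserId is the account the task runs as
    Get-ScheduledTask -CimSession $ComputerName |
        Where-Object { $_.Principal.UserId -and $set.Contains((ConvertTo-SamName $_.Principal.UserId)) } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $ComputerName; Type = 'ScheduledTask'; Name = $_.TaskName; Account = $_.Principal.UserId }
        }
}

function Test-ProtectedUsersMembership {
    param([string[]]$SamAccountNames)
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive | Select-Object -ExpandProperty SamAccountName
    foreach ($sam in $SamAccountNames) {
        [pscustomobject]@{ Account = $sam; InProtectedUsers = [bool]($protected -contains $sam) }
    }
}

$privileged = Get-PrivilegedSamAccountNames
Find-PrivilegedAccountUsage -PrivilegedSamNames $privileged | Format-Table -AutoSize
Test-ProtectedUsersMembership -SamAccountNames $privileged | Where-Object { -not $_.InProtectedUsers }
```

Run the usage check against every lower-trust computer, not only the one you are sitting on; any hit is a privileged credential cached on a machine where it should never be. Before adding an account to Protected Users, remember that its members cannot authenticate with NTLM, RC4 or DES and cannot be delegated, so the group is for interactive admin accounts, not for service accounts.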
Mitigation 2: Restrict local accounts with administrative privileges
This mitigation restricts the ability of attackers to use local administrator accounts for lateral movement PtH attacks.
The idea is to prevent local accounts from being used for remote administration by explicitly denying the network and Remote Desktop logon rights to all local accounts with administrative privileges.
In addition, because Windows does not salt the NT hash (it is simply the MD4 of the UTF-16LE password), two systems whose local administrator accounts share a password also share the same hash. Local accounts with administrative privileges should therefore have a unique password on each system.
With this control in place, an attacker who obtains local account credentials from a compromised computer will not be able to reuse them on other computers on the organization's network.
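The following is an added example (written for this edit, not code from the original post) that applies the logon-right part of this mitigation on a single host and then verifies it. It assumes Windows 8.1 / Server 2012 R2 or an older system with KB2871997, which introduced the well-known SID S-1-5-114 (NT AUTHORITY\Local account and member of Administrators group), and an elevated PowerShell session; in a domain you would set the same two rights through Group Policy instead.

```powershell
# Added example (not from the original post): deny network and Remote Desktop
# logon to local administrator accounts with secedit, then verify the result
# and the UAC remote-restriction registry value. Assumes 8.1/2012 R2 or
# KB2871997 (well-known SID S-1-5-114); run elevated.
$LocalAdminSid = 'S-1-5-114'

function Set-LocalAdminRemoteLogonDeny {
    # secedit replaces the listed rights with exactly these entries, so export the
    # current policy first and merge if either right already has entries.
    $inf = Join-Path $env:TEMP 'deny-local-admin.inf'
    $db  = Join-Path $env:TEMP 'deny-local-admin.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *$LocalAdminSid
SeDenyRemoteInteractiveLogonRight = *$LocalAdminSid
"@ | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
}

function Test-LocalAdminRemoteLogonDeny {
    $exported = Join-Path $env:TEMP 'current-rights.inf'
    & secedit.exe /export /cfg $exported /areas USER_RIGHTS | Out-Null
    $rights  = Get-Content -Path $exported
    $netDeny = $rights | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    $rdpDeny = $rights | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' }

    # LocalAccountTokenFilterPolicy = 1 turns off UAC remote restrictions and gives
    # local administrators a full token over the network; it should be absent or 0.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        NetworkLogonDenied = [bool]($netDeny -match $LocalAdminSid)
        RdpLogonDenied     = [bool]($rdpDeny -match $LocalAdminSid)
        TokenFilterPolicy  = if ($policy) { $policy.LocalAccountTokenFilterPolicy } else { 'not set (default)' }
    }
}

Set-LocalAdminRemoteLogonDeny
Test-LocalAdminRemoteLogonDeny
```

On systems that predate the S-1-5-114 SID you have to list the local administrator accounts explicitly in the two rights, which is exactly the kind of per-host maintenance the well-known SID was introduced to avoid. The unique-password half of the mitigation cannot be checked from a single host; it needs per-computer randomised passwords managed centrally.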
Mitigation 3: Restrict inbound traffic using a host-based firewall
This mitigation restricts the ability of attackers to initiate lateral movement from a compromised workstation by blocking inbound connections.
The idea is to block all inbound connections to all workstations except for expected traffic originating from trusted sources. An allowlist ('whitelisting') approach for both sources and protocols prevents an attacker who has obtained any type of account credentials from connecting to other workstations with them.
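As an added example (written for this edit, not code from the original post), the following PowerShell configures the Windows Firewall on a workstation to block inbound traffic by default, allows the usual administration protocols only from a trusted source range, and then lists any remaining rules that still accept those ports from anywhere. The management subnet, the port list and the rule and function names are assumptions; in practice the same configuration is normally pushed by Group Policy.

```powershell
# Added example (not from the original post): inbound allowlist on a workstation
# with the Windows Firewall NetSecurity cmdlets. Management subnet and ports are
# assumptions; run elevated.
$ManagementSources = @('10.10.0.0/24')                                # jump hosts / admin workstations
$AdminPorts        = @('135', '139', '445', '3389', '5985', '5986')   # RPC, SMB, RDP, WinRM
$RuleName          = 'PtH-Admin-From-Management'

function Set-WorkstationInboundAllowlist {
    # Block everything inbound unless an allow rule matches, on all profiles
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

    # One scoped allow rule for the admin protocols, limited to the trusted sources
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $RuleName
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow -Profile Any `
        -Protocol TCP -LocalPort $AdminPorts -RemoteAddress $ManagementSources | Out-Null
}

function Get-UnscopedAdminAllowRules {
    # Allow rules are evaluated before the default action, so any enabled inbound
    # allow rule on an admin port with RemoteAddress 'Any' defeats the allowlist.
    # Port ranges such as '1024-65535' are not expanded here and must be reviewed by hand.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule  = $_
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $addrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $onAdminPort = $ports | Where-Object { $_ -eq 'Any' -or $_ -in $AdminPorts }
        if ($onAdminPort -and ($addrs -contains 'Any')) {
            [pscustomobject]@{
                Name   = $rule.DisplayName
                Group  = $rule.DisplayGroup
                Ports  = ($ports -join ',')
                Remote = ($addrs -join ',')
            }
        }
    }
}

Set-WorkstationInboundAllowlist
Get-UnscopedAdminAllowRules | Format-Table -AutoSize
```

The second function is the part people forget: built-in rule groups such as File and Printer Sharing, Remote Desktop and Windows Remote Management ship with RemoteAddress set to Any, and as long as one of them is enabled the default-block setting does nothing for that port. Disable those rules or scope them to the same management sources.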
Other Windows features that can help
Other Windows features that can help prevent an attacker from stealing or using stolen credentials are:
Enforce credential removal after logoff
Remove LAN Manager hashes from LSASS
Remove plaintext credentials from LSASS for domain accounts
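As an added example (written for this edit, not code from the original post), the following PowerShell checks and sets the registry values behind these three features. It assumes Windows 7 / Server 2008 R2 with KB2871997 or a newer system, where the WDigest UseLogonCredential value exists and credential removal at logoff is available, and an elevated session; the function names are my own.

```powershell
# Added example (not from the original post): audit and apply the registry
# settings behind the LSASS credential features above. Assumes KB2871997 or
# Windows 8.1 / Server 2012 R2 and newer; run elevated.
$LsassSettings = @(
    # "Network security: Do not store LAN Manager hash value on next password change"
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'; Expected = 1 }
    # WDigest: stop keeping plaintext domain credentials in LSASS (default 0 from 8.1 / 2012 R2)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Expected = 0 }
)

function Test-LsassCredentialSettings {
    foreach ($s in $LsassSettings) {
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($s.Name) } else { $null }
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Expected
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($actual -eq $s.Expected)
        }
    }

    # Credential removal at logoff has no registry switch: it is built into
    # Windows 8.1 / Server 2012 R2 and backported to older systems by KB2871997.
    $os      = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $builtIn = $os -ge [version]'6.3'
    $hotfix  = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting   = 'CredentialRemovalAtLogoff'
        Expected  = 'OS >= 8.1 / 2012 R2 or KB2871997'
        Actual    = if ($builtIn) { "built in ($os)" } elseif ($hotfix) { $hotfix.HotFixID } else { 'missing' }
        Compliant = [bool]($builtIn -or $hotfix)
    }
}

function Set-LsassCredentialSettings {
    foreach ($s in $LsassSettings) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Expected -Type DWord
    }
}

Test-LsassCredentialSettings | Format-Table -AutoSize
```

Two caveats when you apply these: NoLMHash only stops the LM hash from being stored at the next password change, so existing LM hashes stay until every account has changed its password, and setting UseLogonCredential to 0 only takes effect for logons after the change, so a reboot (or at least a fresh logon) is needed before the plaintext is actually gone from LSASS.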
It is important to keep in mind that there is no silver bullet against PtH attacks. Technology alone cannot solve the problem, so people and processes become critical elements of any corporate defense program. The proposed security controls must be enforced and integrated into a comprehensive security approach that includes security awareness, security monitoring and incident response readiness.