What The Hash?
One of the easiest ways for an attacker to wreak havoc within a network is by leveraging user credentials, which is why user passwords are so sought after. There are many ways for attackers to get their hands on user passwords, but getting cleartext credentials is not as easy as it once was. But hey, who needs cleartext creds anyway?
A password hash is the stored, non-reversible form of a user's password (on Windows, the NT hash). After gaining access to a host on the internal network, an attacker can extract these hashes with tools like mimikatz or impacket's secretsdump. The hashes can then be used in a few ways: cracked offline to recover the password, or passed directly to authenticate as the user without ever knowing the password. The latter is an attack called Pass the Hash (PtH). Passing the hash lets an attacker move laterally within a network, accessing other hosts, all under the guise of the user whose password hash was stolen.
Identifying this activity can be difficult because a pass the hash logon can look like legitimate network authentication; however, it is not impossible. When hunting for pass the hash attempts, here are some key Windows Security events to look for:
- Event ID 4624 with Logon Type 3 (network logon) where the authentication package is NTLM
- Event ID 4672 (special privileges assigned to a new logon, i.e. an administrative logon)
Also, watch for suspicious handles opened to LSASS, and for any user logging on to hosts they would not normally access. An example would be an ordinary domain user account authenticating to other workstations.
Finally, once detection rules are in place, many teams look for ways to validate that those detections and prevention measures perform as expected under realistic attack conditions. One consideration is whether internal or third-party penetration testing includes advanced techniques like these, as many standard tests don’t always exercise them.
For teams interested in exploring this further, Neovera offers flexible testing engagements to help validate these and other controls.
——————————————————————
Missed our recent webinar with About Fraud?
Many organizations are recognizing that technical attack techniques like Pass-the-Hash highlight a broader challenge: traditional detection alone isn't enough without continuous validation against real-world attack scenarios.
If you’re interested in how financial institutions are applying proactive testing approaches beyond traditional monitoring, you may find our recent webinar with About Fraud valuable.
