Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
When performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform Pass the Ticket attacks.
|M1026||Privileged Account Management||
Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.
Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.
|M1052||User Account Control||
Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located
Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons.
|M1018||User Account Management||
Do not allow a domain user to be in the local administrator group on multiple systems.
|ID||Data Source||Data Component||Detects|
|DS0026||Active Directory||Active Directory Credential Request||
Monitor requests of new ticket granting ticket or service tickets to a Domain Controller. Windows Security events such as 4768 (A Kerberos authentication ticket (TGT) was requested) and 4769 (A Kerberos service ticket was requested) combined with logon session creation information may be indicative of an overpass the hash attempt.
|DS0028||Logon Session||Logon Session Creation||
Monitor newly created logons and credentials used in events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
Note: Analytic Event ID is for Windows Security Log (Event ID 4624 - An account was successfully logged on). The successful use of Pass the Hash for lateral movement between workstations would trigger Event ID 4624, with an event level of Information, from the Windows Security log. This event would show an account logon with a LogonType of 3 using NTLM authentication, a logon that is not a domain logon, and the user account not being the ANONYMOUS LOGON account.
|DS0002||User Account||User Account Authentication||
Monitor for user authentication attempts. From a classic Pass-The-Hash perspective, this technique uses a hash through the NTLMv1 / NTLMv2 protocol to authenticate against a compromised endpoint. This technique does not touch Kerberos. Therefore, NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious. From an Over-Pass-The-Hash perspective, an adversary wants to exchange the hash for a Kerberos authentication ticket (TGT). One way to do this is by creating a sacrificial logon session with dummy credentials (LogonType 9) and then inject the hash into that session which triggers the Kerberos authentication process.