Mitigating Pass the Hash (PtH)


One year is a long time in the life of technology, so 16 years could be considered almost an eternity. At that point in history, many were testing the latest build of Windows Memphis Beta, later to become Windows 98. At the same time, Pass the Hash (PtH) was emerging as a way to target credentials and intellectual property. Many people have discussed PtH in blog posts, mitigation documents, and webinars, so does it deserve another blog post? Considering that CrowdStrike still encounters enterprises that have had their intellectual property stolen using this technique, and even more that are vulnerable to it, we believe the answer to that question is a resounding YES.

However, the content of our blog posts and webinars must provide something more valuable than what has been published before. So what is our goal in this process? To provide CrowdStrike’s holistic approach to mitigating PtH. We want to add to the collective knowledge of the security community and help you raise the cost to the adversary. We want to help protect against a key weakness we see in most networks. You’ll also discover that your company may already have all the tools necessary to implement this strategy successfully. That’s right: no magic bullet to buy, no expensive piece of software, but rather a carefully laid out control plan for protecting your most privileged credentials.

In our experience, many people don't understand what PtH is or how it affects them, so let's start with a quick high-level summary of the technique. In a PtH attack the adversary steals a stored password hash (on Windows, the NTLM hash) and reuses it to authenticate to another system as that user. No cracking is required: NTLM authentication proves possession of the hash, not the password, so the captured value alone is enough. We're not going to delve deep into the technical details, but the most important thing to understand is that the attacker must already have administrator-level privileges on the device from which he wants to steal credentials, whether from disk (the SAM database and LSA secrets) or from memory (the LSASS process). Once an attacker has that level of access, he can move quickly through an environment, gathering the credentials cached on each computer he reaches. In many cases, a single workstation is the targeted attacker's entry point. From that one computer, the PtH technique can be used to capture Domain Admin credentials, sometimes within a day. At that point, your most sensitive data can be collected and exfiltrated.

Removing local administrator rights from workstations is key to protecting credentials. Although that is one of the most effective controls available, it's not always practical to remove everyone's local administrative rights. It's also important to accept that at some point a critical cached credential will be sitting somewhere an attacker can find it. That starts our list of known issues that any PtH mitigation must accommodate:

  • Some users will have administrator-level permissions on workstations
  • Some users will administer the domain, member servers, and workstations
  • Critical credentials will be cached on some computers
  • Targeted attackers will harvest a critical cached credential at some point
  • Excessive increases in complicated IT procedures will reduce productivity

We now have a list of issues that must be considered with the solution. When you’re implementing this process, make sure to note your own list of items that must be met.

First and most important is disabling the built-in local Administrator account. These accounts are often renamed, but renaming is not enough: the account must be disabled. Its well-known RID (500) lets an attacker find it under any name, and because it is a local account, a stolen hash for it can be replayed against every machine that shares the same password. Most IT departments claim the account is needed as a backup to get into a computer. What most people fail to realize is that a disabled Administrator account can still be used to log on in Safe Mode on a workgroup machine with no other enabled local administrator; Microsoft's documentation for this policy setting adds that on a domain-joined computer the disabled account is not re-enabled in Safe Mode, so keep another recovery path (a dedicated break-glass local account, or offline recovery media) for those. So set the password to something the IT department can use in an emergency, make it unique per machine rather than shared across the fleet, but DISABLE the account on ALL machines. This is the first step to protecting your network from credential theft and PtH, and it is easily accomplished with Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > "Accounts: Administrator account status", set to Disabled.
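Disabling the account on a single host and checking the result can be done from PowerShell. The script below is an added example, not code from the original post or from CrowdStrike; it assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts cmdlets) and an elevated session, and it locates the account by its well-known RID 500 so that a renamed account is still found.

```powershell
# Added example (not CrowdStrike's code or the post's own): disable the built-in local
# Administrator account on one host and verify the result. Assumes Windows 10 / Server 2016
# or later (Microsoft.PowerShell.LocalAccounts module) and an elevated session.
# Fleet-wide, enforce the same thing with the GPO setting "Accounts: Administrator account status".

# Locate the built-in account by its well-known RID 500, so renaming does not hide it.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in Administrator account (RID 500) not found.' }

# Set the emergency password first. Assumption: it is entered interactively and is unique
# to this machine; a password shared across the fleet is what lets one stolen hash open every box.
$emergency = Read-Host -AsSecureString -Prompt "Emergency password for $($builtinAdmin.Name)"
Set-LocalUser -InputObject $builtinAdmin -Password $emergency

# Disable it. A disabled account cannot authenticate over the network, so its hash is
# useless for Pass the Hash even if an attacker dumps it from the SAM.
Disable-LocalUser -InputObject $builtinAdmin

# Safe Mode caveat: the disabled account is only re-enabled at Safe Mode boot on a
# workgroup machine. On a domain-joined host, make sure another recovery path exists.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
if ($domainJoined) {
    Write-Warning 'Domain-joined host: RID 500 stays disabled in Safe Mode; keep another recovery path.'
}

# Verify: list every local user in the Administrators group with its enabled state.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
    ForEach-Object {
        $u = Get-LocalUser -SID $_.SID
        [pscustomobject]@{
            Name    = $u.Name
            Enabled = $u.Enabled
            RID500  = ($u.SID.Value -like '*-500')
        }
    } | Format-Table -AutoSize
```

Use Group Policy to enforce the setting everywhere; a script like this is for spot-checking that the policy actually applied on a host. The final listing matters as much as the disable step: any other enabled local account in the Administrators group is just as useful to an attacker as the built-in one.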

Now that we've reduced the attack surface to something more manageable, the next step is to establish proper logging and alerting. Although it doesn't directly prevent PtH, it is an important part of a holistic approach to protecting the environment. The most critical aspect of this step is centralizing your Active Directory and Windows security logs, which also stops an attacker who already has admin rights on a host from simply clearing the local evidence. Many organizations already have a centralized logging system; if you don't, two options to consider are Splunk and Kiwi Syslog. What matters is having enough storage to keep logs for an extended period of time (a minimum of 90 days) and being able to alert on specific event types, for example a privileged account authenticating with NTLM from a workstation, which shows up as event 4624 on the receiving host and 4776 on the domain controller that validates the credential; make sure your audit policy actually records logon events, or there will be nothing to alert on. Next is forwarding events into your centralized system. Some ways to achieve this are the Splunk Universal Forwarder, an agent like the Snare Event Log Agent for Windows that sends events to a syslog server, or Windows Event Forwarding, which is built into Windows itself.
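An alert rule of the kind this step makes possible, written here as an added example that is not part of the original post and is not CrowdStrike's alerting system: it flags NTLM network logons (event 4624, logon type 3) by accounts on a privileged watch list, which in a Kerberos-based domain is what a replayed Domain Admin hash looks like on the server receiving it. The watch list, host names and sample events are constructed for the illustration; the function that reads real records from Get-WinEvent is included so the same rule can be run against a live or forwarded Security log.

```powershell
# Added example (not from the original post): flag NTLM network logons by privileged accounts
# in Windows Security events (ID 4624). Assumptions, not facts from the post: the watch list,
# the host names, and the sample events, which are constructed so the script runs offline.
# In a healthy AD environment Domain Admins authenticate with Kerberos; an NTLM network logon
# by one of them to a member server is exactly what a reused hash looks like and deserves an alert.

# Privileged accounts to watch (assumption: in practice, generate this from the Domain Admins group).
$Watchlist = @('da-jsmith', 'da-backup', 'svc-sccm')

function ConvertFrom-LogonEvent {
    # Flatten a 4624 EventLogRecord from Get-WinEvent into the fields the rule needs.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            TimeCreated  = $Record.TimeCreated
            Computer     = $x.Event.System.Computer
            TargetUser   = $d['TargetUserName']
            TargetDomain = $d['TargetDomainName']
            LogonType    = [int]$d['LogonType']
            AuthPackage  = $d['AuthenticationPackageName']
            LogonProcess = $d['LogonProcessName']
            KeyLength    = [int]$d['KeyLength']
            SourceHost   = $d['WorkstationName']
            SourceIp     = $d['IpAddress']
        }
    }
}

function Find-PrivilegedNtlmLogon {
    # Rule: network logon (type 3) over NTLM by an account on the watch list.
    # Machine accounts (names ending in $) and ANONYMOUS LOGON are excluded.
    param([Parameter(ValueFromPipeline)] $Logon, [string[]] $Privileged = $Watchlist)
    process {
        if ($Logon.LogonType -ne 3) { return }
        if ($Logon.AuthPackage -ne 'NTLM') { return }
        if ($Logon.TargetUser -like '*$' -or $Logon.TargetUser -eq 'ANONYMOUS LOGON') { return }
        if ($Privileged -notcontains $Logon.TargetUser) { return }
        [pscustomobject]@{
            TimeCreated = $Logon.TimeCreated
            Account     = "$($Logon.TargetDomain)\$($Logon.TargetUser)"
            Target      = $Logon.Computer
            Source      = "$($Logon.SourceHost) ($($Logon.SourceIp))"
            # Key Length 0 on an NTLM logon is an extra signal often seen with injected hashes;
            # it is a heuristic, not proof, so it is reported rather than required.
            KeyLength0  = ($Logon.KeyLength -eq 0)
        }
    }
}

# Constructed sample logons (not real data), in the shape ConvertFrom-LogonEvent produces.
$Sample = @(
    [pscustomobject]@{ TimeCreated='2013-09-10 08:01:00'; Computer='DC01.corp.example';      TargetUser='da-jsmith'; TargetDomain='CORP'; LogonType=3; AuthPackage='Kerberos'; LogonProcess='Kerberos'; KeyLength=0;   SourceHost='';        SourceIp='10.0.1.20' },
    [pscustomobject]@{ TimeCreated='2013-09-10 08:05:00'; Computer='FILESRV01.corp.example'; TargetUser='da-jsmith'; TargetDomain='CORP'; LogonType=3; AuthPackage='NTLM';     LogonProcess='NtLmSsp';  KeyLength=0;   SourceHost='WS-0042'; SourceIp='10.0.5.42' },
    [pscustomobject]@{ TimeCreated='2013-09-10 08:06:00'; Computer='FILESRV01.corp.example'; TargetUser='WS-0042$';  TargetDomain='CORP'; LogonType=3; AuthPackage='NTLM';     LogonProcess='NtLmSsp';  KeyLength=128; SourceHost='WS-0042'; SourceIp='10.0.5.42' },
    [pscustomobject]@{ TimeCreated='2013-09-10 08:07:00'; Computer='FILESRV01.corp.example'; TargetUser='bob';       TargetDomain='CORP'; LogonType=3; AuthPackage='NTLM';     LogonProcess='NtLmSsp';  KeyLength=128; SourceHost='WS-0042'; SourceIp='10.0.5.42' }
)

# Only the second event is reported: CORP\da-jsmith reaching FILESRV01 over NTLM from WS-0042.
$Sample | Find-PrivilegedNtlmLogon | Format-Table -AutoSize

# Against a live Security log (last 24 hours) on a member server, or the ForwardedEvents log
# on a Windows Event Forwarding collector:
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1) } |
#     ConvertFrom-LogonEvent | Find-PrivilegedNtlmLogon
```

The rule is deliberately narrow so that it fires rarely and every hit is worth a phone call; the same logic translates directly into a Splunk search or syslog correlation rule once the events are in the central system. Expect some legitimate noise from tools that still use NTLM, and use the first week of hits to tune the watch list and exclusions rather than to turn the alert off.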

With these two items in place, you've created a solid foundation on which to build the rest of the PtH mitigation plan. Join us for our webinar on September 24 as we show you the Group Policy Objects that control the privileged accounts, an alerting system to detect possible critical credential theft, integration of two-factor authentication (without deploying two-factor software to endpoints), and the ability for privileged users to control their own cached credentials across the enterprise. We'll also answer questions during the presentation. After the webinar, we'll publish a follow-up to this blog with additional details.

Learn More: LIVE CrowdCast
Join us for a live CrowdCast on 9/24 as we dive deeper into preventing lateral movement by mitigating Pass the Hash.

Mitigating Pass the Hash
Tuesday, September 24th | 2pm ET/11am PT