Pass-the-Hash Attack

May 18, 2022

What is a pass-the-hash attack?

Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session.

What is a password hash?

A password hash is a one-way mathematical function that turns a user’s password into a string of text that cannot be reversed or decoded to reveal the actual password. Put simply, the passwords aren’t stored as text or characters, but nondescript hash symbols.

Why are pass the hash attacks a growing concern?

As more and more organizations leverage single sign-on (SSO) technology to enable a remote workforce and reduce friction within the user experience, attackers have come to recognize the inherent vulnerability of stored passwords and user credentials.

Identity-based attacks, such as pass the hash attacks, where adversaries pose as legitimate users are particularly difficult to detect because most traditional cybersecurity solutions cannot differentiate between a real user and an attacker masquerading as one.

Protecting against pass the hash attacks is critical because this technique often serves as a gateway to other, more serious security issues, such as data breaches, identity theft, and malware or ransomware attacks.

2022 CrowdStrike Global Threat Report

Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.

Download Now

How does a pass the hash attack work?

In a pass the hash attack, the attacker typically gains access to the network through a social engineering technique such as phishing, which is when a cybercriminal preys on another person’s emotions, such as fear, empathy or greed, to convince them to share personal information or to download a malicious file.

Once the attacker gains access to the user’s account, they use various tools and techniques that scrape the active memory to derive data that will lead them to the hashes.

Armed with one or more valid password hashes, the attacker gains full system access, enabling lateral movement across the network. As the attacker impersonates the user from one application to the next, they often engage in hash harvesting — accumulating additional hashes throughout the system which can be used to access more areas of the network, add account privileges, target a privileged account, and set up backdoors and other gateways to enable future access.

Who is vulnerable to pass the hash attacks?

Windows server clients, and organizations that use Windows New Technology LAN Manager (NTLM), in particular, are among the most vulnerable to pass the hash attacks.

NTLM is a suite of Microsoft security protocols that authenticate users’ identity and protect the integrity and confidentiality of their activity. Essentially, NTLM is an SSO tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password, a process known as NTLM authentication.

NTLM was subject to several known security vulnerabilities related to password hashing and salting. In NTLM, passwords stored on the server and domain controller are not “salted” — meaning that a random string of characters is not added to the hashed password to further protect it from cracking techniques. This means that adversaries who possess a password hash do not need the underlying password to authenticate a session.

NTLM’s cryptography also fails to take advantage of new advances in algorithms and encryption that significantly enhance security capabilities.

While NTLM was replaced as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains by Kerberos, it is still maintained in all Windows systems for compatibility purposes between older clients and servers. For example, computers still running Windows 95, Windows 98 or Windows NT 4.0 will use the NTLM protocol for network authentication with a Windows 2000 domain. Meanwhile, computers running Windows 2000 will use NTLM when authenticating servers with Windows NT 4.0 or earlier, as well as when accessing resources in Windows 2000 or earlier domains. NTLM is also used to authenticate local logons with non-domain controllers.

Spotlight on a Recent Pass-the-Hash Attack

In April 2022, a ransomware-as-a-service (RaaS) platform called Hive leveraged a pass-the-hash technique to advance a coordinated attack that targeted a large number of Microsoft’s Exchange Server customers, including those in the energy, financial services, nonprofit and healthcare sectors.

The attack took advantage of a particular Microsoft Exchange Server vulnerability known as ProxyShell. Though this vulnerability was quickly patched by Microsoft, many businesses had not updated their software and were left exposed.

The attackers leveraged the ProxyShell vulnerability to plant a backdoor web script which was used to run malicious code on the Exchange server. Attackers then took control of the system via the pass-the-hash technique, using Mimikatz to steal the NTLM hash. Hive then performed reconnaissance on the server, collected data and deployed the ransomware payload.

Learn More

Learn more about the open-source tool known as Mimikatz and how it is used in the wild, including an unusual use of the tool to strictly bypass brittle signature-based detections!Blog: Mimikatz in the Wild: Bypassing Signature-Based Detections Using the 'AK47 of Cyber'

Pass the Hash Mitigation

To prevent pass the hash attacks at the enterprise level, organizations must understand that traditional security best practices, such as setting strong password requirements and monitoring for multiple login attempts, will be of limited help for this particular attack method. Fortunately there are several other effective steps companies can take to prevent pass the hash attacks and limit their impact:

1. Limit network access and account privileges.

Organizations should also take steps to limit network access to contain the hacker’s movement and limit damage. Some techniques include:

  • Principle of least privilege (POLP): Principle of least privilege (POLP) is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job. It ensures only authorized users whose identity has been verified have the necessary permissions to execute jobs within certain systems, applications, data and other assets. It is widely considered to be one of the most effective practices for strengthening the organization’s cybersecurity posture, because it allows organizations to control and monitor network and data access.
  • Zero Trust: Zero Trust is a security framework requiring authentication, authorization and continuous validation of all users (whether in or outside the organization’s network) before receiving access to applications and data. It combines advanced technologies such as risk-based MFA, identity protection, next-generation endpoint security and robust cloud workload technology to verify a user or systems identity, consideration of access at that moment in time, and the maintenance of system security. Zero Trust also requires consideration of encryption of data, securing email and verifying the hygiene of assets and endpoints before they connect to applications.
  • Privileged access management (PAM): Privileged access management (PAM) is a cybersecurity strategy that focuses on maintaining the security or an administer account privileged credentials.
  • Identity segmentation: Identity segmentation is a method to restrict user access to applications or resources based on identities.
  • Reduce attack surface:  Disable legacy protocols like NTLM that have known vulnerabilities and are typically exploited by adversaries.

2. Implement an Identity Threat Detection and Response solution

A comprehensive Identity Threat Detection and Response (ITDR) solution like Falcon Identity Protection can help mitigate the risk of an adversary exploiting a Pass-the-Hash attack to start moving laterally or try to connect to an AD Domain Controller through RDP. With a sensor on the AD domain controller that can see all the authentication traffic as well as visibility into the endpoint, such a solution can correlate threats across endpoints and the identity layer to stop the adversary from proceeding. Alternatively, it can introduce friction in the form of an out-of-band MFA challenge that the adversary cannot overcome.

While typically MFA solutions by themselves cannot address an attack where the adversary has gotten hold of the password hash, Falcon Identity Protection can trigger an MFA flow as soon as it detects anomalous behavior or an identity-based threat Eg. request coming from a previously unused endpoint or user trying to run something in the Local Security Authority Subsystem Service (LSASS) process. That ensures the adversary cannot do any more damage even if they could successfully initiate the PtH attack.

3. Enforce IT hygiene.

An IT hygiene tool such as CrowdStrike Falcon Discover™ provides visibility into the use of credentials across the organization to detect potentially malicious admin activity. The account monitoring feature allows security teams to check for the presence of privileged accounts created by attackers to maintain access. It will also help ensure that passwords are changed regularly, so stolen credentials can’t be used forever.

4. Conduct regular penetration testing.

Penetration testing, sometimes referred to as pen testing or ethical hacking, is another important step organizations can take to protect themselves from identity-based attacks like pass the hash. Pen testing simulates a variety of real-world cyberattacks in order to test an organization’s cybersecurity capabilities and expose vulnerabilities. The test includes system identification, enumeration, vulnerability discovery, exploitation, privilege escalation, lateral movement and objectives.

5. Embrace proactive threat hunting.

True proactive threat hunting, such as CrowdStrike Falcon® OverWatch™, enables 24/7 hunting for unknown and stealthy attacks that utilize stolen credentials and are conducted under the guise of legitimate users. These are the types of attacks that standard measures can miss. Employing the expertise gained from daily “hand-to-hand combat” with sophisticated advanced persistent threat (APT) actors, the OverWatch team finds and tracks millions of subtle hunting leads daily to validate if they are legitimate or malicious, alerting customers when necessary.