Pass-the-Hash is still a threat

Introduction

Pass-the-Hash is an old technique: Paul Ashton first published it in 1997, so it has been known for well over two decades. It is still used in most ransomware attacks, for example the one on Maastricht University. So why is this still a problem?

First of all, let's have a high-level overview of what this attack is. Pass-the-Hash is a technique whereby an attacker who has already obtained local admin privileges on a compromised workstation or server extracts NT(LM) hashes from memory. With those stolen hashes, and without ever knowing the plaintext password, the attacker can open a new logon session on behalf of the compromised user and then move laterally as that user with PsExec, WinRM, RDP (when Restricted Admin mode is enabled), and so on.

There is no real fix for Pass-the-Hash, because it abuses the way Windows Single Sign-On (SSO) works rather than a bug in it. Any system that provides SSO by keeping reusable credential material in memory is exposed to a similar attack. Since most organizations use Active Directory as their identity service, and SSO is one of AD's main features, many organizations have to deal with this problem; those that don't are not well defended against Pass-the-Hash.

SSO is an authentication process that lets users sign in once with one set of credentials and then access resources on the network without typing their password again.

Imagine you're logged in as the user Bob, who is a DBA, and you want to access a database on the SQL server. Instead of typing your password again, you can just press "Connect".

After pressing Connect, you're in and have access to all the SQL databases that are listed.

The reason you didn't have to type your password again is that Windows caches your credentials (for NTLM, the NT hash) in memory to provide the SSO experience.

This is also why you can't fully prevent Pass-the-Hash: doing so would mean killing Single Sign-On. But the fact that the attack is difficult to prevent doesn't mean you can't do anything about it. In fact, Microsoft has published a lot of guidance on mitigating it.

Credential Access – T1003 (MITRE ATT&CK: OS Credential Dumping)

Before an attacker can execute a Pass-the-Hash attack, credentials need to be obtained first. Credential material is stored in the memory of the LSASS process: every time a user logs in, his or her credentials are cached in memory to provide the SSO experience discussed above. Credentials are cached whenever a user logs on to a machine, whether locally, via RDP, or by performing an action under another account via Runas. Reading LSASS memory requires local administrator rights (SeDebugPrivilege), which is why the attacker needs local admin on the machine first.

Here is an example where we extract credentials from memory on the WINDOWS2012 machine.

Now let's say we have managed to trick Alice into logging on to our compromised machine. What would happen then?

Since Alice has logged on to our compromised machine, her credentials have been left behind in LSASS, which means we can now extract them from memory and start impersonating Alice to access resources on her behalf.

Pass-the-Hash – T1075 (now T1550.002 in MITRE ATT&CK)

We have now obtained Alice's credentials, so we can execute a Pass-the-Hash attack to impersonate her and access resources on her behalf.

Because Alice has access to the FILESERVER, we can move laterally to that server as the user Alice.

Since we have full admin privileges on the FILESERVER, we can dump credentials on this server as well.

Now we have obtained Bob's credentials, because he recently logged on to this server. Bob is a Domain Admin, so if we impersonate Bob we have access to everything.

As before, we execute a Pass-the-Hash attack to impersonate Bob and access resources on his behalf.

Data Exfiltration

We can now move laterally to the Domain Controller, for example, the most critical server in the network because it holds the credentials of every user and computer.

Accessing the Domain Controller is one thing, but exfiltrating data is the ultimate goal of an attacker. Attackers don't care about becoming DA or having access to a DC as such; it's the data that will hurt your business when it's leaked.

Here is an example where we have access to the SQL server because we're already Domain Admin, but as said before, DA is only a means and the data is the end. The screenshot shows all the SQL database files stored on a disk. This data may be very valuable to us, and it could create real business impact if it leaked.

Detection

It has always been pretty difficult to detect credential access and Pass-the-Hash. Let's face it: if it were as easy as we think, most organizations would already have detection rules in place.

A great thing is that Microsoft has released Defender ATP (since renamed Microsoft Defender for Endpoint), an EDR solution that leverages the power of the cloud. If you had to pick one EDR solution, I would suggest Defender ATP. It gives much better visibility on all your endpoints and makes life easier, because you get near real-time alerts through a portal.

Here is an example of the alert we received after extracting credentials from LSASS process memory.

The above alert is correlated with another event, which is the Pass-the-Hash itself.

Recommendation

The first thing is to get the basics right: make sure that all your IT admins have a separate account for their administrative tasks, and if you want to do it properly, give them a separate hardened workstation (what Microsoft calls a Privileged Access Workstation) for those tasks as well.

The best way to mitigate Pass-the-Hash is the Microsoft Administrative Tier Model, a security model focused on mitigating credential theft by ensuring that higher-tier accounts never log on to lower-tier systems (so their credentials are never exposed there) and that lower-tier accounts have no control over higher-tier assets.

  • Tier 0 = Domain Admins or equivalent, with access to the most critical servers on the network
  • Tier 1 = Server Admins / System Administrators, with access to important servers that are not immediately "critical"
  • Tier 2 = Workstation Admins / Helpdesk, with access to client workstations but not to the separate hardened workstations of Tier 1 and Tier 0 admins

Now you might be wondering what this looks like when you implement the Tier Model. Perhaps you're also wondering whether your organization has security measures in place to mitigate Pass-the-Hash.

Deploying the Administrative Tier Model can take a while, but it's worth it. Here is an example of how the design of a Tier model might look in AD.

We have created a number of OUs, each containing different objects. The Tier 0 OU, for example, has several child OUs: Devices and Tier 0 Servers. The Devices OU contains the separate hardened workstations of your Domain Admins or equivalent. The Tier 0 Servers OU contains the most critical server objects: Domain Controllers, Azure AD Connect, ADFS, PKI, SCCM and so on.

There is another OU called Tier 1, which likewise contains the child OUs Devices and Tier 1 Servers. The Devices OU contains the separate hardened workstations of your Server Admins, and the Tier 1 Servers OU contains all the important servers that are not immediately critical.

Once that is in place, a GPO needs to be created and linked to the Devices and Tier 1 Servers OUs, which specifically denies logon rights to Domain Admins and equivalent (Tier 0 admins).

Here you can see that I have created a GPO with deny logon rights, linked to both the Devices and Tier 1 Servers OUs. Tier 0 admins can no longer log on to a Tier 1 admin's device or to a Tier 1 server. The five user rights involved (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment) are:

  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on as a service
  • Deny log on locally
  • Deny log on through Remote Desktop Services

Let's verify that we can't log on to a Tier 1 asset. As an example, we try to log on to the FILESERVER in Tier 1. Access is denied, because our GPO denies logon.

When we try to PsExec to the FILESERVER, we are denied as well; PsExec connects over SMB, which is a network logon, so this is the "Deny access to this computer from the network" right doing its work.

Last but not least, there is Tier 2, which contains all the client workstations. This tier is managed by the Helpdesk / Workstation Admins.

Another GPO needs to be created with the same deny logon rights, but this time specifying that both Tier 0 and Tier 1 admins are not allowed to log on to client workstations or to the separate workstations of your Tier 2 admins.

  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on as a service
  • Deny log on locally
  • Deny log on through Remote Desktop Services

Now when we try to RDP to a client's workstation as a Tier 0/1 admin, access is denied, because the workstation is located in the Tier 2 zone.
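Screenshots of a failed logon prove the policy once; what you want is a check you can run on any Tier 1 or Tier 2 host after every GPO change. The following PowerShell is an added example (not from the original post or from Microsoft's guidance) that exports the host's effective user-rights assignment with secedit, parses the [Privilege Rights] section, and reports every (right, SID) pair that should be denied but isn't. The domain SID, the exported policy text and the assumption that only the built-in admin groups (RIDs 512, 519, 518) make up Tier 0 are all constructed for the demo; add your own Tier 0 and Tier 1 groups to the required list when you use it.

```powershell
# Added example (not from the original post): verify the five "Deny ... log on" rights on a
# host contain every higher-tier group. Domain SID and sample policy below are constructed.

$DenyRights = @(
    'SeDenyNetworkLogonRight',           # Deny access to this computer from the network
    'SeDenyBatchLogonRight',             # Deny log on as a batch job
    'SeDenyServiceLogonRight',           # Deny log on as a service
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

function Get-PrivilegeRights {
    # Parse the [Privilege Rights] section of a secedit .inf into right -> list of SIDs.
    param([Parameter(Mandatory)][string]$PolicyText)
    $rights    = @{}
    $inSection = $false
    foreach ($line in $PolicyText -split "`r?`n") {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
            # secedit writes principals as *S-1-5-...; strip the leading '*'.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-TierDenyRights {
    # Emits one object per required SID that is missing from a deny right; no output = compliant.
    param(
        [Parameter(Mandatory)][string]$PolicyText,
        [Parameter(Mandatory)][string[]]$RequiredSids
    )
    $rights = Get-PrivilegeRights -PolicyText $PolicyText
    foreach ($right in $DenyRights) {
        $present = @($rights[$right])
        foreach ($sid in $RequiredSids) {
            if ($present -notcontains $sid) {
                [pscustomobject]@{ Right = $right; MissingSid = $sid }
            }
        }
    }
}

function Export-LocalPolicy {
    # Live use (needs elevation): dump this host's effective user-rights assignment.
    $tmp = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    Get-Content $tmp -Raw
}

# Assumed domain SID; on a real domain use (Get-ADDomain).DomainSID.Value instead.
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$tier0 = @("$domainSid-512", "$domainSid-519", "$domainSid-518")  # Domain, Enterprise, Schema Admins

# Constructed secedit export for a Tier 1 server: Enterprise Admins was forgotten on the
# RDP deny right, so the check should report exactly that one gap.
$sampleInf = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *$domainSid-512,*$domainSid-519,*$domainSid-518
SeDenyBatchLogonRight = *$domainSid-512,*$domainSid-519,*$domainSid-518
SeDenyServiceLogonRight = *$domainSid-512,*$domainSid-519,*$domainSid-518
SeDenyInteractiveLogonRight = *$domainSid-512,*$domainSid-519,*$domainSid-518
SeDenyRemoteInteractiveLogonRight = *$domainSid-512,*$domainSid-518
[Version]
signature="`$CHICAGO`$"
Revision=1
"@

Test-TierDenyRights -PolicyText $sampleInf -RequiredSids $tier0 | Format-Table -AutoSize
# Live: Test-TierDenyRights -PolicyText (Export-LocalPolicy) -RequiredSids $tier0
```

Run it from the host's own context rather than reading the GPO, because what matters is the resulting policy after inheritance, blocking and enforcement; a gap here means a Tier 0 credential could still be typed into that box.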

Something I often see that can lead to bypassing the Tier model is GPOs linked to Tier 0 assets that users from Tier 1 can modify. Make sure that all GPOs linked to the Domain object and to Tier 0 assets are managed by Tier 0 admins only; whoever can edit a GPO that applies to a Domain Controller is effectively Tier 0.

Also keep in mind that if you have service accounts in Domain Admins, and those accounts run a service on some server, that server must be treated as a Tier 0 asset: the DA credentials sit in its LSASS memory just like an interactive logon would.
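Finding those servers is mostly a matter of comparing service accounts against Tier 0 membership. The following PowerShell is an added example (not from the original post) that does exactly that for the services on one host; the service list and the Tier 0 account list are constructed for the demo, and the comment shows how a live run would feed Get-CimInstance Win32_Service and an AD group enumeration into it instead. Accounts must be given in the same DOMAIN\user form Win32_Service reports.

```powershell
# Added example (not from the original post): list services on a host that run as a
# Tier 0 account. Any hit means the host itself has to be managed as Tier 0.

function Get-Tier0ServiceExposure {
    param(
        [Parameter(Mandatory)][string[]]$Tier0Accounts,  # 'DOMAIN\user' form
        [Parameter(Mandatory)]$Services                  # objects with Name, StartName, State
    )
    # Compare case-insensitively; Win32_Service reports StartName as DOMAIN\user.
    $wanted = $Tier0Accounts | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($svc in $Services) {
        if (-not $svc.StartName) { continue }             # some drivers/services have no account
        if ($wanted -contains $svc.StartName.ToLowerInvariant()) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; State = $svc.State }
        }
    }
}

# Constructed sample (labelled as such); 'CONTOSO\svc_backup' is an assumed DA service account.
$services = @(
    [pscustomobject]@{ Name='Spooler';     StartName='LocalSystem';              State='Running' }
    [pscustomobject]@{ Name='BackupSvc';   StartName='CONTOSO\svc_backup';       State='Running' }
    [pscustomobject]@{ Name='MSSQLSERVER'; StartName='NT Service\MSSQLSERVER';   State='Running' }
)
$tier0 = @('CONTOSO\svc_backup', 'CONTOSO\bob')          # assumed Tier 0 members

Get-Tier0ServiceExposure -Tier0Accounts $tier0 -Services $services | Format-Table -AutoSize
# expect only BackupSvc

# Live use (ActiveDirectory module assumed for the membership part):
# $tier0 = Get-ADGroupMember 'Domain Admins' -Recursive | ForEach-Object { "CONTOSO\$($_.SamAccountName)" }
# Get-Tier0ServiceExposure -Tier0Accounts $tier0 -Services (Get-CimInstance Win32_Service)
```

Scheduled tasks and IIS application pools deserve the same treatment, since they cache credentials the same way a service does.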

Other best practices, such as adding Tier 0 admins to the Protected Users group (its members can't authenticate with NTLM at all, which takes Pass-the-Hash off the table for those accounts) and enabling "Account is sensitive and cannot be delegated", should be done as well, but the Tier model with separate hardened workstations for your admins is the number one priority.

Conclusion

The Administrative Tier Model is a great security architecture that mitigates credential theft: because higher-tier accounts never log on to lower-tier systems, the credentials of a Domain Admin, for example, can never be exposed on a print server or a client's workstation. Nothing is perfect, but deploying the Tier model and having Defender ATP on all workstations and servers makes the attacker's life much harder.

If you don't have similar security measures in place, we can conclude that you haven't implemented the Pass-the-Hash mitigations at all. That's fine, but it's time to do it now.

Reference

Microsoft, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2

Microsoft Administrative Tier Model

Microsoft Defender Advanced Threat Protection

Published by Huy

I have no idea what I'm doing.
