Atomic Red Team Tools -2: Detect Pass the Hash Attack

15 November, 2022


NTLM is a challenge-response protocol used to authenticate a user to a Windows service. The password itself is never sent: the client proves knowledge of the NT hash of the password, so possessing the hash is enough to authenticate. Mimikatz's sekurlsa::pth exploits exactly that. It starts a new logon session with a fake identity and then replaces that session's credential material in LSASS with the domain, username, and NTLM hash supplied on the command line, so anything run inside that session authenticates over the network as the chosen user.
img
Note that this works by patching LSASS memory, which requires local administrator privileges, and it may not be possible at all when LSASS runs as a Protected Process Light (PPL).
In Cobalt Strike, the Beacon pth command runs this Mimikatz step in the background for you.
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
Let’s test in our Lab 🙂 using Atomic Red Team tools:
For more on how Mimikatz dumps hashes and performs pass-the-hash with the sekurlsa module, see: https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth
Atomic Red Team Tools: T1550.002 (Pass the Hash Attack)
img
The snippet above shows the Atomic test's commands and how they were executed. Once they have run successfully, we can hunt for the resulting events in the SIEM.
Additional Info:
Sysmon records the process-creation event for cmd.exe, including command-line arguments such as \\.\pipe\16ca6d. This unusual pattern can be searched for in Kibana.
A successful pass-the-hash also generates Windows Security event 4624 with logon type 9 (NewCredentials). The Logon ID of the new session is recorded in this event and also appears in the Sysmon process-creation event, so the two can be cross-referenced.
event.code: 4624 and winlog.logon.type: 9
The TargetUserName and TargetOutboundUserName fields tell us that NT AUTHORITY\SYSTEM has impersonated Harryp.
To avoid the \\.\pipe\ indicator, we can execute Mimikatz manually and specify our own process with the /run parameter.
If no /run parameter is specified, cmd.exe is started. This can cause the process window to appear on the user's desktop, which matters little when running as SYSTEM with no desktop session attached, but has obvious implications otherwise.
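As an added example (not code from the original post, from Atomic Red Team, or from Mimikatz), the following Python script applies both checks described above to constructed Winlogbeat-style documents: it selects 4624 logons of type 9, selects Sysmon Event ID 1 records whose command line contains \\.\pipe\, and joins the two on the Logon ID. The field names follow Winlogbeat's layout for the Security and Sysmon channels; the event values, the pipe name and the Logon IDs are made up, and the Kibana query for the Sysmon check is my assumed equivalent of the 4624 query given above.

```python
"""Correlate a pass-the-hash logon (4624, type 9) with the process it spawned.

Added example, not from the original post. SAMPLE_EVENTS are constructed to
resemble Winlogbeat documents in ELK; the values are invented.
"""

# Marker left on the command line when Beacon's pth starts cmd.exe.
PIPE_MARKER = "\\\\.\\pipe\\"   # the literal string \\.\pipe\
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

SAMPLE_EVENTS = [
    # Interactive logon (type 2) by the operator: must not alert.
    {"event": {"code": "4624"},
     "winlog": {"channel": "Security", "logon": {"type": "2"},
                "event_data": {"LogonType": "2", "SubjectUserName": "-",
                               "SubjectDomainName": "-", "TargetUserName": "Administrator",
                               "TargetDomainName": "DEV", "TargetLogonId": "0x5d4f2"}}},
    # The pth logon (type 9, NewCredentials): SYSTEM opened a session whose
    # outbound identity is Harryp, backed by Harryp's NTLM hash.
    {"event": {"code": "4624"},
     "winlog": {"channel": "Security", "logon": {"type": "9"},
                "event_data": {"LogonType": "9", "SubjectUserName": "SYSTEM",
                               "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7",
                               "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY",
                               "TargetLogonId": "0x1a2b3c",
                               "TargetOutboundUserName": "Harryp",
                               "TargetOutboundDomainName": "DEV",
                               "LogonProcessName": "Advapi"}}},
    # Sysmon Event ID 1: cmd.exe created in logon 0x1a2b3c with the pipe marker.
    {"event": {"code": "1"},
     "winlog": {"channel": SYSMON_CHANNEL,
                "event_data": {"LogonId": "0x1a2b3c", "User": "NT AUTHORITY\\SYSTEM"}},
     "process": {"name": "cmd.exe",
                 "command_line": "cmd.exe /c echo 16ca6d > \\\\.\\pipe\\16ca6d"}},
    # Sysmon Event ID 1: unrelated process in the interactive session.
    {"event": {"code": "1"},
     "winlog": {"channel": SYSMON_CHANNEL,
                "event_data": {"LogonId": "0x5d4f2", "User": "DEV\\Administrator"}},
     "process": {"name": "notepad.exe", "command_line": "notepad.exe report.txt"}},
]


def _event_data(ev):
    return ev.get("winlog", {}).get("event_data", {})


def find_pth_logons(events):
    """4624 logons of type 9, keyed by the new session's Logon ID (lower-cased).

    Kibana equivalent from the post: event.code: 4624 and winlog.logon.type: 9
    Falls back to event_data.LogonType in case winlog.logon.type is absent.
    """
    logons = {}
    for ev in events:
        if ev.get("event", {}).get("code") != "4624":
            continue
        data = _event_data(ev)
        logon_type = str(ev.get("winlog", {}).get("logon", {}).get("type")
                         or data.get("LogonType"))
        if logon_type != "9":
            continue
        logon_id = data["TargetLogonId"].lower()
        logons[logon_id] = {
            "logon_id": logon_id,
            "subject": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
            "impersonated": f"{data.get('TargetOutboundDomainName')}\\"
                            f"{data.get('TargetOutboundUserName')}",
        }
    return logons


def find_pipe_process_creations(events):
    """Sysmon Event ID 1 whose command line contains \\.\pipe\.

    Assumed Kibana equivalent: event.code: 1 and process.command_line: *\\.\pipe\*
    """
    hits = []
    for ev in events:
        if ev.get("event", {}).get("code") != "1":
            continue
        if ev.get("winlog", {}).get("channel") != SYSMON_CHANNEL:
            continue
        cmd = ev.get("process", {}).get("command_line", "")
        if PIPE_MARKER.lower() in cmd.lower():
            hits.append({"logon_id": _event_data(ev).get("LogonId", "").lower(),
                         "image": ev["process"].get("name"), "command_line": cmd})
    return hits


def correlate_pth(events):
    """Join both checks on Logon ID.

    A type-9 logon plus a pipe-marker process in that same session is a
    high-confidence alert. A type-9 logon with no matching process is still
    reported at medium severity, because runas /netonly (and a pth with a
    custom /run) produce the same logon type without the pipe marker.
    """
    logons = find_pth_logons(events)
    alerts, matched = [], set()
    for proc in find_pipe_process_creations(events):
        logon = logons.get(proc["logon_id"])
        if logon is None:
            continue
        matched.add(proc["logon_id"])
        alerts.append({"severity": "high", **logon, "process": proc["image"],
                       "command_line": proc["command_line"]})
    for logon_id, logon in logons.items():
        if logon_id not in matched:
            alerts.append({"severity": "medium", **logon, "process": None,
                           "command_line": None})
    return alerts


if __name__ == "__main__":
    for a in correlate_pth(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['subject']} impersonates {a['impersonated']} "
              f"in logon {a['logon_id']}; process={a['process']} cmd={a['command_line']}")
```

Run against the constructed events, the script raises one high-severity alert for the cmd.exe created in logon 0x1a2b3c, and stays silent for the interactive logon and notepad.exe. The medium path exists because logon type 9 on its own is not proof of pass-the-hash, which is why the post's cross-reference to the process-creation event matters.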

Detect Process executions in SIEM:

Pass the hash events detected in SIEM (ELK)
img
Sysmon events indicating the execution of processes.
img
Query to detect process executions
img
Alert Notification
img
I appreciate you reading this blog. If you think it has been valuable, please give it a thumbs up. If you enjoy it, share with your friends and other members of your community. Stay tuned for the next blog!



© Copyright 2024. Showcase Creators Inc. All rights reserved.