Pass The Hash: what is it, and how can we detect it?

In this article we focus on one of the best-known attacks still in active use today, Pass The Hash: its technical definition, how it works, and how we can detect this behaviour with a few queries.


Pass The Hash: what exactly is it?

There are many definitions of this technique, but the essential point is this: as an attacker, I have "passed the hash" if I can obtain a user's NTLM (Windows NT LAN Manager) password hash and authenticate with it directly, as if it were the password, without ever brute-forcing or cracking it. The attack is dangerous because adversaries can harvest these hashes from the places Windows keeps them: the SAM (Security Accounts Manager) database, the memory of LSASS (Local Security Authority Subsystem Service), or Credential Manager. (That is the Windows view; the same technique is also carried out from Linux and Unix hosts with tooling that speaks NTLM.)


How does it work?

To keep this simple rather than turn it into a deep technical walkthrough (the aim of this site is to make cybersecurity concepts accessible to IT and non-IT readers alike): when a user types a password into an application, Windows APIs transform that cleartext into one or two hashes, the NT hash and the older LM hash. Those hashes, not the cleartext, are what the NTLM protocol uses to authenticate the user to remote servers. Pass The Hash works because NTLM never needs the cleartext: whoever holds the hash can complete the NTLM challenge-response exchange and therefore log on as that user.


Examples

Let's look at two practical examples, taken from Red Canary's Atomic Red Team tests and from the Mimikatz repository documentation, that show what Pass The Hash activity looks like on the endpoint:

PtH using Mimikatz (sekurlsa::pth):

Where the arguments mean:

  • /user – the username you want to impersonate; keep in mind that Administrator is not the only name for this well-known account.
  • /domain – the fully qualified domain name; for a local user or local admin, use the computer or server name, the workgroup name, or anything at all.
  • /rc4 or /ntlm – optional – the RC4 key / NTLM hash of the user's password.
  • /aes128 – optional – the AES128 key derived from the user's password and the realm of the domain.
  • /aes256 – optional – the AES256 key derived from the user's password and the realm of the domain.
  • /run – optional – the command line to run; the default is cmd, which gives you a shell.

PtH using crackmapexec

So here's the malicious command, as written in the Atomic Red Team test (the #{...} tokens are placeholders that the test fills in at run time):

  • crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} 

Detection

It's time to use Sigma rules and SIEM queries to detect these two behaviours in our environments. Both queries below key on process-creation telemetry, so they only work where command lines are actually recorded: Windows Security event 4688 with "Include command line in process creation events" enabled, or Sysmon event ID 1.

Sigma:

Queries:

  • Splunk: ((CommandLine="*sekurlsa::pth*" CommandLine="*/user*" CommandLine="*/domain*" CommandLine="*ntlm*") OR (CommandLine="*crackmapexec*" CommandLine="*-u*" CommandLine="*-H*" CommandLine="*-x*")) | table CommandLine
  • Azure Sentinel: SecurityEvent | where EventID == 4688 | where ((CommandLine contains 'sekurlsa::pth' and CommandLine contains '/user' and CommandLine contains '/domain' and CommandLine contains 'ntlm') or (CommandLine contains 'crackmapexec' and CommandLine contains '-u' and CommandLine contains '-H' and CommandLine contains '-x'))
  • Elastic: ((process.command_line:*sekurlsa\:\:pth* AND process.command_line:*\/user* AND process.command_line:*\/domain* AND process.command_line:*ntlm*) OR (process.command_line:*crackmapexec* AND process.command_line:*\-u* AND process.command_line:*\-H* AND process.command_line:*\-x*))

Keep in mind that these are signature matches on tool names and switches. A renamed Mimikatz binary, an operator who supplies the hash with /rc4 instead of /ntlm (the queries require the literal "ntlm"), or a CrackMapExec run from a Linux host that never produces a Windows 4688 event will slip past them. For a signal that does not depend on the command line, also watch the logon itself: on the source host, Mimikatz's sekurlsa::pth leaves a Security event 4624 with Logon Type 9 (NewCredentials) and Logon Process "seclogo", a combination that is rare outside of runas /netonly.

That's this week's article; I hope it inspires you to dig further. See you next week!
