“Pass the hash” is a well-known technique that adversaries use for credential theft and lateral movement. Instead of cracking a captured password hash, the attacker submits the hash itself to NTLM authentication, which accepts it in place of the password, so no time is spent recovering the cleartext. The technique relies on valid NTLM hashes being dumped from an already compromised host (typically from LSASS memory or the local SAM database) with credential-dumping tools. The attacker then replays those hashes to open new authenticated sessions on other hosts in the same network. This skips slow password-cracking or password-guessing procedures entirely, and when the captured hash belongs to a privileged account it grants the attacker that account’s rights, up to local administrator, on the targeted system.
“Pass the hash” is used mainly for lateral movement. Starting from the initially compromised device, the attacker dumps further credentials and data, reuses the captured hashes to authenticate to other local or remote systems, and repeats the cycle on each new host until a hash for a domain-privileged account is obtained, at which point the most sensitive data in the environment becomes reachable.
The Suspected Identity Theft (Pass-the-Hash) Rule Pack from SOC Prime helps identify the red flags of a pass-the-hash attack against your network by auditing logon and credential-use events for:
- Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries)
- NTLM LogonType 3 (network) authentications that are not associated with a domain account and are not anonymous logons
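The two checks above, applied to a handful of constructed Windows Security events, as an added example. This is illustration code written for this page, not the rule pack’s own logic. It assumes an AD NetBIOS domain named CORP, made-up host names, IP addresses and file paths, and a minimal dict representation of event IDs 4624 (logon) and 4688 (process creation) carrying only the fields the checks need. “Not associated with a domain login” is interpreted here as the logon account’s domain being a machine name rather than the AD domain, which is the classic local-administrator pass-the-hash pattern; the process-creation correlation by logon ID and the ten-minute window are a simple heuristic chosen for the example.

```python
"""Flag candidate pass-the-hash logons in Windows Security events.

Added example (not SOC Prime's rule logic). Events are constructed
samples, not real logs; domain CORP, hosts, IPs and paths are made up.
"""
from datetime import datetime, timedelta

AD_DOMAIN = "CORP"                      # assumed AD NetBIOS domain name
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window for 4624 -> 4688


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events mirroring a few fields of 4624 / 4688.
SAMPLE_EVENTS = [
    # 1. NTLM network logon with a LOCAL account, followed by a process
    #    creation under the same logon ID: the pattern we want to catch.
    {"Time": _t("2024-03-01 10:00:00"), "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetDomainName": "WS01", "TargetLogonId": "0x3e7a1",
     "IpAddress": "10.0.0.5", "WorkstationName": "WS07"},
    {"Time": _t("2024-03-01 10:00:30"), "EventID": 4688,
     "SubjectLogonId": "0x3e7a1", "SubjectUserName": "Administrator",
     "NewProcessName": "C:\\Windows\\Temp\\svc.exe"},
    # 2. Kerberos network logon by a domain user: benign.
    {"Time": _t("2024-03-01 10:01:00"), "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "TargetLogonId": "0x4a110",
     "IpAddress": "10.0.0.12", "WorkstationName": "WS12"},
    # 3. Anonymous NTLM logon: explicitly excluded by the rule.
    {"Time": _t("2024-03-01 10:02:00"), "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x4b2c0",
     "IpAddress": "10.0.0.9", "WorkstationName": "-"},
    # 4. NTLM logon by a domain computer account: associated with the domain.
    {"Time": _t("2024-03-01 10:03:00"), "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "WS02$",
     "TargetDomainName": "CORP", "TargetLogonId": "0x4c300",
     "IpAddress": "10.0.0.2", "WorkstationName": "WS02"},
]


def is_ntlm_pth_candidate(ev, domain=AD_DOMAIN):
    """Second bullet: NTLM, LogonType 3, not anonymous, not a domain account."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    user = ev.get("TargetUserName", "")
    if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
        return False   # anonymous and computer accounts are skipped (assumption)
    # Account domain is a machine name rather than the AD domain.
    return ev.get("TargetDomainName", "").upper() != domain.upper()


def correlate_process_creation(logon, events, window=CORRELATION_WINDOW):
    """First bullet: 4688 events under the same logon ID shortly after the logon."""
    logon_id, start = logon["TargetLogonId"], logon["Time"]
    return [e for e in events
            if e.get("EventID") == 4688
            and e.get("SubjectLogonId") == logon_id
            and start <= e["Time"] <= start + window]


def find_alerts(events, domain=AD_DOMAIN):
    """Return one alert per candidate logon, raised to 'high' if it also spawned processes."""
    alerts = []
    for ev in events:
        if not is_ntlm_pth_candidate(ev, domain):
            continue
        procs = correlate_process_creation(ev, events)
        alerts.append({
            "user": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
            "source_ip": ev["IpAddress"],
            "workstation": ev["WorkstationName"],
            "logon_id": ev["TargetLogonId"],
            "processes": [p["NewProcessName"] for p in procs],
            "severity": "high" if procs else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run against the samples, only the local-Administrator NTLM logon is reported, and it is raised to high severity because a process was created under its logon ID within the window. Note the limit of the second check as written: a hash belonging to a domain account passes the “domain” test and is not flagged by it alone, so in practice it is paired with the first check and with host-side telemetry from the machine where the hash was injected.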