Therefore, NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious. From a classic Pass-The-Hash perspective, this technique uses a hash through the NTLMv1 / NTLMv2 protocol to authenticate against a compromised endpoint. Monitor for user authentication attempts. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. Monitor newly created logons and credentials used in events and review for discrepancies. Windows Security events such as 4768 (A Kerberos authentication ticket (TGT) was requested) and 4769 (A Kerberos service ticket was requested) combined with logon session creation information may be indicative of an overpass the hash attempt. Monitor requests of new ticket granting ticket or service tickets to a Domain Controller. ĭo not allow a domain user to be in the local administrator group on multiple systems. Through GPO: Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. The associated Registry key is located HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy. Įnable pass the hash mitigations to apply UAC restrictions to local accounts on network logon.
#Hashtab review Patch#
Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.Īpply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group. PoshC2 has a number of modules that leverage pass the hash for lateral movement. Pass-The-Hash Toolkit can perform pass the hash. Night Dragon used pass-the-hash tools to gain usernames and passwords. Mimikatz's SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands.
#Hashtab review software#
Kimsuky has used pass the hash for authentication to remote access software used in C2. HOPLIGHT has been observed loading several APIs associated with Pass the Hash. GALLIUM used dumped hashes to authenticate to other machines via pass the hash. Įmpire can perform pass the hash attacks.
ĬrackMapExec can pass the hash to authenticate via SMB. Ĭhimera has dumped password hashes for use in pass the hash authentication attacks. ĪPT32 has used pass the hash for lateral movement.
ĪPT28 has used pass the hash for lateral movement. The APT1 group is known to have used pass the hash.
0 kommentar(er)
