How are hackers likely to move through your organization’s network—and how can your security team mitigate the risk?
The Cybersecurity and Infrastructure Security Agency (CISA) provides valuable insights in a new report on risk and vulnerability assessments (RVA), which lays out the top tactics, techniques, and procedures (TTP) used in red-team engagements. The study and a related infographic provide detailed findings from 37 RVAs. By showing how detection and response capabilities fell short in these cases, and by describing a sample attack path that hackers could take to exploit these gaps, the agency offers countless other organizations the opportunity to benefit from lessons learned.
The single most successful technique for lateral movement, for example, is “pass the hash,” which accounted for nearly 30% of lateral movement, CISA finds. Conti ransomware attacks on critical infrastructure and advanced persistent threats against think tanks have used this same technique. And so, building on CISA’s insights, let’s take a closer look at what “pass the hash” is, why it’s so dangerous, and how to counter it.
To understand this hacking technique, it helps to know a little IT history: On modern Windows systems, passwords are stored in the NThash (often referred to as NTLM) format. These hashes can be obtained by dumping the Security Account Manager (SAM) database on workstations, or the NTDS file on domain controllers, with tools such as Mimikatz. As security practices have evolved over time, authentication has changed from passing around plaintext credentials, to passing the hashed password, and finally to a challenge-and-response type scheme (Net-NTLMv2) that prevents replaying and “pass the hash” attacks. However, if the NThash can be obtained, it can still often be used to authenticate to a system. And best of all for the attacker, they don’t even need to know the user’s plaintext password!
This technique refuses to die. If the more secure challenge-and-response type authentication scheme were used exclusively, attack methods like “pass the hash” would not exist—but that's not the world we live in. Microsoft has been trying to fix pass the hash attacks for years now. “Pass the hash is dead”, red teams claimed back in 2014 when Microsoft released KB2871997 and set the LocalAccountTokenFilterPolicy. And indeed, this did make things more difficult for attackers by limiting success to the built-in administrator (RID 500) account. But “pass the hash” is still highly effective against many networks because the account is not disabled—or worse, has the same shared password across all workstations, making lateral movement very easy.
To counter-attack techniques like “pass the hash,” organizations need to understand how adversaries behave. That’s why Booz Allen has used SnapAttack, to analyze over 1,000 attacker techniques, including “pass the hash.” You can see an example from our threat library in the video below, where we use Metasploit on an attacker machine to dump the SAM database (via the hashdump command) and then use the exploit/windows/smb/psexec module to pivot from one Windows victim machine to another using the hash of the built-in Administrator account, which is the same on both machines.