A recent whitepaper published by Microsoft describes an attack known as Pass-the-Hash (PtH), which has become a common attack vector for credential theft. A PtH attack is where an attacker captures account logon credentials, but instead of capturing the clear text password, the attacker captures the password hash, which can then be re-used to logon to network services, because the password hash is an unsalted MD4 hash.
I’m not going to go into too much depth in this post, as the whitepaper provides comprehensive information on these attacks, which I highly recommend you read – Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
Pass-the-Hash – Initial Attack
What is interesting about these types of attack is that they all start in the same manner. The attacker needs to gain local administrative access to a computer, in order to steal logon credentials from that computer. Once the attacker has compromised one computer, the compromised accounts are used to attack other computers on the network, including servers and domain controllers. This sequence is repeated, as the attacker is looking to steal the credentials of a higher privileged domain account, such as a domain administrator, at which point the attacker has control of all the computers and accounts under the administrative scope of that account. The attacker can compromise an entire infrastructure very quickly with this type of attack.
As Microsoft state in their paper, it is difficult to enhance the security of Windows to protect against these attacks with an operating system update or fix, and so the only way to prevent these attacks is to take proactive measures to limit and protect both local and domain privileged accounts. Two of the top four mitigation strategies that are rated as excellent, in terms of their effectiveness in mitigating PtH attacks, relate to the restriction and protection of local administrator accounts and the removal of standard users from the local administrators group.
Privilege Guard can help to mitigate PtH attacks, as it can protect against the initial attack vector and prevent the attack before it starts to move laterally to other computers on an organization’s network. With Privilege Guard there is no need for standard users to logon with a local administrator account, as privileges can be assigned directly to the applications that require elevated rights, which is controlled through centrally managed policy settings.
This prevents an attacker from gaining access to an administrator account, making it much more difficult to steal logon credentials and password hashes. Privilege Guard can also be applied to real system administrators, including server administrators. Limiting the number of domain privileged accounts and restricting the systems they can log on to is another one of the top four mitigation strategies. Effective management of privileged accounts can mitigate many targeted attacks and not just PtH attacks and with Privilege Guard this doesn’t need to be a difficult undertaking.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.